by pingec 2888 days ago
What are some safety measures you take when downloading a new version of keepass? Checking the digital signature of the binary?

Original keepass downloads are hosted on sourceforge which has not had the best history of integrity the way I see it.

6 comments

Sourceforge is under new management and they removed the bundled installers, as I understand it.

https://sourceforge.net/blog/brief-history-sourceforge-look-...

Compile it from source, it's a standard Visual Studio solution that builds without issues.
This. And the benefit is it's easy to add your own fixes to your local version too. Stuff like removing the PerformSelfTest() call, adding items to the ListView in batch, item bounds checking when refreshing the ListView, etc. can quite noticeably speed up the UI, and random window focusing/sizing issues aren't too hard to fix either.
You might also consider submitting such changes as a patch to Dominic, the developer.
In a perfect world I would love to, but every time I've tried to submit improvements to open-source software I've come out extremely frustrated with how many hoops I have to jump through just to get my code properly considered, let alone merged. Half the time the developers are extremely resistant to changes and believe the change is wrong/unnecessary, or the current state is already correct, or that the changes are too big and/or not worth it, or that their upstream code is responsible, etc., and the other half the time they're admittedly quite welcoming but present hoops that on my end I simply don't feel like jumping through (like putting more personal info on the internet than I care to), especially when I'm already going out of my way to help people. Maybe you'd think the problem is with me, or maybe Dominic would be an exception in all regards, but wherever the problem is, I've grown very reluctant about the idea in general, so I just fix bugs on my own computer and let someone else who cares & has the time/energy to put up a real fight fix the issues for everyone else.
> their upstream code is responsible

Then you're not going to the good people. Stop going through intermediaries, go straight for the source (package-specific issues on Ubuntu must be reported to Ubuntu, like python not recognizing a new module, but bad code inside the package must be dealt with upstream).

> Half the time the developers are extremely resistant to changes and believe the change is wrong/unnecessary, or the current state is already correct, or that the changes are too big and/or not worth it, [...]

That's why I make a habit of jumping on IRC first, talking with devs a bit and trying to understand why I find a specific piece of code problematic.

I was trying to add support for i686 on an AUR package I maintain; quickly dismissed "we don't support i686 anymore anyway, just slap comments in your PKGBUILD and ship it".

I was working with the btrfs(8) util, which has the most horrific interface ever designed; "OK, we're not hostile to a new interface design, but you'll have to provide a comprehensive explanation of what you want and how it should behave".

And finally, documentation usually gets merged real fast (recently on cbsd(8) and nextcloud).[0][1]

[0] https://github.com/nextcloud/documentation/pull/826

[1] https://github.com/cbsd/cbsd-wwwdoc/pull/12

I assure you I'm not naively just dumping code on random developers and telling them to merge it. I do talk to them first, that's exactly how I figure out they think their code is fine and my changes are unwelcome whenever that's the case. (Edit: Well, mostly. It's also happened that my changes were rejected after I made the patch, but that was nevertheless after discussions had already taken place. Like when I said they later decide the patch is too big.) And regarding the upstream project issue: in the case I had in mind, the upstream project had its own reasons for not doing things the way I mentioned. The changes really did belong in the downstream project, but the downstream guy just didn't care to have to maintain the changes. Although, I also have to point out that upstream projects tend to present even more obstacles for merging code -- not only when the entire reason there's a downstream fork is that upstream is not going to support the entire platform/architecture/whatever, but also when they're big projects with their own hoops I don't care to jump through on my end as I explained earlier.
But there are no guarantees about the source either unless I am willing to audit all of it?
I agree, that's why signed source code releases are the safest thing you can get. Keepass has signed releases (including the source code archive) that can be checked with OpenPGP.

https://keepass.info/integrity.html

If you trust the signed source code there's no reason you shouldn't trust the signed binary - unless you have sufficient time and expertise to audit the source.
This is how I view it:

* Being open source protects against a malicious developer. Otherwise there is nothing preventing him from building the binary with a different source, and sending the passwords to his own server.

* A signed code archive protects against a compromised hosting site.

In order to get from a trusted source to a trusted binary, you have to trust the compiler and its dependencies as well, I think.
All keepass executable downloads have valid digital signatures and are signed by the developer.
I usually just use SHA / MD5 checksums, digital signatures.

I think 7zip has a way for you to check the hash signature with just a right click on the file, so that's dandy.

Are you imparting trust on checksums downloaded from the same source page?

Not implying you are but there is plenty of software where that is how they expect users to verify the integrity of the download. Useful for checking bit errors, but in the event that someone has replaced the binary then they could probably also replace the checksum...

I didn't think about that, but there's not always a reputable alternative checksum source.

I was thinking about all the times I had to download a Windows ISO, and how Microsoft had openly published what the checksum values were so I could verify this after downloading from a 3rd party.

I would need to do more research here; you make a good point.

PUP bundlers also tend to be signed. Just checking for a valid signature would not be enough.
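The two points raised above (a checksum fetched from the same page as the download only catches bit errors, and a signature being "valid" says nothing about whose key made it) can be turned into a small verification script. This is an added example, not code from KeePass or from anyone in the thread; the file names and the checksum list it builds are constructed, and the `expected_fpr` you pass to `gpg_verify` is a placeholder that must come from a source other than the download mirror (for example the project's integrity page).

```python
import hashlib, os, subprocess, tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sha256sums(text):
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if name.strip() and not digest.startswith("#"):
            sums[name.strip().lstrip("*")] = digest.lower()
    return sums

def check_against_sums(directory, sums):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every listed file."""
    results = {}
    for name, expected in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(path) == expected else "mismatch"
    return results

def gpg_verify(sig_path, file_path, expected_fpr):
    """Verify a detached signature and pin which key signed it (exit 0 alone does not)."""
    try:
        proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                               sig_path, file_path], capture_output=True, text=True)
    except FileNotFoundError:  # gpg is not installed: treat as unverified
        return False
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2].upper() == expected_fpr.replace(" ", "").upper()
    return False

def demo():
    """Constructed sample: a good file, a tampered one, and one listed but absent."""
    d, good = tempfile.mkdtemp(), b"placeholder release bytes\n"
    for name, data in (("KeePass.zip", good), ("KeePass-Setup.exe", good + b"X")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)  # the second file is a simulated tampered download
    h = hashlib.sha256(good).hexdigest()
    return check_against_sums(d, parse_sha256sums(
        f"{h}  KeePass.zip\n{h} *KeePass-Setup.exe\n{'0' * 64}  KeePass-Source.zip\n"))
```

`gpg_verify` reads the machine-readable status lines rather than trusting the exit code, so a file signed by some other key already in your keyring is still reported as unverified.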
keepassxc
What if you don't have/want cloud syncing programs installed on your whole system just for the sake of a password manager?
What does this have to do with keepassxc? (the community version of keepassx)
It doesn't have built-in syncing, unlike KeePass. So if you want cloud syncing you have to install an entire syncer on your file system just for the sake of that one program. The assumption that everyone has or wants an automatic behind-the-scenes file syncer installed on every system they use the program on is quite a big and incorrect one.
They aren't required. I use KeePassXC and don't use any type of cloud syncing.
No, the question is what if you do want cloud syncing for your passwords (you need to sync with your phone somehow without manually uploading/downloading from a browser every time...), but are unable or unwilling to have a background cloud syncer installed on every system you use KeePassXC on. People blindly suggest KeePassXC without realizing not everyone has or wants a cloud syncer installed on their entire system.
That was worded a bit ambiguously then.

You're not really going to get around having to install "something" to sync your passwords if you want to have your passwords synced.

You could use something like Syncthing if you just don't want to trust any company with your data.

Otherwise, I can't really suggest a solution either.

> That was worded a bit ambiguously then

Sorry, I hope it's clear now.

> You're not really going to get around having to install "something" to sync your passwords if you want to have your passwords synced

Huh? This is obviously wrong; I'm doing literally this with KeePass. I haven't installed anything, and it has a plugin to sync directly with Google Drive that doesn't mess with or care about anything in the rest of the system.