by gmuslera 1239 days ago
All designs have use cases and scenarios for which they are better or worse.

Pass (and gopass, and all the derivatives of the same idea) is not the best personal password store (for that KeePassXC and similar tools might be better), but coupled with git it gives a technical team a way to share passwords in a more or less secure way at rest.

AFAIK KeePassXC doesn't give a way of automating the merge of different versions of the password store (for that the granularity provided by git and the pass format is better), so modifying the keys as a team is an exercise in coordination, and having one global master key implies an all-or-nothing approach.

And being built over time-tested technology in a simple enough way is another feature. It is a simple bash script taking advantage of gpg and git, not a complex piece of software that should be audited with each security update.

Of course, the computers taking part should be trusted; if the personal computer of any of the people with access to the keys, or the machine where you store your git repository, is compromised, it might not be so safe, but then you probably have bigger problems to worry about.


> AFAIK KeePassXC doesn't give a way of automating the merge of different versions of the password store (for that the granularity provided by git and the pass format is better), so modifying the keys as a team is an exercise in coordination, and having one global master key implies an all-or-nothing approach.

You might already know about the Merge feature in general, but, courtesy of GHacks[1]:

> KeePass' synchronization algorithm merges matching entry levels when sync is invoked. The application uses the last modification date as the main data point when deciding about the recency of entries. KeePass keeps track of it automatically whenever an entry is added or modified.

> The application uses its history feature when it merges entries. Assume that the same login is available in two databases, but with different passwords. KeePass will merge these and set the most recent username and password as the default after the sync process completes. All other entries are stored in the history, so that they are not lost and may be accessed when the need arises.

I bet one could argue that this is at least as automated as a merge commit, which I wouldn't expect to run truly automatically anyway (i.e. as a commit or CI hook without any other user input).

1: https://www.ghacks.net/2022/03/25/how-to-merge-two-keepass-d...
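As an added illustration of the merge rule quoted above (not code from the thread or from KeePass itself), here is a toy model of "most recent modification wins, every other version is kept in the entry's history", with entries matched by a UUID and timestamps as plain integers; the database layout and the `Entry` type are assumptions for the example, not KeePass's real file format:

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    uuid: str          # KeePass matches entries by UUID, not by title
    username: str
    password: str
    modified: int      # last-modification time (Unix seconds, constructed)
    # older (username, password, modified) tuples, newest first
    history: list = field(default_factory=list)

    def version(self):
        return (self.username, self.password, self.modified)


def merge_entry(a: Entry, b: Entry) -> Entry:
    """Two copies of one entry: the newer modification becomes the live
    version and every other version seen on either side is kept in history."""
    assert a.uuid == b.uuid
    winner, loser = (a, b) if a.modified >= b.modified else (b, a)
    versions = {loser.version(), *winner.history, *loser.history}
    versions.discard(winner.version())          # the live version is not history
    history = sorted(versions, key=lambda v: v[2], reverse=True)
    return Entry(winner.uuid, winner.username, winner.password,
                 winner.modified, history)


def merge_databases(local: dict, remote: dict) -> dict:
    """Sync two databases keyed by entry UUID; entries present on one side
    only are copied over unchanged."""
    merged = {}
    for uid in local.keys() | remote.keys():
        if uid in local and uid in remote:
            merged[uid] = merge_entry(local[uid], remote[uid])
        else:
            merged[uid] = local[uid] if uid in local else remote[uid]
    return merged


def demo() -> dict:
    """Constructed sample: the same login changed on two machines, plus one
    entry that exists only on the laptop copy."""
    laptop = {
        "e1": Entry("e1", "alice", "old-pw", 1000),
        "e2": Entry("e2", "bob", "only-here", 1500),
    }
    desktop = {"e1": Entry("e1", "alice", "new-pw", 2000)}
    return merge_databases(laptop, desktop)


if __name__ == "__main__":
    for uid, e in sorted(demo().items()):
        print(uid, e.username, e.password, e.history)
```

Because the losing version is retained rather than discarded, a sync that picks the wrong side is recoverable from the entry's history, which is the property that makes the last-modified rule acceptable for a shared store.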