Does listing here on the KeePass site imply anything?: Other downloads and links: Contributed/Unofficial KeePass Ports

Tom Wolff
2021-01-03
2021-10-14
  • Tom Wolff

    Tom Wolff - 2021-01-03

    Does listing here on the KeePass site imply anything about the contributed unofficial KeePass ports? Like what? Or can anyone submit such a contribution and get listed there, regardless? Obviously what I am concerned with is to what extent these contributions are vetted before listing, if a continuing listing means anything, if there is any vetting, is it continuous? If anyone can get anything posted there, then that is that, user beware and seek other places for reviews as to security, functionality, etc. If in fact these items ARE vetted, to what extent should the casual user assume so, and where should he/she look for further review, advice, comment about their security and functionality? For example, for iOS the Apple App Store or for Android the Google Play Store have user ratings and comments, but these are probably about as useful as the user ratings on Amazon (not useless, but the reader is advised to be careful using them). Or is there a better place/way to vet these, more specialized KeePass centric forum about these contributions? Please forgive this newb question. I am not trying to get KeePass to offer any guarantees, etc., just trying to understand how I should proceed in using this important resource. Thank you.

     
  • Paul

    Paul - 2021-01-04

    There is no formal vetting, just as there is no formal vetting of KeePass releases.

    You could base your decision on the recommendations on this page.
    https://keepass.info/links.html#kp

    KeePass V1 was once vetted formally.

    cheers, Paul

     
  • Tom Wolff

    Tom Wolff - 2021-01-04

    Does the operator of the KeePass website and that page: Other downloads and links: Contributed/Unofficial KeePass Ports look at the submittals at all? Or do they just get posted? By vetting I didn't mean anything formal, "audited" or whatever, just do the Ports work as indicated, and are they secure, to some extent? If not, or even if so, is there any discussion venue in which users compare notes on these Ports? If one uses an iOS device or an Android device (typically at least a smart phone), how is he/she to know which such Port can be safely used? Or if one is better than another. Am I missing something? Seems like a legit concern.

     

    Last edit: Tom Wolff 2021-01-04
  • Andrei

    Andrei - 2021-01-04

    Tom, the website is operated by Dominik Reichl, KeePass author. The ports most definitely are added manually, not "just get posted". To get posted, an app should satisfy at least these criteria:

    1) be actually compatible with KeePass, at least in description (unlike a certain fake KeePass app in the Apple AppStore)
    2) respect the naming guidelines in the footer (for example, "KeePass Touch" does not, so it is not listed)
    3) possibly something else.

    "just do the Ports work as indicated, and are they secure, to some extent?"

    This is quite hard to verify beyond reading app description. I would not expect Dominik to have a BlackBerry, Sailfish and Palm OS devices only to check apps for each of these platforms. The links are merely pointers for interested users. I guess the same applies to KeePass plugins.

    "If not, or even if so, is there any discussion venue in which users compare notes on these Ports?"

    There are a few threads in this forum, as well as in r/KeePass on Reddit.

    "If one uses an iOS device or an Android device (typically at least a smart phone), how is he/she to know which such Port can be safely used?"

    Most people simply check app reviews.

    Android apps are a bit easier to verify, because they have to declare network access permission. "No network access" is a good sign the app won't be able to steal your data even if it wanted. On iOS, unfortunately, network access permission is granted to all apps, even those which don't want it. So even when the developer wants to make a provably safe app, iOS does not provide technical guarantees to do so.

    Some people also consider indirect signs:

    • Due diligence: check online for known scandals (try "lastpass leak")
    • Is the source code open for scrutiny? It's not a guarantee of fair play, but a good sign.
    • Does the developer hide behind a nickname/obscure offshore company?
    • How does the developer make a living? (ads, donations, paid versions... None of that? Hmm...)

    Expert users simply add a firewall rule to cut their password manager from the network.

    Finally, a few developers personally check the source code and build their own version of the app.

    But in general, you are on your own. You have the freedom to choose the app, but this freedom implies full responsibility for making the right choice. Only you can decide whether an app is trustworthy and good for you.

    (Source: two of my KeePass-compatible apps are listed as unofficial ports.)

     
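    The firewall rule that Andrei's post mentions, as an added example (not from the original post or from the KeePass project): on Windows, block all outbound traffic from the KeePass executable so that neither the application nor any plugin loaded into it can reach the network. The install path below is the default for KeePass 2.x and is an assumption; adjust it if KeePass is installed elsewhere or run as a portable build.

```powershell
# Added example: cut KeePass off from the network with a Windows Firewall rule.
# Path is assumed (default KeePass 2.x install location); change as needed.
$KeePassExe = 'C:\Program Files\KeePass Password Safe 2\KeePass.exe'
$RuleName   = 'Block KeePass outbound'

if (-not (Test-Path $KeePassExe)) {
    throw "KeePass executable not found at $KeePassExe"
}

# Remove a stale rule with the same name so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Outbound block for the KeePass process on every network profile.
# Plugins run inside KeePass.exe, so the rule covers them as well.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Outbound `
    -Program $KeePassExe `
    -Action Block `
    -Profile Any `
    -Enabled True | Out-Null

# Verify: show the rule and the program it is bound to.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallApplicationFilter |
    Select-Object Program
```

Run this from an elevated PowerShell session. To confirm the rule takes effect, start KeePass and use Help > Check for Updates; the check should now fail. Note that this only covers the desktop program: it does not help with a mobile port, where the app's declared permissions (on Android, the presence or absence of `android.permission.INTERNET` in the manifest, visible with `aapt dump permissions app.apk` from the Android SDK) are the closest equivalent check.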
  • SteveShank

    SteveShank - 2021-01-04

    People frequently ask that very question and users respond. Some users have answered lots of questions intelligently and thoughtfully, so I value their opinions. Lots of people recommended keepass2android particularly for syncing, so I tried it years ago and liked it a lot. There have been recommendations also for iOS and/or Macs. For plugins, recommendations occur when people want to do something. Also, some authors have made multiple plugins, and when I've used one and it is great, I tend to be more open to another.

     
  • Tom Wolff

    Tom Wolff - 2021-07-11

    Unfortunately I cannot find any useful discussion of the merits, security, etc. of the Plug-Ins and Extensions that make KeePass function as fully as some of the "better" paid proprietary software (non-open source) PMs: https://keepass.info/plugins.html The suggested links above (in this thread) have nothing. It has also been suggested that one could view any comments and reviews where the Plug-Ins or Extensions are hosted, which is better than nothing, but not much, having looked at those.
    I would like to suggest a formal KeePass provided place to host such a KeePass-centric discussion per Plug-In and Extension title, particularly with respect to the functionality and security of the Plug-Ins and Extensions listed on the above referenced page, possibly to include suggestions for their developers. At some point, if sufficient discussion were to ensue, users might be able to rank the alternatives, inputting their "user rankings," not KeePass endorsements. An idea. There is no expectation that Dominik Reichl would vet the listed Plug-Ins and Extensions--and never was, despite some of the answers above, "excusing" him. I do not know how much it would cost to implement such a venue/page and show the user rankings or the alternative Plug-Ins and Extensions (Would it be too much to have the user's rank both functionality and security, with the average of the two shown next to the listings--if sufficient data were present?). I pledge a $1,000 donation if this idea is implemented, to help defray any associated expense. I would love to see a link for any/every Plug-In and Extension listed, perhaps in the form of its user ranking, a live link to the associated discussion and user rankings/ratings. (I do not care if the competing Plug-Ins and Extensions get listed on that page in any order relative to the user rankings, alphabetically, by historical precedence, or however they get there now.) Perhaps I am being naïve in hoping or assuming that KeePass users are sophisticated enough to make proper use of any such facility, or that Mr. Reichl even reads this stuff.

     
  • Paul

    Paul - 2021-07-12

    Are you proposing some sort of forum?
    Given we are all volunteers I can't see anyone managing / moderating such a thing - we already have this forum to keep an eye on.

    cheers, Paul

    p.s. Dominik reads all posts here.

     
  • Tom Wolff

    Tom Wolff - 2021-07-12

    I have gone into the incentives and details to the extent required to make my case--whether doable or not, or whether the incentives seem like anything to Mr. Reichl, I wouldn't presume to know. If this is not a thing, then this thread/post/suggestion will pass into history. I am serious about my donation pledge, FWIW. How such a thing could be implemented I am not about to presume to know. If "moderation" of the posts/rankings/ratings is needed, Mr. Reichl can seek volunteers, and I would consider participating, but without any history on my part with KeePass participation, I doubt that I would be acceptable, some guy coming out of nowhere making suggestions? The suggestion must stand on its own logic and appeal, notwithstanding if or how it could be implemented. To use KeePass on a smart phone requires use of an app, about which there is little reliable information--"read the reviews of the app, its ratings where the app is offered." To take advantage of the numerous Plug-Ins and Extensions listed on the KeePass page requires trust that they do as claimed AND are not a source of insecurity. It is understood that nothing beyond the convenience of being listed is implied by the KeePass listing, as to functionality or security. I do not know if such Plug-Ins and Extensions, and apps for other devices are even open source code, as is KeePass proper. Perhaps someone could comment on that.

     
  • Tom Wolff

    Tom Wolff - 2021-10-13

    Must the Plug-Ins and Extensions listed on the KeePass pages be open source, to be listed there? I can't tell. What about apps/ports/forks allowing KeePass files to work on other (not MS Windows) devices, for example Android or iOS devices (not to mention Linux, Mac, etc.)? Under Downloads find Contributed/Unofficial KeePass Ports for a list of such apps. From what I can tell, they need not be open source (OS), that is the fork, ports, or apps. But in their descriptions they usually mention if they are OS or not, ad-free, free or paid. I would presume so, but since there appears to be little vetting, or any comment as to what a listing means, aside from the ostensible intent of the Plug-In, Extensions, or app for another device, how to know? Anyone? There is a paragraph under Plug-Ins addressing Security. As far as iOS apps, there is this which is quite helpful put up by the KeePassium developer, I believe: https://keepassium.com/articles/keepass-apps-for-ios/ Which does mention whether open source or not, together with a comment on ethics. For Android there isn't any such review page, and the user must look up the listings in the Google Play Store or elsewhere from here: Contributed/Unofficial KeePass Ports under Downloads to do his/her own diligence. Sorry for being such a pest about this, but it seems pretty important. If I am displaying basic ignorance, please take pity and advise, as I am not the only newb who may be looking for this kind of info.

     
    👍 1
  • Paul

    Paul - 2021-10-13

    We do not have the time or resources to vet / assess 3rd party apps, so it's up to the developer to provide relevant information - we are all volunteers.

    If you have queries about a specific app, someone here has probably used it and can help.

    cheers, Paul

     
