Hacker News | subdavis's comments

> Next week Anthropic will do something evil and everyone will be moving back to OpenAI.

Anthropic has been, relatively speaking, the most responsible of the frontier labs since its founding. There has never been a point at which OpenAI took a more measured and reasonable approach while Anthropic proceeded dangerously.

These are relative terms, but you'd have to not be paying attention to find this plausible.


Indeed. Why engage with ideas on the merits when you can color (literally) your own opinion of them before even reading.

I guess if you just prefer wearing horse blinders?


There's nothing about this that's horse blinders. It's literally a way to highlight riders that you both agree and disagree with. It actually makes it more likely that you're going to engage with the ones you disagree with, because now they have a red orb.

Might as well just have one ambiguous orb, then.

For a further improvement, let the extension set some orbs automatically at random, to encourage discoveries. Then upgrade this to all the orbs.


The keepass ecosystem is comprised of a dozen implementations of the KDB(X) file spec. Some are better than others.

I built KeePass Tusk back in 2018, for example. This would kill the project and abandon 30K users without a rewrite of the JS engine (there are several now!)

I agree with you that KDBX sucks, but at this point a keepass based on SQLite would be keepass in name only, a new password manager to migrate to.


Breaking format changes are not such a major issue, they happened before: kdb → pre-2.08 kdbx → kdbx3 → kdbx4. If the new format is worth it, popular apps will adopt it within a few years — while still supporting older formats. Users would just stick with their current format until the ecosystem catches up, as it happened with KDBX and KDBX4.

Good to see you in here! You make a great point, historically the breaking changes have not really affected users. You kept your db as is, and it would get migrated if you wanted to use new features. A friendly warning on open with a prompt to migrate to unlock new features (after gaining ecosystem traction) would be reassuring to users. On a more technical note, is there anything on your end with KeePassium that would be greatly improved, especially regarding potential improvements to auto-fill memory usage?

Nothing major, mostly UX improvements that could be defined as part of the new format. For instance, custom ordering of entry fields is not possible now because existing apps just sort them alphabetically on save. Multi-URL storage is basically KP2A's workaround adopted as-is by other apps.

That said, most of the concerns raised by the article — outdated schema, inefficiencies, governance issues — call for a new iteration of database format, but not necessarily SQLite. However, we would still be debating how to represent entry templates and how to accommodate features that stretch the format's initial assumptions (be it multi-URLs or smart groups). We may still discover that passkeys need more fields than initially foreseen. Then someone would come up with an item-level access rights scheme. Then something else.

All of these are already possible with XML+Gzip, just as much as with SQLite/SQLCipher. The main advantage of the latter is the standard, multi-platform library with a permissive license, instead of KDBX's specialized parsing. Switching to SQLite would probably lower the entry barrier for new apps. Which would be a good thing on the surface (more choice), but could end up with the same devil-in-details bedlam as the status quo.


I really appreciate your commentary here! I understand that SQLite would not automatically solve the politics issue. As ctoth mentioned, it would serve as a "flag day" for the KeePass community to hopefully cover everyone's bases in a formal manner. Schema versioning and evolution is way more up SQLite's alley. An SQLite schema has referential integrity which an XML schema lacks, making it harder to misuse and contort. It is also far simpler to modify a query in the event passkey storage needs to be changed than it is to modify the parser.

The lower barrier to entry probably also reduces the number of catastrophic parsing mistakes a developer can make. This is a net positive gain for the wider ecosystem of external tools which do not have to re-implement the whole parser. Every language has a great SQLite library, the same cannot be said of KDBX.


As for autofill memory limitations, this is largely an implementation detail: just process the data stream in small chunks, that's it.

Unfortunately, KeePassium's data layer was designed in the times of iOS 11, before AutoFill became a thing. So I chose the easier path of loading and processing the whole file at once. This made sense for 10-20 MB databases on iPhones with 2 GB of RAM. By the time the mistake became obvious, it was much harder to switch to streamed processing, especially with a long queue of lower-hanging feature requests.


This class of mistake could have been wholly avoided if the format was SQLite based because there is no assumption that everything must be loaded into memory. Of course I defer expertise to you, but I've had a far better time with SQLite than I've ever had with XML parsing (OFX/QBO still bother me...)

Hey I’ve seen your project before! You bring up a super good point that I was thinking of when I brought up the idea that the extension should be renamed to .kp . Really the only reason to keep the KeePass name would be branding, people know and trust it. Honestly my dream password manager is essentially something that uses the CodeBook (by SQLCipher authors) storage format, but with the nice trustworthy, FOSS KeePass ecosystem chrome on top of it (keepassxc<-browser>, keepassium, etc).

I had to install the separate gcloud and gsutil utilities and use one to synthesize a login session for the other this week.

Took fully 10 minutes to install from homebrew.

I do not believe in this company.


Is this malware yet? I’m afraid to open it.


Adblockers lit up when accessing it so I believe there is something going on.


More concerned (for the author) about someone trying to host/show illegal material. AI guardrails can only be so effective.


Or even worse for the author if his Claude subscription gets cancelled.


True. I suspect they will ban you depending on refusal frequency and severity.


They just need to turn on the CSAM filter in cf/whatever they use and they're probably good


That's certainly one of the things to be concerned with. Not certain how that's implemented, but I can still see there being holes in that strategy.


Mostly just laggy


Just opened it, nothing to see here.


How much piracy do you do?


I've ripped and archived CDs for well over a decade, purchase from Bandcamp and — if I can't find a way to buy it — I'll find it and buy a shirt or something from the band as directly as possible.


I love a poll that doesn’t tell me what I’m voting for. I can only assume this is an advertisement stunt and not intended to collect any data?


It's an advertisement for noai.duckduckgo.com, a version of DuckDuckGo that disables the AI features and tries to filter out AI-generated content. (Or, if you choose "yes", it's an advertisement for DuckDuckGo's AI features.)


Aside from the fact that it kind of obviously is if you "vote", the fact that it says "Not sure yet? That's okay — vote anyway!" is kind of a giveaway that this isn't going to produce anything like rigorously useful data on the question (it produces a lot of other data though!)


At least for me it tells me about some options to use AI privately for DuckDuckGo so I assume it's from them. Possibly collecting views for AI-generated search results.


Yes, it seems to be DuckDuckGo advertising that they'll let you control the use of AI in searches rather than foisting it on you by default the way e.g. Google does.


GABBO! GABBO! GABBO!


I editorialized slightly on the title, but this post made me want to go and play more with the personality in my Claude file to reinforce some of these same values. I might even copy some of it verbatim.


I don’t know what you think young people’s social media feeds are like, but I guarantee you it’s not “100 random users”.

A small minority of users are producing the vast majority of content.


Every Twitter post that goes viral is about people with hugely successful lives. I see this much more seldom on Instagram or Facebook


I would love to see some deep economic analysis of what the fuck is going on with Bombas. Why is everyone on the internet trying to sell a helix mattress? How does a marketing department even negotiate that many different contracts with that many small scale influencers?

Bombas documentary pls.


Squarespace are the real pioneers here

