An anti-AI fork of KeePassXC just appeared
The developers of KeePassChi are more than just skeptical of LLM code contributions.
A trio of developers has made public its KeePassXC fork called KeePassχ, and it's meant to stay completely free of LLM-assisted contributions. The project is a direct response to KeePassXC leadership officially allowing "responsible" LLM usage in its development.
Meet KeePassChi
KeePassχ, or phonetically and URL-ly, KeePassChi, is forked from KeePassXC version 2.7.10. This was the last version before KeePassXC explained a policy change indicating that it would officially make contributions born of "Generative AI" acceptable.
The KeePassXC policy itself states that LLM use must be well-documented in pull requests, and that those contributions would be subject to the same "rigorous review process" that all contributions get.
KeePassχ's developers don't see that policy as strong enough. Or, rather, they don't see a strong enough reason to afford LLMs and their users any trust at all. On the project's home page, the developers state:
A password manager doesn't need 300 regular contributors armed with 14 LLMs; it just needs to do its job, be stable, and be ported to Qt 6 already.
Who's behind it
The developers describe themselves as "a small group of engineers with extensive open source maintenance and information security experience." One of them, named Catherine, posted a link to the project with the text "alright here we go".
The toot had several hundred boosts and favorites at the time of writing. That indicates the treat the KeePassχ team is baking has an undeniable pull among the open source community.
Diving in
To learn more about the project and its developers, you can go to KeePassChi.org. Right now, the URL just takes you to the project repositories on Codeberg, which displays the reason for the fork.
If you were hoping to download it, there aren't any actual releases for KeePassχ yet. In fact, the main repository has only seen a few initial commits, all within the past 24 hours; the README still links to KeePassXC resources. It's not clear when we'll get an actual release.
Zooming out
Why this fork matters: The advent of generative code has upended open source development in many ways. Different projects have responded in different ways, and one of the more interesting responses is the sprouting of new projects. This is the first seemingly serious fork of KeePassXC I've seen based on mistrust of LLM code alone.
Lingering questions:
- Many open source projects struggle to filter LLM code, no matter their official policy. KeePassXC noted this in its reasoning for the new LLM policy, stating "... it made little sense to ban AI submissions by third-party contributors. Such a policy would be near-impossible to enforce anyway."
- It's not clear how the KeePassχ team will go about enforcing purity.
- Forks of popular open source software come and go all the time. Will KeePassχ stand the test of time and establish itself in the FOSS ecosystem and community?
My take: I've been using KeePassXC as my primary password manager for years. Password security is nothing to take lightly, and while KeePassXC's policy explanation makes good points, I instinctively lean away from LLM use wherever possible.
- If KeePassχ gets serious development, I'll switch.