🇮🇹 🇪🇪 🖥

  • 0 Posts
  • 77 Comments
Joined 6 months ago
Cake day: March 19th, 2024

  • Looking at keepassXC doc I couldn’t find such setup. Maybe it’s possible, but maybe it also leads to trouble down the road. The “official way” seems to use cloud storage.

    You keep saying external server for syncthing, but again: syncthing does direct data transfers, encrypted end to end, between devices.

    I mention that but with a specific context.

    • people with certain ISPs will need to use the relay transfer feature because direct connections can’t be established. Similarly, if you work in an office and you use the corporate network, you usually can’t have device-to-device working (can be both from a technical POV and from a policy POV).
    • even with 0 data transfers, servers still have some trust in establishing your direct connections. I know that syncthing uses keys to establish connections, but that’s why I mentioned CVEs. If there is one, your sync connection could be hijacked and sent elsewhere. It’s a theoretical case, I don’t think it’s very likely, but it’s possible. The moment you have a server doing anything, you are extending trust.

    In those cases then yes, you are extending a bare minimum trust, and your fully encrypted data would temporarily pass on the relay’s RAM

    And from my (consumer) PoV this is functionally equivalent to have the data stored on a server. It might not be all the data (at once), it might be that nobody dumps the memory, but I still need to assume that the encrypted data can be disclosed. Exactly the same assumption that should be made if you use bitwarden server.

    If this makes you paranoid

    Personally it doesn’t. As I said earlier, it’s way more likely that your entire vault can be taken away by compromising your end device, than a sophisticated attack that captures encrypted data. Even in this case, these tools are built to resist to that exact risk, so I am not really worried. However, if someone is worried about this in the case of bitwarden (there is a server, hence your data can be disclosed), then they should be worried also of these corner cases.

    I just get nothing from Bitwarden that syncthing and KeePass don’t offer more easily.

    You can say many things, but that keepass + syncthing is easier is not one of them. It’s a bespoke configuration that needs to be repeated for each device, involving two tools. bitwarden (especially if you use the managed service) works out of the box, for all your devices with 0 setup + offers all features that keepass doesn’t have (I mentioned a few, maybe you don’t need them, but they exist).

    I don’t know how or why you would have vault conflicts, but it really does sound like something fixable

    At the time I did not use syncthing, I just used Drive (2014-2017 I think), and it was extremely annoying. The thing is, I don’t want to think about how to sync my password across devices, and since I moved to bitwarden I don’t have to. This way I don’t need to think about it, and also my whole family doesn’t have to. Win-win.

    That said, if you are happy with your setup, more power to you. I like keepass, I love syncthing, I have nothing against either of them. I just came here to say that sometimes people overblow the risk of a server when it comes to a password manager. Good, audited code + good crypto standards means that the added risk is minimal. If you get convenience/features, it’s a win.


  • Agree on the versioning issue. In fact I mentioned that the issue is convenience here. It is also data corruption, but you probably are aware of that if you set up something like this. Manually merging changes is extremely annoying and eventually you end up forgetting to do it, and you will discover it when you need to login sometime in the future (I used keepass for years in the past, this was constantly an issue for me). With any natively sync’d application this is not a problem at all. Hence +1 for convenience to bitwarden.

    However KeePassXC’s sync feature does sync the vault.

    How does it work though? From this I see you need to store the database in a cloud storage basically.

    For mobile I just give syncthing full permission to run in the background and have never had issues with the syncing on the folders I designate.

    I use this method for my notes (logseq). Never had synchronization problem, but a lot of battery drain if I let syncthing running in the background.

    Nothing else passes through it unless you opt into using relaying in case you have NAT issues.

    I guess this can be very common or even always the case for people using some ISPs. In general though, you are right. There is of course still the overall risk of compromise/CVEs etc. that can lead to your (encrypted) data being sent elsewhere, but if all your devices can establish direct connections between each other, your (encrypted) data is less exposed than using a fixed server.

    If you are paranoid, the software is open source and you can host your own relays privately,

    This would also defeat basically all the advantages of using keepass (and family) vs bitwarden. You would still have your data in an external server, you still need to manage a service (comparable to vaultwarden), and you don’t get all the extra benefits on bitwarden (like multi-user support etc.).

    To be honest I don’t personally think that the disclosure of a password manager encrypted data is a big deal. As long as a proper password is used, and modern ciphers are used, even offline decryption is not going to be feasible, especially for the kind of people going after my passwords. Besides, for most people the risk of their client device(s) being compromised and their vault being accessible (encrypted) is in my opinion way higher than -say- Bitwarden cloud being compromised (the managed one). This means that for me there are no serious reasons to use something like keepass (anymore) and lose all the convenience that bitwarden gives. However, risk perception is personal ultimately.


  • Few reasons, with the most important being convenience. Syncthing is going to see just a binary blob as the password storage is encrypted. This means it is impossible for syncthing to do proper synchronization of items inside the vault. Generally this is not a problem, but it is if you happen to edit the vault on multiple devices and somehow syncthing didn’t sync yet the changes (this is quite common for me on android, where syncthing would drain the battery quite quickly if it’s always actively working). For bitwarden on the other hand the sync happens within the context of the application, so you can have easy n-way merge of changes because its change is part of a change set with time etc.

    Besides that, the moment you use syncthing from a threat model point of view, you are essentially in the same situation: you have a server (in case of syncthing - servers) that sees your encrypted password data. That’s exactly what bitwarden clients do, as the server only has access to encrypted data, the clients do the heavy lifting. If the bitwarden server is too much of a risk, then you should worry also of the (random, public, owned by anybody) servers for syncthing that see your traffic.

    KeeShare from my understanding does use hosting, it uses cloud storage as a cloud backend for stateful data (Gdrive, Dropbox etc.), so it’s not very different. The only difference would be if you use your private storage (say, Synology Drive), but then you could use the same device to run the bit/vaultwarden server, so that’s the same once again.

    The thing is, from a higher level point of view the security model can only be one of a handful of cases:

    • the password data only remains local
    • the password data is sync’d with device-to-device (e.g. ssh) connections
    • the password data is sync’d using an external connection that acts as a bridge or as a stateful storage, where all the clients connect to.

    The more you go down in the list, the more you get convenience but you introduce a bit of risk. Tl;Dr keepass with KeeShare/syncthing has the same risks (or more) than a Bitwarden setup with bitwarden server.

    In addition to all the above, bitwarden UX is I would say more developed, it has a better browser plugin, nice additional tools and other convenience features that are nice bonuses. It also allows me to have all my family using a password manager (including my tech illiterate mom), without them having to figure out anything, with the ability to share items, perform emergency accesses etc.

    Edit: I can’t imagine this comment to be deemed off topic, so if someone downvoted simply to express disagreement, please feel free to correct or dispute what I wrote, as it would certainly make for an interesting conversation! Cheers


  • Nobody talked about victims. I was just contesting your BS exaggeration. But I see you can only discuss in absolutes and you decided to simply ignore every single point I made and flip the table with all the cards.

    You must be really unsure about your ideas if you can’t defend them at all.

    YOU made it sound like reality is either you going around in complete peace and bliss without any danger whatsoever (man) or in complete terror with a deathly danger behind every corner (woman). Challenging this barbie view of the world is not aiming to flatten the differences (which I acknowledged since the beginning) between men and women.

    So yeah, nice try but no. Maybe reflect on your position and admit you used a hyperbolic statement next time, I dunno, it might work better than strawmen and moving the goalpost.


  • Women fear for their safety around men in public, and rightfully so. Period. It’s so fucking bizarre that anyone would ever try to argue against this.

    I am not. I am arguing against the fact that men don’t (need to) worry about their safety in public. It’s such a cartoonish way to think. You don’t worry, good for you!

    The statistics you’re quoting (and likely making up, but I don’t care enough about this to look) aren’t really relevant, I’m talking about real women’s real life experience.

    So one comment ago you were telling me to look at statistics, now it’s real life experience that matters.

    BTW, just search and you will find data, for example https://www.abs.gov.au/statistics/people/crime-and-justice/recorded-crime-victims/latest-release, https://www.statista.com/statistics/423245/us-violent-crime-victims-by-gender/ (which shows 2022 is essentially identical, but quite a gap in 2021), etc. Note that I am searching generic violent crimes. In terms of murders men are quite universally in higher number.

    Again, talk to women. Or if you can’t do that, read what actual women have to say about this subject. Do you not value the opinions of women? Do you not believe them when they speak about their personal experiences?

    This has nothing to do with my argument. I am not contesting women (need to) fear for their personal safety in public. If I were a woman there would be a host of additional things I would worry about. What I am contesting is the way you present this fact, as if the difference between men and women was a 0-100 difference, when it’s not.

    I don’t really see the reason to make up bullshit exaggerations to drive a point that stands on its own without them. Women have to worry and do worry differently, both in terms of quality and quantity than men when they go in public. There are certain risks that in public are fairly irrelevant for men, which doesn’t mean “men have nothing to worry about”. There are also certain risks that are much smaller for women (e.g., getting into a fight in a bar because some dude’s ego was hurt and needs to assert being the alpha).

    Why is it necessary for you to make a completely unrealistic assertion (which BTW disregards my opinion as man while talking about men, so “Do you not value the opinions of women? Do you not believe them when they speak about their personal experiences?” cit.) to support a very reasonable thesis? Do you think people can appreciate the safety issue for women only if they contrast it with a completely opposite (i.e., no issue at all) situation for what concerns men?


  • All the crimes I have mentioned are statistically way more likely than sexual assaults, a crime that notoriously happens mostly within one’s home. So what you just said seems to me completely in antithesis with the original message.

    Also, I completely disagree with your assessment. I live in a perfectly safe city and country, but when I travel I sometimes also go in worse areas, and most importantly I don’t even know whether I am in a “bad neighborhood” or not, because I don’t know the place. Hence I worry for my personal safety, which is exactly what prompts for those basic measures that you listed (and more), such as not flashing wealth unnecessarily. You do this exactly because you are aware that man or not you can be victim of such crimes just as much. In fact, statistics show that men are more likely to be victims of violent crimes in general, so I am not really sure where your core thesis comes from.

    Also worrying is not being terrified, it is understanding a risk exists and taking precautions. Either way, this idea that as a man you have nothing to worry about is completely idiotic.




  • sudneo@lemm.ee to Lemmy Shitpost@lemmy.world · How to treat a man · 27 days ago (21 up, 4 down)

    For too long it told men they can treat women however they want

    This is demonstrably false, as we have certain narratives that are literally millennia old (Latin literature) about courtship, romantic gestures, protection and all the other stuff usually associated with how men should treat women. Usually this is some form of protection/care for a lower/weaker being, but it is absolutely a way society has been telling men how to tell women for centuries.


  • I would say that what you said applies not to feminism in general (which historically had strong links to class struggle and anticapitalism), but to a part of the modern status quo feminism which is focused purely on individuals and has been absorbed by the ruling class (e.g., once the CEO is a woman, the goal is reached). This is not a representation of feminism in general though, and I would say the same can apply to many other movements as well (e.g., environmentalism, antiracism, etc.) that (in part) lost their revolutionary nature and are left fighting for small changes within the status quo.


  • sudneo@lemm.ee to Lemmy Shitpost@lemmy.world · How to treat a man · 27 days ago (4 up, 1 down)

    I think that in fact in at least some cases the lack of respect (or general ability to live a relationship with a man in a mutually loving way) is exactly due to that education. At the end of the day the flipside of the “subservient” attitude is that the man in the relationship is represented as a provider, with all the gender stereotypes that come with it: lack of emotions, self-reliance and of course the expectation for him to be a provider. I would say that most of the examples of bad relationships in this thread boil down to exactly these dynamics.

    Also we are not anymore in the 1950s, so that education today mostly happens implicitly, but it also gets mixed up with a lot of other messages from the wider society.

    I personally also disagree about the fact that men are not taught how to fit in their gender role. I think they are, since very little, symmetrically to how women are too and possibly even more explicitly: you need to protect women (incl. sacrificing because that’s what heroes do), the whole courtship thing, the fact that as a man you are responsible to provide for others, that there are certain activities that are manly, etc… Essentially it is the exact same problem: gender stereotypes and sexism go both ways and impact both genders, although in different ways.



  • Do you understand what an advantage is, and that there are N attributes where people have advantages?

    Anyway, how is this relevant to this particular comment chain?

    Can you now show a glimpse of intellectual honesty and show that your source uses poor data and therefore makes a wrong claim? Can you recognize that your initial claim that “Ledecky beats Phelps in long distance” is based on this one source that uses poor data?

    I feel like I need you to acknowledge that a comparison between 1-time trials for 15yo Phelps and Ledecky’s peak performance record was not a sane comparison at all, and that the little difference even in such a shitty comparison proves the opposite of what you were claiming.


  • Aren’t we discussing the arbitrary nature of the gender binary and the intersection of biology, genetic diversity, and ability?

    No. You are, maybe. I am discussing the way certain characteristics relate to categories currently used in sport. You started from here to then contest categories themselves, which I have no problem with, recognizing they have obvious limits and they are simply ok-ish proxies.

    And I’m pretty sure you are the one who started the confrontation

    I started a discussion. You turned every single topic of conversation into a polarizing discussion between two opposite sides, despite me being fully open to a lot of your ideas (like for example that categories are arbitrary, that limits are mostly arbitrary especially considering genders are a spectrum, etc.). You constantly force a me vs you fight, which pushed you to actually misrepresent my opinion a couple of times (remember when you claimed I am gender deterministic and see it as fully binary, few comments down from when I said the exact opposite?).

    Per the source, Ledecky beat Phelps.

    Bad faith 100%. You just made a rant of few lines about how I refuse to make research to further my knowledge (brb, taking a biology degree in between comments), and yet you deny reality about something so simple that doesn’t even require research, it requires basic math and a pinch of common sense.

    Yes, your source shows the personal best for Phelps for a race he did once, when he was 15 is (few seconds!) slower than Katie Ledecky peak performance record. I told you, I run faster the 100m than Bolt when he was 5, so I am faster than Bolt. I actually also outrun my mom’s car when it was without fuel, so I am faster than cars and I ride faster than the winner of the Tour de France when he was learning to bike, so I am faster than him! You can prove anything if you use a shitty enough comparison!

    I won’t even try to convince you, because it’s clear you are not here with the intellectual honesty to say “yep, my claim was bullshit”, I will just lay it out as it is to show how ridiculous your argument is. In fact, the source you showed could be used by anybody with a bit of honesty to prove the opposite: if Phelps at 15, without it being his specialty, could swim only a few seconds slower than Ledecky in her main specialty at peak performance, it is clear that men have advantages in swimming!

    Yes, regressive like fascists and every other terrible person who can’t fathom a better world so they make us all miserable with the status quo.

    Yes, exactly like that, it makes perfect sense. It’s obvious that anybody who didn’t welcome without questions your proposal (which is based on solid science and of course deep, deep understanding of all sports - see above for example swimming!) is a regressive fascist who hates a better world. That’s how the world works!



  • That is simply because you moved the topic of the conversation to something else. You changed topic twice, and now you are burdening me with providing a solution, when I was barely acknowledging the existence of a problem. Not sure why you are so unnecessarily confrontational, but I am arguing in good faith, laying down exactly what I mean and what I don’t. I am not going to search stuff on the fly I am not competent about to entertain a conversation you are forcing.

    Let’s also remember the other shameful thread in which you were claiming something objectively false (Phelps swims slower than Ledecky on distance), and after 3 comments of bad faith arguments you simply disappeared without ever acknowledging the mistake in your argument. Who is arguing in bad faith? You are the one that after being shown that your argument was based on comparing times when Phelps was 15 yo answered “being a teenager is an advantage in some sports”.

    So please, I don’t think you are in any position to moralize anybody. Including in this case, where I clearly said that even though I am not an expert, a quick search showed some objections to your proposal. Instead of addressing any of that, you just wrote this meta-comment about how I didn’t “debate the science”. So yeah, you want to call me regressive to support status quo vs the impromptu proposal of a random internet user who is not an expert in this either, with the proposal having no general support (I found one article having the same idea in addition to that reddit post)? Sure, I am regressive then.


  • I don’t have a solution. I started this whole conversation by simply answering “why being intersex is different from having scoliosis”, and we are at this point where you proposed a completely alternative way to slice competitions in sports. In my opinion your solution is impractical at least, let alone there might be tens of scientific issues that I am not aware of. A quick search shows that your idea has been suggested already in informal conversations, and even in a non-scientific forum received objections of missing advantages deriving from hemoglobin, reaction times, biomechanical advantages and sizes, all properties for which sex is a good proxy. This should be addressed somehow, and I am not in a position to do that, I am simply not an expert. That said, I am not against finding a better way to make sport both inclusive and fair/entertaining in principle. I simply believe, based on some reading and a basic understanding that your suggestion might not be it.



  • Are you misunderstanding my argument on purpose?

    You and I both know that testosterone is not the only thing. There are people who have different sensitivity (low reception) to it, for example, then there is the problem that testosterone (and probably other stuff too!) has a historical effect on development that is not captured by a snapshot in time. I am not strawmanning, I simply assumed that since both of us know that testosterone level at time T is insufficient data, you would need at least more parameters to make fair categories. If that’s not the case and you actually meant just using testosterone level and weight, then I think this is a bad idea. Actually, I think this is worse than the sex categorisation. This way you are 100% bundling together people with high T and low reception (i.e. didn’t get most of the benefits) with people with low T and high reception. You are also exposing yourself to men artificially lowering testosterone levels after having gotten all the historical developmental advantages to compete in “lower” categories (similarly to how it happens today with weight).

    They are only “corner cases” because you define gender as red and yellow and thus leave out orange, green, and purple.

    No, I don’t. They are corner cases because we can look at the reality and observe that this is a problem with a relatively small incidence. I think your proposal will present way more corner cases and problematic situations.


  • Swimming is not one of them for fucking sake.

    Are you done dancing around rhetorical arguments to avoid saying that you were wrong?

    Comparing the performance of a non specialized teenager swimmer with that of a specialized adult woman in peak adult performance is a shitty comparison.

    This is a fact that can be easily confirmed if you do 10 seconds of research and you check swimming records by age category.

    It’s fine, you used as source an article that made this claim based on shitty data, you have been shown that the data was shitty. The mature thing to do is to say “OK, that was a false claim”.