Archiving Android Password Store

[msfjarvis]

Hi,

Over the past 3 years the pace of development in APS has steadily fallen off as maintainers including myself have moved on to other things. I no longer have time and motivation to dedicate to this project, and in the absence of significant external contributions there is no-one else I can offer the project's stewardship to.

To that effect, I will be archiving the repository on Monday, October 14th 2024 at 7AM GST. In the situation that a serious and viable fork emerges, I will help them as much as I can with the transition. The criteria for what counts as "serious and viable" is entirely vibes-driven for now, and may become more specific in the future. In case I determine that a fork does not live up to my made up standard, they will have to come up with a slightly more creative name than "Android Password Store" and watch low 4 figures of cash wither away in OpenCollective's bank account.

Below is a more complete list of Password Store related assets outside of GitHub itself and how I intend to handle a transition if there is one.

1. The https://passwordstore.app domain
   • This has been renewed for the next 9 (max duration) years on its current registrar Porkbun to prevent link rot and potential takeover by spammers.
   • I will transfer the domain over to whatever registrar the future maintainer would like to use.
2. The websites are hosted via Netlify and I will not be taking them down as long as I own the domain.
   • I will simply disable the Netlify projects.
3. The Google Play listing at https://play.google.com/store/apps/details?id=dev.msfjarvis.aps
   • I will un-list the app and add a notice in the page for existing users redirecting them to the new maintainer
4. The OpenCollective organisation
   • I am not entirely sure yet. It's objectively not a lot of money — 2406 USD as of writing, with a 134.16 USD Porkbun invoice awaiting processing — but it's also not insignificant. A part of me thinks I've probably earned it by this point, but I also can't bring myself to take it when I'm quitting the whole thing. I'm open for feedback here, which is why this post is being made in the first place.
5. GitHub Sponsors
   • Currently active sponsors will receive an email with a link to this post and I will let them cancel their sponsorships themselves.
6. Crowdin
   • I am open to transferring this

Over the (almost exactly) 6 years I've worked on the project there have been a lot of ups and downs, I am glad to have made the acquaintances I did while interacting with the community and it has been a learning experience for the whole duration.

[Tycho-S]

Too bad you need to stop working on it, it's an amazingly useful password manager and I still use 'pass' every day in conjunction with yubikeys. Your app helps me to use it on mobile. I like the way there is no password that could be brute-forced because the encryption is handled on the private keys on the yubikey.

But I understand it is not viable to continue. I don't have the skills to take it on. I really hope someone else does! The main thing I think it needs is maintenance, compliance with new APIs etc. I don't really see the need for any new features because it's stable and works really well. Perhaps passkey support which I see in the branches you've worked on in the past. But it's not a big one for me as I tend to use the yubikeys directly for the handful sites that support it.

In terms of the money, I donated in the past also and I think you earned it. I've been using this for years.

PS: Will it disappear from F-Droid now that it's been archived?

[msfjarvis]

Thanks for the kind words :)

Will it disappear from F-Droid now that it's been archived?

I don't directly handle the F-Droid side of distribution but I imagine either a manual reviewer or their usual staleness checks will eventually detect that the project is archived and take appropriate action.

[amirhomayoun]

Thanks for all you have done throughout the years. When I first thought about switching to pass 3-4 years ago, the first thing I did was to check for an Android app and it worked so well that I switched the next day!

As for the contributions, I'd say you have definitely earned it, you never owed any of us users anything and shared the results of your efforts with everyone with no expectations in return, I personally am grateful for that. I think you should take it, at least one fewer thing to keep track of!

As for archiving, are you sure that won't remove the stars the project already has? Why not leave a disclaimer notice on top of the readme about it not being maintained? Archiving sounds a bit aggressive, but you know best. I guess without a new maintainer and a transition, the app will stay on Google Play store under the same name for now?

I'm sad about this (as I use it daily as my password manager), but understand that you don't have unlimited time to spend on the project. Thanks for creating and maintaining it all these years and for being transparent with the users now. :)

PS) What are you using yourself for managing your passwords? Guessing you were using APS and have moved on now?

[msfjarvis]

As for archiving, are you sure that won't remove the stars the project already has? Why not leave a disclaimer notice on top of the readme about it not being maintained? Archiving sounds a bit aggressive, but you know best. I guess without a new maintainer and a transition, the app will stay on Google Play store under the same name for now?

Archiving doesn't remove stars, only making a repo private does. I have an archived repo that's still retained its stars years later. I've made the choice to archive the repo instead of just adding a note because it communicates the intent accurately, and people who miss the note won't feel like they're screaming into a void when their issue gets no response.

I intend to delist the app from Google Play, after which it will only be accessible to users who've installed it previously.

I'm sad about this (as I use it daily as my password manager), but understand that you don't have unlimited time to spend on the project. Thanks for creating and maintaining it all these years and for being transparent with the users now. :)

PS) What are you using yourself for managing your passwords? Guessing you were using APS and have moved on now?

I haven't migrated to something else yet, but I plan to switch to Bitwarden and a self-hosted Vaultwarden server.

[amirhomayoun]

Funny, I recently (completely unrelated to this) have set up a self hosted vaultwarden to just try it out! Looks like I'm following your steps unintentionally!)

[WhiteBlackGoose]

Thank you for your work!

[stefanv]

@msfjarvis Thank you for all your work on this project. My modest donations are for you to do with as you wish; they were intended to help keep the lights on, as some small recompense for your time, and as an expression of gratitude for a very useful project (the beta build which I still use every day). 🙏

[stefanv]

BTW, for those looking at alternatives: I am planning on running pass through termux. Not nearly as nice an interface, but gets the job done.

[Tycho-S]

I'm just planning to keep using this app to be honest. Even if it's not picked up (though I'm still oping somone will maintain it because it's so great!). The encryption is handled by OpenKeyChain and my yubikeys of course so that should still be secure. And termux doesn't have Android password manager integration. I'm sorry to hear it'll disappear from F-Droid but I'll save the APK. It hasn't had a release since 2021 anyway (and it didn't really need one because it still works great).

I don't like bitwarden because I don't believe in using a master password, I feel like it's an achilles heel and entering the password exposes the whole database, wheras pass only exposes one password every time I use my yubikey (Every password is encrypted individually using the yubikeys). Also, bitwarden still don't support using only Fido2 keys for every app, I believe only using the web and desktop app.

[filiprojek]

Which version of APS are you using? I've had no luck setting up APS with OpenKeyChain and my YubiKey.

[msfjarvis]

https://github.com/android-password-store/Android-Password-Store/releases/tag/v1.13.5

[fmeum]

Thank you for everything you have done for APS and its community over the years! I've always looked up to you as an OSS maintainer and can relate to the "highs and lows" that come with this role.

I really enjoyed working on the app with you and I'm sorry that I couldn't continue to do so. You truly deserve all the money that remains in the OpenCollective, so please don't feel bad in the slightest for taking it. Good luck with your future endeavors!

[tomkel]

I'm open to maintainership. I've been running this app's nightly builds and auto-updating with Obtainium for 1-2 years. There's the occasional build which breaks and the app just freezes, which has motivated me to download the code and poke around in the past. But it works at the moment, so I haven't done any dev work as of yet. I'd rather maintain this than switch over to Bitwarden because I've invested pretty heavily in pass & co. It'd be nice to complete the new backend work to get it out of nightly and into stable, and to keep up with the latest in the GPG ecosystem: https://tests.sequoia-pgp.org/

I guess then for me the next move would be to fork and do some work. If you (@msfjarvis) have some ideas about issues you think should be prioritized, feel free to mention them. I'm also open to DMs or voice/video calls.

For everyone watching this space: I'd wait until I actually commit some code before getting excited. Myself and many others in the OSS space have a lot of intentions and goals and aspirations, yet many fall through. Hopefully this message is not me getting ahead of myself.

[msfjarvis]

You can check out the most recently closed issues in https://github.com/android-password-store/Android-Password-Store/milestone/19?closed=1

[Tycho-S]

Just the latest one. Ping me directly and I can help you set it up :3

…

________________________________ From: Filip Rojek ***@***.***> Sent: Saturday, October 12, 2024 9:44:41 PM To: android-password-store/Android-Password-Store ***@***.***> Cc: Tycho Schenkeveld ***@***.***>; Comment ***@***.***> Subject: Re: [android-password-store/Android-Password-Store] Archiving Android Password Store (Discussion #3260) Which version of APS are you using? I've had no luck setting up APS with OpenKeyChain and my YubiKey. — Reply to this email directly, view it on GitHub<#3260 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACUMU6H5SCNJDQVRNIH63PDZ3F32FAVCNFSM6AAAAABP2MM7KGVHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAOJSGQ3DEMA>. You are receiving this because you commented.Message ID: ***@***.***>

[filiprojek]

I tried setting up APS 1.13.5 again, but I think I have OpenKeyChain set up wrong. I don't know how to ping you here. Could you please send me an message? You can find my email or telegram at https://filiprojek.cz. Thanks!

[l3u]

It would be really, really cool if somebody stepped up and continued to maintain this brilliant piece of software. I use it on an almost daily basis. The OTP support makes other apps for this purpose dispensable, so I have all my stuff stored via pass – accessible both on my desktop and my phone. And doing this using the normal console tools and putting it into a git repo simply feels so much better than using some other password manager for that that it would really be a shame if this app vanished.

Alas, I have no idea about Android development, if this was e.g. C++/Qt, I could help I think (e.g. I coded a bit on QtPass some time ago). But I'm sure some of you can. Please rock this ;-)

PS: Just speaking of me, but it could happily continue to use OpenKeychain – I use it for K9Mail anyway …

[hansbogert]

ah man, just a user here. Occasionally I check in to see status on explicit subkey support in the .gpg-id file. It led me to the whole rabbithole and slight understanding how complex and time invasive this all is.

Thank you for having provided the app as long as your did, that was probably not easy.