Storm in a teacup, as tends to be the norm on the internet.
Not only this is nothing new and nothing unexpected to happen in Sid of all places, but it’s also something that helps bring keepassxc more in line with packaging guidelines on Debian. They already have lots of packages, both of the mutually-exclusive kind and of the complementary kind, with “foo-full”, “foo-minimal”, “foo-data” etc naming. p7zip and nginx of all things are quite interesting examples.
Plus, the author of the post sensationalizes the title to brigade the issue.
All that said:
- If the maintainer wishes to do this, “only” having two packages is a half-assed measure and that causes more issues in the long term. I’d expect three packages:
keepassxc-minimal,keepassxc-fulland the retained namekeepassxcas a virtual package name. - Furthermore, a direct upgrade path should go from (previous)
keepassxcto (proposed)keepassxc-full. - I don’t know enough of KeePassXC to know if something like
keepassxc-datawould be needed. Are there potential cases where one would want to switch between “-full” and “-minimal” or viceversa without the system seeing a software uninstallation in the meantime? - The “crap” rationale is definitively something we all can do without, but given how people tend to brigade developers who try to do things, I can completely understand and support raising shields and looking defensive because some damage is already going to be done.
- Most responses are right in that the right place to discuss this is in the opened Debian bug report. The entire point is to see Debian (not KeepassXC) handle this before things get to Next Stable.
- If the maintainer wishes to do this, “only” having two packages is a half-assed measure and that causes more issues in the long term. I’d expect three packages:
deleted by creator
Debian sid user here, and long time keepassxc user
Debian maintainer didnt communicate this well, but i agree that i dont want my password manager having any access to networking or interacting with anything other than the clipboard.
I’m not a developer or a security expert. This is just my gut feeling talking
The response by the debian maintainer responsible for this change to the keepassxc developer is an actual disgrace
Request to revert change:
@julian-klode this needs to be reverted asap. This is now our fourth bug report because of the decision to neuter the base KeePassXC package in Debian. Put the base package back where it was and create a keepassxc-minimal.
Response by debian maintainer:
julian-klode commented 9 hours ago: I’m afraid that’s not going to happen. It was a mistake to ship with all plugins built by default. This will be painful for a year as users annoyingly do not read the NEWS files they should be reading but there’s little that can be done about that. It is our responsibility to our users to provide them the most secure option possible as the default. All of these features are superfluous and do not really belong in a local password database manager, these developments are all utterly misguided. Users who need this crap can install the crappy version but obviously this increases the risk of drive-by contributor attacks.
The whole github issue is worth a read, as it actually explains the issue with the change.
users annoyingly do not read the NEWS files they should be reading
Devs having too much time.
Ι don’t agree with what they did. They removed browser integration, not just the “favicon” thing. If this was a problem for normal users, well, normal users would just use Firefox’s built-in password manager, not keepassxc. That change made the app useless to me, and going forward it will be a headache for NEW users who won’t know of the -full package. It was a bad decision.
The Debian maintainer is probably a volunteer. Can we not troll people who make Debian and Foss possible?
To be fair, it looks like the debian maintainer started the unfriendly discourse by calling the work of other FOSS devs “crap”
Everyone needs to chill out, otherwise we have another potential XZ social engineering attack
It would be catastrophic for something like keepass to have a malicious maintainer take over
The KeePassXC people are also volunteers and dealing with the fallout of this decision.
They didn’t “strip” anything, they’ve split it into 2 variants, a package without networking features (
-DWITH_XC_NETWORKING=OFF) and a package with them, because it’s considered a privacy issue to have your password manager phone home and fetch favicons and so on. The packages will be calledkeepassxcandkeepassxc-fullgoing forward.KeepassXC replied on that thread that it wasn’t just the privacy problematic networking that was removed:
that bug report is bunk. He removed ALL features, not just networking. That includes yubikey support, auto-type and browser integration.
I expect the KeepassXC people are mostly bothered by the naming of the package because the version called “keepassxc” is now the basic one. Anyway, the maintainer has offered to call them
-minimaland-fulland to make “keepassxc” a metapackage that pops up a debconf dialog telling users that install it to choose one. There is precedent with other complex packages that are split into basic and full. This should solve things nicely for everyone.
Afaiu it, he added a second package with (quote) “all the crap” later, after the storm.
And no, it wasn’t just the favicons feature that was removed (which like … is that really such a big privacy issue that you need to remove it from the binary?). Support for Yubikey was removed as well — which is not a privacy issue. The reasoning mentioned by the Debian maintainer is that all of these features might turn out to be security issues in the long run. Thus, in his view, a password manager application must do nothing but provide access to the database within the app.
I find it an interesting example of diverging upstream, maintainer, and user interests in any case.
I find it a lot of unnecessary fuss over unstable. Sid is supposed to make breaking changes, you offer feedback and you follow it through politely. The next Debian stable is one year away, this is not an urgent matter
There are so many people who think sid is a distro when really, as far as the Debian project is concerned, it is a staging ground.
Its also in testing.
And no, it wasn’t just the favicons feature that was removed (which like … is that really such a big privacy issue that you need to remove it from the binary?)
Fetching a favicon means raising a network connection with a predictable endpoint. That’s already three concerns (four on the modern internet) to handle security-wise, and it’s absolutely an unneeded feature. Favicons could just be shipped on something like
keepassxc-dataorkeepassxc-contribto handle locally, no need to raise a network call.
I highly recommend reading the Github thread as this is not at all an accurate representation. These features you’re talking about are off by default. Removing them from the existing package is just breaking existing users. There’s already a report from a user who can’t access their passwords because yubikey support was suddenly removed. You don’t do that to users just because you suddenly develop an opinion as a package maintainer that you feel is important. There was no dialogue, no consideration and a very rude, dismissive attitude of Julian.
There’s already a report from a user who can’t access their passwords because yubikey support was suddenly removed.
Yeah, well, this is Sid. It’s called unstable for a reason. You have to read the changelogs or bad things will happen.
By the time it lands in stable it will most likely have a debconf dialog warning users and letting them transition smoothly to the version they want.
Rip keep ass xc emacs style defaults.
Keepassxc systemd integration when?
