Email or username:

Password:

Forgot your password?
Top-level
tuxwise

@keepassxc An exceptionally bad decision to wreck a huge existing installation base, "because I can".

The rude reply by @juliank is condescending, and far from what I am used to read.

github.com/keepassxreboot/keep

54 comments
Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@tuxwise @keepassxc why do you think it's rude and condescending?

The first thing Debian users should be looking at when something changes unexpectedly is the /usr/share/doc/<package>/NEWS.Debian.gz

That is the way breaking changes are communicated. Users of testing/unstable are expected to have apt-listchanges installed to see them automatically.

Stable release users should read the release notes.

People annoying upstream isn't something I can solve.

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@tuxwise I took my time to reach the decision it went back and forth for a year, and the xz-utils thing eventually tilted things in favour of shipping as little code builtin as possible by default.

I do not believe however that there is a significant overlap between people who use Debian, keepaasxc, and people looking for a featureful password manager.

It just makes no sense to go with a local only password manager and then put gaping holes in it.
@keepassxc

@tuxwise I took my time to reach the decision it went back and forth for a year, and the xz-utils thing eventually tilted things in favour of shipping as little code builtin as possible by default.

I do not believe however that there is a significant overlap between people who use Debian, keepaasxc, and people looking for a featureful password manager.

Mathijs

@juliank @tuxwise @keepassxc I fall into this category, though I would obviously like to think I'm unique. Either way, you mentioned taking the time to make a desicion, and yet the upstream devs seemed to have been caught completely by surprise. That really shouldn't happen for what I hope are obvious reasons. What went wrong here? Did they just ignore all your communications and deliberations about this decision?

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@mvgorcum It's a question for the Debian project I polled other Debian developers on IRC. We already knew upstream's position on this.

Could I have communicated it to them? Sure. Did they abandon IRC years ago? Yes. Well there's some weird Heisenbridge thing but it's WEIRD and nobody has talked to me for years. ๐Ÿคทโ€โ™‚๏ธ

I barely have the energy to package new versions, seeking out and engaging with upstream on these grounds on downstream decisions is a tad much.

@tuxwise @keepassxc

Mathijs

@juliank @tuxwise @keepassxc I don't run debian testing, so I hadn't run into this yet, but I would certainly have gone to upstream when I saw this breaking change. I would argue that at least doing them the courtesy of a heads up would be the decent human interaction thing. It may have allowed them to join the discussion, and possibly made my life easier as a user, but certainly their life easier. Adversarial packaging is allowed by GPL, but wouldn't that be a last resort?

Mathijs

@juliank @tuxwise @keepassxc on a related note: this whole thing must not be fun, I do appreciate that this gives you a lot of work that you didn't really ask for. Thank you for packaging keepassxc and spending the time, and I'm sorry you have to deal with loads of people having opinions on your choices, that's never fun...

Euph0r14

@mvgorcum @juliank @tuxwise @keepassxc also im unsure how this improves security. Any user who finds out about this will just immediately move to the full release.

Adding a โ€œliteโ€ package would have been better.

Team KeePassXC

@juliank @mvgorcum @tuxwise we have multiple, MULTIPLE, means to get in touch with us. We moved to matrix years ago, but still bridge to IRC. Easily found through our Readme. Sorry this went down this way but it does end up having a huge negative impact on us when downstream shit breaks unexpectedly.

gudinoff

@juliank @tuxwise @keepassxc
This was my first thought when reading the headline.
I get that some people would prefer to have all the features by default, but given the nature of the package, I totally understand and agree that we should lean on the safe side by default.

tuxwise

@juliank

I will not repeat your extremely rude vocabulary here, but leave that for interested parties to look up, since it is documented at github.

@keepassxc

Lyude๐ŸŒน#BLM

@juliank @tuxwise @keepassxc it is condescending because just because users "should" and because the thing is there does not mean that they will or that it's even reasonable to expect.
but none of that is relevant because if this many people have pointed out to you the statement is rude that should be enough of an indicator that people aren't reading the NEWS - and that you're clearly fighting a battle that can't be won at the expense of your users.
You can't control how people use their computers, you can only entice them to use it in certain ways. That's the end of your influence. If you've failed to do that, you need to accept it might not be possible rather than blaming every individual user

@juliank @tuxwise @keepassxc it is condescending because just because users "should" and because the thing is there does not mean that they will or that it's even reasonable to expect.
but none of that is relevant because if this many people have pointed out to you the statement is rude that should be enough of an indicator that people aren't reading the NEWS - and that you're clearly fighting a battle that can't be won at the expense of your users.
You can't control how people use their computers,...

Lyude๐ŸŒน#BLM

Also, real question - outside of commandline apt how often is NEWS even shown to a user at all? I know numerous people with debian machines who do not install stuff through the command line. Also, what about all of the other ways of installing a package? If I'm setting up a ton of systems through ansible playbooks I can pretty much promise you I don't even know what a NEWS is nor is it likely I would care.
At some point it's a lot more useful to accept it's the fault of the medium, NEWS, rather than the fault of users not modifying their workflows to work around NEWS.

Also, real question - outside of commandline apt how often is NEWS even shown to a user at all? I know numerous people with debian machines who do not install stuff through the command line. Also, what about all of the other ways of installing a package? If I'm setting up a ton of systems through ansible playbooks I can pretty much promise you I don't even know what a NEWS is nor is it likely I would care.
At some point it's a lot more useful to accept it's the fault of the medium, NEWS, rather than...

Angelino Desmet.

โ€œStable release users should read the release notes.โ€

No they shouldn't. That's exactly why they use stable: so things don't break unexpectedly and they can work on problems that they want/need to work on.

--
@juliank @tuxwise @keepassxc

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@stardust @tuxwise @keepassxc That's a misunderstanding, they should read the release notes when upgrading to the next release

Team KeePassXC

@juliank @stardust @tuxwise@tchncs.de I disagree with this statement on a fundamental level. If you see Debian as an expert tool for a very specific expert target group, then fine, whatever. But Debian is the base for a general-purpose operating system for millions of users with no technical background or simply no nerve and time to deal with things like this. You cannot and should not expect these users to know about any obscure text files, let alone read and understand the tech babble that's in them.

Team KeePassXC

@juliank @stardust @tuxwise@tchncs.de I certainly don't fire up a text editor and check the NOTES files first before I run apt upgrade or click the "Install now" button on the update reminder popup and I am probably much more of an expert user. We can only implore you to revert your decision. Your concerns about supply chain attacks in particular are certainly not unfounded, but you cannot export the complexity of this decision to your users in a way they will not and cannot understand.

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@keepassxc I think renaming the package to keepassxc-minimal will make it much clearer, and I'll try to do that and I hope it gets accepted.

I'm very torn on the upgrade path with a transitional keepassxc package, we can depend on keepassxc-minimal|keepassxc-full or the other way around.

Once we drop the transitional package is when things become nice: apt install keepassxc will tell you that there's a minimal and a full, and you can select it.

@stardust @tuxwise

Orca๐ŸŒป | ๐Ÿด๐Ÿณ๏ธโ€โšง๏ธ

@juliank@mastodon.social
Sorry for the sudden request:
I hope that users that already have KeepassXC installed be transitioned to the full version. I don't want someone to woke up one day and found that their KeepassXC was upgraded to a minimin version (by themselves or automatically) without the feature they need. Newly installed users on the other hand can take some time to tinkering with their installation and figure it out.
Debian has been the OS that has least nasty suprise for decades, I hope it keeps this way.
โค๏ธ
@keepassxc@fosstodon.org @stardust@fosstodon.org @tuxwise@social.tchncs.de

@juliank@mastodon.social
Sorry for the sudden request:
I hope that users that already have KeepassXC installed be transitioned to the full version. I don't want someone to woke up one day and found that their KeepassXC was upgraded to a minimin version (by themselves or automatically) without the feature they need. Newly installed users on the other hand can take some time to tinkering with their installation and figure it out.
Debian has been the OS that has least nasty suprise for decades, I hope...

Team KeePassXC

@juliank @stardust @tuxwise That would certainly be much appreciated. Keep in mind that "keepassxc" refers to the full package in all other Linux distros and it's how we ship it ourselves for all platforms (including the PPA).

James Bennett

@juliank @tuxwise @keepassxc

You went into their GitHub issue tracker to call their software "crapโ€. Just by itself, that is so incredibly over the line of what is acceptable from a distro package maintainer that your maintainer privileges should have been revoked instantly.

The changes you made were also a massive breach of the trust reposed in you by your employer, by multiple distros, and by users of those distros. Trust that was built up over years, which you threw away in an instant and now cannot recover.

And this is before we even get to evaluating your technical judgment, which goes directly against best practices of the security community. For example: checking passwords against a database of known-compromised values is such a good practice that even government standards for password handling have been recommending it for years. But you decided on your own that this was bad and and that users must be "protected" from it. That you preferred your ignorance over others' expertise is extremely bad. That you doubled down on it when others pushed back is an unforgivable and irreparable breach of your responsibilities.

Since you say you "barely have energy" for this package, the only correct action for you to take now is to revert the changes to the package and step down immediately afterward so as to cease causing further harm.

@juliank @tuxwise @keepassxc

You went into their GitHub issue tracker to call their software "crapโ€. Just by itself, that is so incredibly over the line of what is acceptable from a distro package maintainer that your maintainer privileges should have been revoked instantly.

The changes you made were also a massive breach of the trust reposed in you by your employer, by multiple distros, and by users of those distros. Trust that was built up over years, which you threw away in an instant and now cannot recover.

Screenshot of Julianโ€™s comment in the GitHub thread:

&quot;I&#39;m afraid that&#39;s not going to happen. It was a mistake to ship with all plugins built by default. This will be painful for a year as users annoyingly do not read the NEWS files they should be reading but there&#39;s little that can be done about that.

It is our responsibility to our users to provide them the most secure option possible as the default. All of these features are superfluous and do not really belong in a local password database manager, these developments are all utterly misguided.

Users who need this crap can install the crappy version but obviously this increases the risk of drive-by contributor attacksโ€
Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@ubernostrum

1. Please leave my employer out of it. That's crossing a line.
2. It's entirely normal to refer to stuff considered superfluous as crap, at least in German, that's quite a normal expression.
3. I wrote this quickly after waking up before hopping on a train and a plane to be nice and let them know that there's no going back. That doesn't mean there's no way forward.

1/2

@tuxwise @keepassxc

@ubernostrum

1. Please leave my employer out of it. That's crossing a line.
2. It's entirely normal to refer to stuff considered superfluous as crap, at least in German, that's quite a normal expression.
3. I wrote this quickly after waking up before hopping on a train and a plane to be nice and let them know that there's no going back. That doesn't mean there's no way forward.

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@ubernostrum

4. If I could step down from maintaining it I would. My KeePass database stores a handful of high value passwords and the password to my Bitwarden where the majority of day to day password lives so I can use it on all devices.

People just are acting very suspicious, trying to push new features or new upstream releases in without giving it any review or thought.

*This* would be breaking the trust implied in my relationship with my users.

2/3

@tuxwise @keepassxc

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@ubernostrum

5. Checking against online password databases can be nice to have but sadly we can't have everything and it's misaligned with being a local database password manager.

We are talking about a tool where you have to manually synchronise your password databases over your myriad of devices. Only die hard security fanatics would use such a contraption in the first place.

3/4

@tuxwise @keepassxc

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@ubernostrum

6. This did not happen in an instant but you can clearly see it took over a year to reach this point where the plan could be finalised and executed.

The upstream developments have been very concerning, I can't be the only one feeling that way.

In fact I know I'm not the only one feeling that way because I've had users tell me. Actually security engineers too.

@tuxwise @keepassxc

varjolintu

@juliank
"People just are acting very suspicious, trying to push new features or new upstream releases in without giving it any review or thought."

"The upstream developments have been very concerning, I can't be the only one feeling that way."

Could you elaborate these a bit?

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@varjolintu What happens with keepassxc packaging is exactly the same thing what happened with xz-utils.

People demand new upstream releases getting merged quickly, some with upload rights threaten to upload them themselves, people "helpfully" package new upstream versions for you. I employ a 0 trust model, so I need to redo it all anyway to make sure it was not tampered with.

Now they may be honest, but after being burned out by time_t and then xz-utils you can understand I'm very cautious

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@varjolintu On the upstream side, I think there's some misalignment between various fractions.

I need my password manager to manage my passwords. In fact I use keepaasxc only for high value targets, like my backup encryption keys, or the key to my day-to-day bitwarden account (as I need the sync to Chromebooks, family account sharing, etc, I do self host a vaultwarden for it).

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@varjolintu There are several people like this, and what they are looking for is not a constant influx of new features or large changes to fix bugs.

And that to me is the most logical choice. You went to all that trouble to pick the hardest to use (across devices) password management solution in the world, you're paranoid and trust nobody, you don't suddenly want to poke holes in it for convenience like browser extensions, just use the clipboard, it's much more secure.

varjolintu

@juliank As far as I know, clipboard can be accessed by any application, especially in Windows. Encouraging to use it instead of more secure alternatives might not be the way to promote any "secure defaults". Speaking of password managers in general, as a Bitwarden user, do you think their browser extension and Vaultwarden is more secure than KeePassXC's browser integration that works only locally? Or are you using only clipboard with Bitwarden too?

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ replied to varjolintu

@varjolintu No I do not think Bitwarden is more secure. I only trust it with 2nd tier passwords, most web accounts.

It is more secure in the context that I don't need to keep my high security KeePass database open. But then one could have two databases.

But I wouldn't trust my backup encryption keys, to it, or my Google account 2 factor code.

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ replied to Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@varjolintu The clipboard thing is a bit annoying, as far as I understand it's privileged in Wayland to some extent, and the autotype doesn't work there.

But having one password in there for 15s, that a malicious software would need to correlate with what you are doing to find out what it's for is very much a better choice than exposing APIs to query any password IMO.

varjolintu replied to Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@juliank There's an API but it isn't exposed in a way that anyone could query something from it without user knowing about it. Plus it only works locally and is not exposed to outside world. Is these one of the features that are insecure in your opinion?

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ replied to varjolintu

@varjolintu I understand there are some access controls, but they can be buggy. A bug in the browser extension IPC access control could reveal your entire database to your browser.

If you don't have the means to query the database from other processes the entire attack vector goes away.

i.e. keepassxc-light or whatnot could only ever have critical CVEs if it messed up the database encryption.

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ replied to Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@varjolintu Optimally I'd go a step further:

- make keepassxc open files using portals (it might already, I don't know)
- write an AppArmor profile that only allows r/w configuration files, and read access to /usr

Then you can select databases, key files, and work with them and rest assured that even if keepassxc core is compromised (whether that's a new malicious maintainer sneaking in, or a gcc backdoor ๐Ÿ˜„) it can't talk anywhere else.

varjolintu replied to Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@juliank There are already a few PR's waiting for 2.8.0 that will reduce the possibility of such attacks. One is storing access related settings directly to a database instead of a config file. Another one allows restricting processes that can access the database. Revealing the entire database without user knowing it would be very difficult even now.

Are you concerned about the possible attack vectors on Bitwarden? With multiple dependencies, and as an Electron application it has its downsides.

Ian Douglas Scott replied to Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@juliank @varjolintu In theory access to the clipboard on Wayland is limited to the focused window, though in practice this isn't really secure (on most compositors), since compositors tend to give focus to windows when they are created. Something like wl-copy/wl-paste exploits this with a small temporary window.

varjolintu replied to Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@juliank Are there some memory issues with keeping KeePass database open we are not aware of? It should be much more protected than a browser's memory.

James Bennett

@juliank @tuxwise @keepassxc You work for a company that maintains a distro on which you are a core developer. That is relevant, especially because it makes it harder to hold you accountable for your bad actions: people might feel threatened by the power of your employer in the open-source world and let you get away with bad actions that others would not get away with.

And while it may be quite normal for a German to insult other people, it is quite normal for an American to say someone who does a bad job should be fired. Respect for culture must go both ways!

(though all the Germans I am friends with are generally quite nice people who do not go around insulting others, so perhaps it is not something you can blame on culture)

And if you are saying "there's no going backโ€, that means you are not open to discussion or to having arguments presented which would change your mind or change your actions. This should disqualify you from a position where you make decisions that impact other people.

You are a distro maintainer. You can decide to package something or not to package it. You should not decide to package something and also effectively fork it in the distro package because you do not like the choices the developers made. If you disagree with their choices, go to them and present your arguments and try to convince them to change. If you do not convince them, you can always perform a real fork and promote your fork.

Above all, what you should NEVER do is abuse your position as a distro maintainer and employee of a distro company to force your preferences onto someone elseโ€™s project against their will. But that is exactly what you did. If you called your package โ€œJulian's KeePassXC Forkโ€ and lobbied to have Debian include it, that would not be a problem. But you call your package KeePassXC and prevent the real KeePassXC from being allowed into Debian, just because you prefer to make people use Julian's KeePassXC Fork. That is a problem.

And, again, features like checking against databases of compromised passwords are strongly recommended best practices. See, for example, section 5.1.1.2 here:

pages.nist.gov/800-63-3/sp800-

I direct you again to my previous post suggesting what actions you should take.

@juliank @tuxwise @keepassxc You work for a company that maintains a distro on which you are a core developer. That is relevant, especially because it makes it harder to hold you accountable for your bad actions: people might feel threatened by the power of your employer in the open-source world and let you get away with bad actions that others would not get away with.

Screenshot of NIST Special Publication 800-63B, โ€œDigital Identity Guidelinesโ€, section 5.1.1.2, highlighting this text:

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

* Passwords obtained from previous breach corpuses.

* Dictionary words.

* Repetitive or sequential characters (e.g. โ€˜aaaaaaโ€™, โ€˜1234abcdโ€™).

* Context-specific words, such as the name of the service, the username, and derivatives thereof.

If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.
Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@ubernostrum you seem to mistake there's no going back for something it isn't but it means the situation was untenable.

I do not have a problem offering an explicit choice between a keepassxc-minimal and a keepassxc-full package.

Anyway, right now, keepassxc packages the default build flags, and keepassxc-full passes the option to turn additional features on. We're not at the outrageous territory where we need to take defensive measures by patching code, yet anyway.

@tuxwise @keepassxc

James Bennett

@juliank @tuxwise @keepassxc The situation is untenable because you made it that way. You have decided that you know better than upstream.

This is sadly something that Debian maintainers have a history of doing with many projects, not just this one, and has caused many headaches for upstream maintainers who only find out from the deluge of bug reports that Debian broke their software.

Debian should not in general do that and you personally should not do that. You should package something that would cause the least surprise to someone migrating onto your package from an installation performed some other way. Or, if you are not willing to do that, you should step down and make room for someone who will do a better job.

@juliank @tuxwise @keepassxc The situation is untenable because you made it that way. You have decided that you know better than upstream.

This is sadly something that Debian maintainers have a history of doing with many projects, not just this one, and has caused many headaches for upstream maintainers who only find out from the deluge of bug reports that Debian broke their software.

yoshir

@juliank
You CAN solve that by not making stupid changes

Rรฉmi Letot

@tuxwise @juliank @keepassxc I don't think so, and many users in the discussion agree. If most users use only a small subset of the functionnality, then the smart secure move is to provide it and make it the default. Now it would be better if Keepassxc showed a message saying that that version is the minimal one, and that a full one is available, but that's not in the hands of the debian maintainer.

tuxwise

@RLetot

I was not referring to providing a minimal and a full version, to which the original developer agreed to as well.

As you can easily see from actually reading what I wrote, I criticized the rude tone, and the wrecking of the implied contract with those who have installed the existing package. And I stand by that.

@juliank @keepassxc

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@tuxwise @RLetot @keepassxc I was just being courteous, signing in on my phone and giving a short reply while travelling.

The concern is that somebody leaves or somebody new comes and picks up a subsystem and eventually maintains it on their own because the others don't actually use it and then believe the subsystem expert. That's somewhat normal.

This opens the doors for malicious actors to appear and compromise less popular subsystems.

1/2

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@tuxwise @RLetot @keepassxc Hence I did not want to expose new users to optional subsystem code by default. This seems a reasonable stance. It is what Debian users generally expect.

Sadly I could not do that without breaking some users existing functionality. I can add a debconf dialog on upgrades to tell you more explicitly.

I will have to think about how we can solve this better in the future for similar situations (upgraded get X, new gets Y), but this requires new apt features.

Julian Andres Klode ๐Ÿณ๏ธโ€๐ŸŒˆ

@tuxwise @RLetot @keepassxc We can also rename the existing package to KeePassXC-minimal and then remove the keepassxc package.

Then users will get a message from apt when doing install keepassxc that tells them it's provided by either.

But anyway I hope this longer explanation seems less rude to you, I had to sit down in the middle of a city trying to get it out on my phone.

Topher ๐ŸŒฑ๐Ÿง๐Ÿ’š

@juliank @keepassxc

I personally wouldn't mind and would in fact choose to use the minimised version with all those things removed, aside from the YubiKey support. That's the only part that seems a bit odd...

All the other features, though? I would happily use the "feature-less" version.

(would *strongly* opt for it, in fact, if it did still have YubiKey support)

tuxwise

@juliank

There is no point in continuing to discuss with you if you now call your rude tone "courteous" and think that deflecting from that tone by adding more and more reply text will somehow cover up your foul language.

You are muted now, don't bother to reply.

@RLetot @keepassxc

Rรฉmi Letot

@tuxwise @keepassxc I know that English is not my language, so maybe I missed something, but where is there foul language from @juliank ???

Brian K. White

@tuxwise What in the ever loving F... are you talking about? Please quote @juliank being rude.

Rรฉmi Letot

@tuxwise sorry, but I find your tone a lot more rude and condescending than what I read from @juliank. You want more respect from people ? Maybe start by respecting them yourself. Bye. @keepassxc

Go Up