Email or username:

Password:

Forgot your password?
Team KeePassXC

Debian Users - Be aware the maintainer of the KeePassXC package for Debian has unilaterally decided to remove ALL features from it. You will need to switch to `keepassxc-full` to maintain capabilities once this lands outside of testing/sid.

175 comments
R. L. Dane :debian: :openbsd:

@Ray_Of_Sunlight @keepassxc

Trying to reduce the size of an iso by fifteen kilobytes?? lol no idea.

LievenBlancke

@RL_Dane @Ray_Of_Sunlight @keepassxc looks to be security related when reading packages.debian.org/sid/keepas: This package includes only the bare minimal functionality, and no security complications like networking, SSH agent, browser plugin, fdo secret storage. See keepassxc-full if you absolutely need those.

Team KeePassXC

@j_r @lieven @RL_Dane @Ray_Of_Sunlight that bug report is bunk. He removed ALL features, not just networking. That includes yubikey support, auto-type and browser integration.

Steven Reed

@keepassxc @j_r @lieven @RL_Dane @Ray_Of_Sunlight tbf the changelog does say .. "and IPC" .. but that's certainly an 'interesting' choice. I think you could make a strong argument that the missing features reduce more vulnerabilities than they create, and most users will want them. The other-way-around approach of "keepassxc-minimal" v "keepassxc" would have made a lot more sense!

Ray Of Sunlight

@srtcd424 @keepassxc @j_r @lieven @RL_Dane I mean i'm not an expert, i know nothing about this functions, i just like my Offline Password manager 😄

Ric :linux:

@Ray_Of_Sunlight @srtcd424 @keepassxc @j_r @lieven @RL_Dane because the security argument is valid but not strong enough, and this action create a lot of noise, I'm thinking myself why someone knows whats is better for me ? I always prefer ship packages follow the upstream recommendations, but its just me :)

Ray Of Sunlight

@r1w1s1 @srtcd424 @keepassxc @j_r @lieven @RL_Dane On my case i'm going with flatpak once i become a real Linux user

R. L. Dane :debian: :openbsd: replied to Ray Of Sunlight

@Ray_Of_Sunlight @r1w1s1 @srtcd424 @keepassxc @j_r @lieven

I like flatpak, but prefer to use native packages when I can. Their choice sounds like a dubious one, but as long as there's still a native package with the feature I need, I'll be using that one.

Steven Reed replied to R. L. Dane :debian: :openbsd:

@RL_Dane @Ray_Of_Sunlight @r1w1s1 @keepassxc @j_r @lieven I've settled in on flatpaks for "key" or major apps - keepassxc isn't large, but I do consider it important. Allows to me keep on a stable distro and still track up-to-date versions of things.

I'm not really a huge fan of the "bundle all dependencies" model, but I've grudgingly accepted that's the world we're in now, and disk is still cheap relative to app sizes even given modern toolkit bloat!

Ray Of Sunlight replied to Steven

@srtcd424 I do like the "bundle with all dependencies", although it makes the package a lil' heavier, it helos not having to download the dependencies on separated servers and who knows when one of them will shut down.

Plus, it's cross-distro and it's not like Snaps.

Ray Of Sunlight

@j_r @lieven @RL_Dane @keepassxc That explains everything, Thanks funny-looking puppet guy(No offense intended) 😁

Marc Haber

@keepassxc I dont find it so problematic to offer two versions of your program: One minimal one that does the basic job (which is enough for me) and has less attack vectors, and the fully-blown "monster" with all those nifty features.

Nerdeiro :debian: :steamdeck:

@Zugschlus @keepassxc Keepassxc is not the only package that is split this way. Vim and Nginx are packaged like that too.

Joseph Nuthalapati :fbx:

@keepassxc Though I appreciate having a minimal package, I think naming the packages the other way round would be less confusing to existing users - keepassxc-minimal and keepassxc.

Jason Lefkowitz

@joel @njoseph @keepassxc Especially since there are now many years of online how-tos, blog posts, Stack Overflow answers, etc. telling Debian users "you can install the complete KeePassXC via the keepassxc package," and none of that material is ever going to be updated to reflect the change. So a lot of people are going to be unwittingly steered into downloading a package that isn't what they think it is.

Jason Lefkowitz

@steko @joel @njoseph @keepassxc You can't imagine someone writing an article along the lines of "How to get started using a password manager" that tells people to install a particular package?

STOP WAR (Stefano Costa)

@jalefkowit @joel @njoseph @keepassxc there seem to be hundreds of such articles, half of which are AI generated, and none includes the installation instructions for a specific operating system, let alone a Linux distribution. But I have already done too much reply-guying here, apologies.

Brian K. White

@njoseph @keepassxc I think the safest-possible version should be the default version for a password manager. Maybe an mp3 player or picture editor has other priorities, but a password manager's central purpos of exiting is security, so it should be as safe as possible *by default*, and you have to go out of your way to add convenience and reduce security.

The problem of changing an existing default is a thing, but it's not a big enough problem to justify not doing it.

AlisonW ♿🏳️‍🌈

@keepassxc
Can you link to a clarification of what 'all' means please?

Team KeePassXC

@AlisonW All means no yubikey, auto-type, browser integration, ssh agent, fdo secrets, and networking (favicon download, HIBP).

pootriarch ⏚

@keepassxc is this specific to the debian distro or does it affect other distros that use apt?

Team KeePassXC

@pootriarch this might end up flowing down to ubuntu at some point.

lp0 on fire :unverified:

@pootriarch, it affects Devuan because the package is pulled in directly from Debian without change.

tuxwise

@keepassxc An exceptionally bad decision to wreck a huge existing installation base, "because I can".

The rude reply by @juliank is condescending, and far from what I am used to read.

github.com/keepassxreboot/keep

Julian Andres Klode 🏳️‍🌈

@tuxwise @keepassxc why do you think it's rude and condescending?

The first thing Debian users should be looking at when something changes unexpectedly is the /usr/share/doc/<package>/NEWS.Debian.gz

That is the way breaking changes are communicated. Users of testing/unstable are expected to have apt-listchanges installed to see them automatically.

Stable release users should read the release notes.

People annoying upstream isn't something I can solve.

Julian Andres Klode 🏳️‍🌈

@tuxwise I took my time to reach the decision it went back and forth for a year, and the xz-utils thing eventually tilted things in favour of shipping as little code builtin as possible by default.

I do not believe however that there is a significant overlap between people who use Debian, keepaasxc, and people looking for a featureful password manager.

It just makes no sense to go with a local only password manager and then put gaping holes in it.
@keepassxc

@tuxwise I took my time to reach the decision it went back and forth for a year, and the xz-utils thing eventually tilted things in favour of shipping as little code builtin as possible by default.

I do not believe however that there is a significant overlap between people who use Debian, keepaasxc, and people looking for a featureful password manager.

tuxwise

@juliank

I will not repeat your extremely rude vocabulary here, but leave that for interested parties to look up, since it is documented at github.

@keepassxc

Lyude🌹#BLM

@juliank @tuxwise @keepassxc it is condescending because just because users "should" and because the thing is there does not mean that they will or that it's even reasonable to expect.
but none of that is relevant because if this many people have pointed out to you the statement is rude that should be enough of an indicator that people aren't reading the NEWS - and that you're clearly fighting a battle that can't be won at the expense of your users.
You can't control how people use their computers, you can only entice them to use it in certain ways. That's the end of your influence. If you've failed to do that, you need to accept it might not be possible rather than blaming every individual user

@juliank @tuxwise @keepassxc it is condescending because just because users "should" and because the thing is there does not mean that they will or that it's even reasonable to expect.
but none of that is relevant because if this many people have pointed out to you the statement is rude that should be enough of an indicator that people aren't reading the NEWS - and that you're clearly fighting a battle that can't be won at the expense of your users.
You can't control how people use their computers,...

Lyude🌹#BLM

Also, real question - outside of commandline apt how often is NEWS even shown to a user at all? I know numerous people with debian machines who do not install stuff through the command line. Also, what about all of the other ways of installing a package? If I'm setting up a ton of systems through ansible playbooks I can pretty much promise you I don't even know what a NEWS is nor is it likely I would care.
At some point it's a lot more useful to accept it's the fault of the medium, NEWS, rather than the fault of users not modifying their workflows to work around NEWS.

Also, real question - outside of commandline apt how often is NEWS even shown to a user at all? I know numerous people with debian machines who do not install stuff through the command line. Also, what about all of the other ways of installing a package? If I'm setting up a ton of systems through ansible playbooks I can pretty much promise you I don't even know what a NEWS is nor is it likely I would care.
At some point it's a lot more useful to accept it's the fault of the medium, NEWS, rather than...

Rémi Letot

@tuxwise @juliank @keepassxc I don't think so, and many users in the discussion agree. If most users use only a small subset of the functionnality, then the smart secure move is to provide it and make it the default. Now it would be better if Keepassxc showed a message saying that that version is the minimal one, and that a full one is available, but that's not in the hands of the debian maintainer.

tuxwise

@RLetot

I was not referring to providing a minimal and a full version, to which the original developer agreed to as well.

As you can easily see from actually reading what I wrote, I criticized the rude tone, and the wrecking of the implied contract with those who have installed the existing package. And I stand by that.

@juliank @keepassxc

Julian Andres Klode 🏳️‍🌈

@tuxwise @RLetot @keepassxc I was just being courteous, signing in on my phone and giving a short reply while travelling.

The concern is that somebody leaves or somebody new comes and picks up a subsystem and eventually maintains it on their own because the others don't actually use it and then believe the subsystem expert. That's somewhat normal.

This opens the doors for malicious actors to appear and compromise less popular subsystems.

1/2

Julian Andres Klode 🏳️‍🌈

@tuxwise @RLetot @keepassxc Hence I did not want to expose new users to optional subsystem code by default. This seems a reasonable stance. It is what Debian users generally expect.

Sadly I could not do that without breaking some users existing functionality. I can add a debconf dialog on upgrades to tell you more explicitly.

I will have to think about how we can solve this better in the future for similar situations (upgraded get X, new gets Y), but this requires new apt features.

Julian Andres Klode 🏳️‍🌈

@tuxwise @RLetot @keepassxc We can also rename the existing package to KeePassXC-minimal and then remove the keepassxc package.

Then users will get a message from apt when doing install keepassxc that tells them it's provided by either.

But anyway I hope this longer explanation seems less rude to you, I had to sit down in the middle of a city trying to get it out on my phone.

tuxwise

@juliank

There is no point in continuing to discuss with you if you now call your rude tone "courteous" and think that deflecting from that tone by adding more and more reply text will somehow cover up your foul language.

You are muted now, don't bother to reply.

@RLetot @keepassxc

Rémi Letot

@tuxwise @keepassxc I know that English is not my language, so maybe I missed something, but where is there foul language from @juliank ???

Brian K. White

@tuxwise What in the ever loving F... are you talking about? Please quote @juliank being rude.

Rémi Letot

@tuxwise sorry, but I find your tone a lot more rude and condescending than what I read from @juliank. You want more respect from people ? Maybe start by respecting them yourself. Bye. @keepassxc

dwm

@keepassxc Breaking change documented in the NEWS file:

"Networking and all plugins have been moved into the keepassxc-full package. Feature creep like SSH agent support, browser integration, Freedesktop.org secret storage, KeeShare pose undue risks for most users."

salsa.debian.org/debian/keepas

Brian K. White

@keepassxc

Does the package create, store, encrypt, and retrieve passwords? Then it still has all the "features" I ever wanted anyway.

The removed features should all be plugins anyway, for exactly the reasons implied in the updated package description.

All of those extra "features" are also bug surface and attack surface, both of which you want as little as physically possible in a password manager.

And that safest-possible version should be the default version.

joui

@keepassxc Oh wow! How about: "Debian will ship keepassxc differently starting ...". Your version sounds like you have some beef with that specific debian maintainer and deliberately dog whistling to generate external motivational pressure to reverse that decision. That was not your intention, wasn't it?

Richard Johnson

@keepassxc @paul_ipv6

Unilaterally here appears to actually mean: After notice and discussion, the core app requires attack surface reduction spurred by threat model change. Feature add version available for those with needs/tolerances for riskier surfaces.

Brian K. White

@tab2space @keepassxc @paul_ipv6

That keepassxc devs themselves don't agree, and think conveniences are more important than security *in a password manager* makes me question the wisdom of using keepassxc as ones keepass client.

All the users I can forgive (well, not them either but it's at least expected if still not excusable) but the actual devs of a password manager?

Team KeePassXC

@bkw777 @tab2space @paul_ipv6 why would we develop and maintain and personally use a feature we don't trust. Use your noggin, we eat our own dogfood.

Brian K. White

@keepassxc @tab2space @paul_ipv6
Your trust of a feature is entirely irrelevant to my point and does not invalidate it.

Presenting a non-sequiter like that as an argument places you in a not-great position from which to try to talk about anyone else's failure to use any noggins.

USB Type-Steve :verified:

@keepassxc Uhhh wait what? Explain? What is a "feature" in this case?

djinnsour

@keepassxc
This is exactly why I stopped using KeePass. How many forks have we had now? A password repository needs to be secure and reliable. If you can’t trust the developers it isn’t reliable.

Team KeePassXC

@djinnsour uh ok. Do you not trust us or debian. It is unclear from your post.

Brian K. White

@keepassxc KeePass Users - Be aware the maintainers of KeePassXC have confused KeePass users with LastPass users, and actually object to Debian shipping their PASSWORD MANAGER in safe-mode by default.

Queen

@keepassxc@fosstodon.org This maintainer sounds like they have the same brain rot that the Suckless devs have. I wouldn't be surprised if they see Suckless software as the "gold standard" for software development.

Seriously, a 3rd party package maintainer should not force their preferences on to common users. Common users are going to end up installing the full package anyway for certain features. This is just pointless security theater from the maintainer.

IzzyOnDroid ✅

@keepassxc Are the DEBs distributed via Launchpad PPA (phoerious) also affected by this?

↫❦ Noptisun ❦↬

@keepassxc this is the funniest thing I saw today, lmao. How is that supposed to even look like??

jrave

@keepassxc
I'm on Ubuntu now, my first Linux, for about half a year and use keepassxc with some of the default features, such as browser integration and the ssh store, accross various OSs, and I'd like to keep it just like it is. I know Ubuntu somehow is based on Debian or something, but I'm unsure whether I am affected yet and how to switch packages without losing my config when and if that is possible.
Can anyone in this thread clear this up for me?

Thomas

@keepassxc Am I right that this won't affect the Ubuntu PPA?

🇨🇦🇩🇪🇨🇳张殿李🇨🇳🇩🇪🇨🇦

@keepassxc Threads lke this are a great resource for identifying people to mute or block.

fa11_1eaf

@keepassxc does that also include totp features?

Space Queen Enthusiast

@keepassxc This maintainer is forcing his preferences onto common users. That's something you should never do as a 3rd party package maintainer. Most common users will end up installing the full package anyway, so this is all just a pointless security theater on his part. Based on his responses to this post/other commenters, he handles criticism quite poorly.

P.S. Since he meddled with the software, he should be responsible for fixing any issues that arise with his minimal version.

Claudius

@keepassxc
So sorry this is done to your excellent program.

IMO that packager is clearly in the wrong on all accounts. And even if their argument was technically sound, they'd *still* handle this in the poorest way possible that breaks the most people's expectations. And even if that wasn't the case there would still be them talking shit about you and your users.

In short: they are (IMO) not fit to package a piece of software.

Efi (nap pet) 🦊💤

@keepassxc ok, but their points are kinda reasonable except for how they are doing it

T_X

@keepassxc I think I don't/won't use features from the full variant. Will the smaller variant complain and abort gracefully if I were using now removed features? Or would it bust my KeePassXC database?

Rhababerbarbar

@keepassxc

Thats the pros and cons of Distributions

Removing potential attack surface, and features

𝘋𝘪𝘳𝘬

@keepassxc Who in the right mind does something that incredibly stupid without the malicious intention of harming the project?

DDR

@keepassxc Huh. Well, thank you for the heads-up.

txt.file

@keepassxc I dislike the wording of your post. You provide a software with option toggles for some functionality and complain that a person decides to use these toggles?

Mathias Hasselmann

@keepassxc Debian is rightfully very proud about its democratic procedures. It should be possible to challenge this very subjective and highly exaggerated decision of a single person.

Big question: Where to start the appealing? Maybe some other Maintainers? Maybe debian-policy@debian dot.org?

Åke Nordin

@keepassxc Isn't the "tell if a new version has arrived" feature dependent on this compile flag being "ON" ?

-DWITH_XC_NETWORKING=[ON|OFF] Enable/Disable Networking support (e.g., favicon downloading) (default: OFF)

If so, wouldn't that be the worst security liability one can think of?

Great e.g. by the way. Favicons would be the least interesting feature to lose at least in my book...

climbertobby

@keepassxc will keepassxc-full be necessary to use the Firefox addon?

Fairy Boy "Ean (Ian) Sea"

@keepassxc Thanks for the heads-up. Telling everyone else.

Go Up