111
submitted 6 months ago by federalreverse@feddit.de to c/linux@lemmy.ml
you are viewing a single comment's thread
view the rest of the comments
[-] lemmyvore@feddit.nl 145 points 6 months ago

They didn't "strip" anything, they've split it into 2 variants, a package without networking features (-DWITH_XC_NETWORKING=OFF) and a package with them, because it's considered a privacy issue to have your password manager phone home and fetch favicons and so on. The packages will be called keepassxc and keepassxc-full going forward.

[-] tinsuke@lemmy.world 52 points 6 months ago

KeepassXC replied on that thread that it wasn't just the privacy problematic networking that was removed:

that bug report is bunk. He removed ALL features, not just networking. That includes yubikey support, auto-type and browser integration.

https://fosstodon.org/@keepassxc/112417651131348253

[-] lemmyvore@feddit.nl 104 points 6 months ago

I expect the KeepassXC people are mostly bothered by the naming of the package because the version called "keepassxc" is now the basic one. Anyway, the maintainer has offered to call them -minimal and -full and to make "keepassxc" a metapackage that pops up a debconf dialog telling users that install it to choose one. There is precedent with other complex packages that are split into basic and full. This should solve things nicely for everyone.

[-] PlexSheep@infosec.pub 18 points 6 months ago

That sounds reasonable. I use the package on LMDE6, the one currently in stable though. Having a minimal keepassxc and a full one makes sense to me.

[-] federalreverse@feddit.de 35 points 6 months ago* (last edited 6 months ago)

Afaiu it, he added a second package with (quote) "all the crap" later, after the storm.

And no, it wasn't just the favicons feature that was removed (which like ... is that really such a big privacy issue that you need to remove it from the binary?). Support for Yubikey was removed as well — which is not a privacy issue. The reasoning mentioned by the Debian maintainer is that all of these features might turn out to be security issues in the long run. Thus, in his view, a password manager application must do nothing but provide access to the database within the app.

I find it an interesting example of diverging upstream, maintainer, and user interests in any case.

[-] lemmyvore@feddit.nl 42 points 6 months ago* (last edited 6 months ago)

I find it a lot of unnecessary fuss over unstable. Sid is supposed to make breaking changes, you offer feedback and you follow it through politely. The next Debian stable is one year away, this is not an urgent matter

[-] taladar@sh.itjust.works 21 points 6 months ago

There are so many people who think sid is a distro when really, as far as the Debian project is concerned, it is a staging ground.

[-] Bitrot@lemmy.sdf.org 0 points 6 months ago

Its also in testing.

[-] lambalicious@lemmy.sdf.org 19 points 6 months ago

And no, it wasn’t just the favicons feature that was removed (which like … is that really such a big privacy issue that you need to remove it from the binary?)

Fetching a favicon means raising a network connection with a predictable endpoint. That's already three concerns (four on the modern internet) to handle security-wise, and it's absolutely an unneeded feature. Favicons could just be shipped on something like keepassxc-data or keepassxc-contrib to handle locally, no need to raise a network call.

[-] breakingcups@lemmy.world 31 points 6 months ago

I highly recommend reading the Github thread as this is not at all an accurate representation. These features you're talking about are off by default. Removing them from the existing package is just breaking existing users. There's already a report from a user who can't access their passwords because yubikey support was suddenly removed. You don't do that to users just because you suddenly develop an opinion as a package maintainer that you feel is important. There was no dialogue, no consideration and a very rude, dismissive attitude of Julian.

https://github.com/keepassxreboot/keepassxc/issues/10725

[-] lemmyvore@feddit.nl 36 points 6 months ago

There's already a report from a user who can't access their passwords because yubikey support was suddenly removed.

Yeah, well, this is Sid. It's called unstable for a reason. You have to read the changelogs or bad things will happen.

By the time it lands in stable it will most likely have a debconf dialog warning users and letting them transition smoothly to the version they want.

this post was submitted on 10 May 2024
111 points (77.1% liked)

Linux

48210 readers
882 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS