
Team KeePassXC

Debian Users - Be aware the maintainer of the KeePassXC package for Debian has unilaterally decided to remove ALL features from it. You will need to switch to `keepassxc-full` to maintain capabilities once this lands outside of testing/sid.

@Ray_Of_Sunlight @keepassxc

Trying to reduce the size of an iso by fifteen kilobytes?? lol no idea.

@RL_Dane @Ray_Of_Sunlight @keepassxc looks to be security related when reading packages.debian.org/sid/keepas: This package includes only the bare minimal functionality, and no security complications like networking, SSH agent, browser plugin, fdo secret storage. See keepassxc-full if you absolutely need those.


@RL_Dane Not reasonable at all: "I believe most of the people don't want their password manager to connect somewhere they don't know and it will improve user privacy."

That's plain badmouthing, nothing else.

@j_r @lieven @Ray_Of_Sunlight @keepassxc

@j_r @lieven @RL_Dane @Ray_Of_Sunlight that bug report is bunk. He removed ALL features, not just networking. That includes yubikey support, auto-type and browser integration.

@keepassxc @j_r @lieven @RL_Dane @Ray_Of_Sunlight tbf the changelog does say .. "and IPC" .. but that's certainly an 'interesting' choice. I think you could make a strong argument that the missing features reduce more vulnerabilities than they create, and most users will want them. The other-way-around approach of "keepassxc-minimal" v "keepassxc" would have made a lot more sense!

@srtcd424 @keepassxc @j_r @lieven @RL_Dane I mean I'm not an expert, I know nothing about these functions, I just like my offline password manager 😄

@Ray_Of_Sunlight @srtcd424 @keepassxc @j_r @lieven @RL_Dane because the security argument is valid but not strong enough, and this action creates a lot of noise. I'm thinking to myself: why does someone know what is better for me? I always prefer to ship packages following the upstream recommendations, but that's just me :)

@Ray_Of_Sunlight @r1w1s1 @srtcd424 @keepassxc @j_r @lieven

I like flatpak, but prefer to use native packages when I can. Their choice sounds like a dubious one, but as long as there's still a native package with the feature I need, I'll be using that one.

@RL_Dane @Ray_Of_Sunlight @r1w1s1 @keepassxc @j_r @lieven I've settled in on flatpaks for "key" or major apps - keepassxc isn't large, but I do consider it important. Allows me to keep on a stable distro and still track up-to-date versions of things.

I'm not really a huge fan of the "bundle all dependencies" model, but I've grudgingly accepted that's the world we're in now, and disk is still cheap relative to app sizes even given modern toolkit bloat!

@srtcd424 I do like the "bundle with all dependencies"; although it makes the package a lil' heavier, it helps not having to download the dependencies from separate servers, and who knows when one of them will shut down.

Plus, it's cross-distro and it's not like Snaps.

@srtcd424 @Ray_Of_Sunlight @r1w1s1 @keepassxc @j_r @lieven

Personal choice, of course. I generally don't see the need to have the absolutely latest version of everything. I don't mind being a couple versions behind in Audacity, or using Firefox & Thunderbird ESR.

There *are* times where having the latest is more important, where the older versions lack some critical functionality, and for that, I use flatpak.

It's all good. ;)

@keepassxc

@amin and other peeps, just FYI

@joel @keepassxc @amin

I'm sleepwalking today, aren't I? 😅

@amin @RL_Dane @keepassxc yes but he @ you without actually @'ing u

@joel @amin @keepassxc

lol yeah... severe ADHD brain this week.

@RL_Dane @keepassxc

Oh, dang. Not on KeePassXC anymore but this is good to be aware of, thanks.

@keepassxc I don't find it so problematic to offer two versions of your program: one minimal one that does the basic job (which is enough for me) and has fewer attack vectors, and the fully-blown "monster" with all those nifty features.

@Zugschlus @keepassxc Keepassxc is not the only package that is split this way. Vim and Nginx are packaged like that too.

@Zugschlus Sure, but the problem comes from the fact that users have had the full version installed as one package for X amount of time and now that package is suddenly the minimal version.

Most users will blame the change on @keepassxc rather than realizing that their distro made a change. Both the maintainer and KeePassXC agree on this pain point and the maintainer even said he anticipates it will last a year.

Crippling a user's installed software feels more like M$ than FOSS.

@healsdata @keepassxc There is a message displayed on package installation. Julian's actions are just fine and well within the responsibilities of a package maintainer.

@Zugschlus @healsdata @keepassxc are you sure about that? I was affected (running testing) and didn't remember seeing a notice on update

@lbehm The current version has a NEWS.Debian, which is automatically displayed if apt-listchanges is installed and active (which is the default).

Maybe there was a version without that entry, but that's the price you pay for using an unreleased development version.

@healsdata @Zugschlus @keepassxc Has anyone proposed the obvious solution?

* make two packages, keepassxc-light and keepassxc-full
* make keepassxc a transitional package with keepassxc-full as a dependency and a NEWS.Debian explaining the change
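The split-plus-transitional-package layout proposed in the post above, written out as an illustrative debian/control excerpt. This is an added example and not the Debian maintainer's actual packaging: the package names follow the proposal (keepassxc-light is hypothetical), and the Maintainer line and feature lists are placeholders/assumptions drawn from the thread, not from the real source package.

```debcontrol
# debian/control (excerpt) -- illustrative layout, not the real Debian packaging.
# Assumes the names from the proposal above: keepassxc-full, keepassxc-light
# (hypothetical), with "keepassxc" kept only as a transitional package so that
# users who already have it installed do not silently lose features on upgrade.

Source: keepassxc
Section: utils
Priority: optional
Maintainer: PLACEHOLDER <placeholder@example.org>
Build-Depends: debhelper-compat (= 13)

Package: keepassxc-full
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Conflicts: keepassxc-light
Replaces: keepassxc-light
Description: password manager (all upstream features)
 Built with browser integration, SSH agent, hardware key (YubiKey) support,
 auto-type and the freedesktop.org Secret Service, as recommended upstream.

Package: keepassxc-light
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Conflicts: keepassxc-full
Replaces: keepassxc-full
Description: password manager (minimal build, no networking or IPC)
 Built without browser integration, SSH agent, hardware key support,
 auto-type or Secret Service. Fewer features, smaller exposure surface,
 but some databases (hardware-key second factor) cannot be opened.

# Transitional package: an existing "keepassxc" install upgrades to this
# empty package, which pulls in keepassxc-full, so nothing is removed behind
# the user's back. Policy puts such packages in oldlibs; drop it one release later.
Package: keepassxc
Architecture: all
Section: oldlibs
Depends: keepassxc-full, ${misc:Depends}
Description: transitional package for keepassxc-full
 This is a transitional package. It can safely be removed.
```

The Conflicts/Replaces pair between the two real packages is there because both ship the same binaries, so only one can be installed at a time; users pick by name. The NEWS.Debian entry the proposal mentions would go in debian/keepassxc-full.NEWS (changelog format, installed as NEWS.Debian by dh_installchangelogs), and apt-listchanges shows it at upgrade time, which is the notification mechanism described earlier in this thread.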

@juliank

@nik @healsdata @Zugschlus @keepassxc The rename will happen, ftpteam willing.

As for the direction of the trixie transitional package, maybe that is the best. We'll certainly kill it after Trixie, then apt install keepassxc tells you the two choices and you can decide for yourself.

@juliank @healsdata @Zugschlus @keepassxc

I don't see any problem, then. Clean transition to a reasonable choice.

@juliank

You say it took a year to make this decision, admitted to not talking to upstream about it, and recognized it would cause confusion for users for at least a year.

And then suddenly, in one day, you have plans to make a better UX, some other team willing.

All because you decided what features this software should & shouldn't have and are bending things to your preferences.

Man, it must be nice to be in a role where you can act so transparently antagonistic with no repercussions.

@juliank I appreciate your diligence, and personally I am very happy with the minimized version of keepassxc, but I don't understand why you needed to insult the keepassxc developers for that? (github.com/keepassxreboot/keep)

GitHub: Debian Sid No-Feature KeePassXC Package · Issue #10725 · keepassxreboot/keepassxc (by CedricSchmeits)

@Zugschlus
@keepassxc the basic version does not let you open some databases (specifically ones that use a hardware key as a second factor) and is also more prone to phishing due to lack of autofill

@charlotte @keepassxc People are free to migrate to the full version then without losing their data.

@Zugschlus @keepassxc debian could also have a -minimal package for the ~0 people that would prefer that

@Zugschlus @keepassxc it’s an example of bad defaults and also breaking things for the users on purpose. entirely uncalled for and the no-feature version of keepassxc actively harms user security vs the normal version

@charlotte @keepassxc I disagree with that. As a free software project one has to live with the fact that people are free to do things you don't like. That's life.

Please, don't get keepassxc in the "hostile upstream" range, that would be really sad.

@Zugschlus @keepassxc I don’t think that upstream should have to live with bug reports that stem entirely from intentionally bad decisions downstream

@Zugschlus @keepassxc And debian making a user-hostile change should not be the problem of the software developers who had absolutely zero input in this decision

@Zugschlus @keepassxc a lot of the cases of “hostile upstream” are really just cases where downstream were being assholes and upstream did not want to deal with the fallout again

@charlotte @keepassxc

I'm finished with the discussion and will consider other programs to be my password safe in the future.

@Zugschlus @keepassxc don't let the door hit you on the way out. btw I have nothing to do with the keepassxc project aside from using it

@charlotte @keepassxc @Zugschlus >don’t let the door hit you on the way out

What a shitty thing to say.

@apicultor @keepassxc @Zugschlus idk, I wasn't the one who basically pulled the open source version of "I demand to speak to your manager" on someone who is completely unrelated

@charlotte @keepassxc @Zugschlus I disagree; I took what they said as not wanting to engage further and that they'd be looking into alternatives instead.

Your reply was tantamount to "good riddance".

To each their own.

@Zugschlus @charlotte @keepassxc I heartily recommend @bitwarden, and you can self-host it if you'd like.

@apicultor @Zugschlus @keepassxc @bitwarden bitwarden would probably also not appreciate it if debian broke basic functionality on purpose, especially since it’s a lot more corporate than keepassxc

@charlotte @bitwarden @keepassxc @Zugschlus I agree, but thankfully I don't depend on a distribution to package it for me.

@Zugschlus @keepassxc like yes, with free software anyone can do what they want. but upstream can also just do what they please. Freedom goes both ways.