Post Ahpvf4vVtxfljuphaK by BrodieOnLinux@linuxrocks.online
 Post #AhpmyOBfcGUlOEWVKC by BrodieOnLinux@linuxrocks.online
       2024-05-13T02:19:51Z
       
       0 likes, 0 repeats
       
       Who should be doing software packaging is a tough problem. I can see the value in #linux distros pushing for better changes downstream, encouraging upstream to change (double click in #KDE), but then I see cases like KeePassXC where the Debian package is now broken by default, actively damaging the reputation of upstream. But then I remember #XZ, where upstream was left unchecked and hid bad code in plain sight, and I go back around in a circle.
       
 Post #Ahpo0mEXHelQV8ZA1I by BrodieOnLinux@linuxrocks.online
       2024-05-13T02:33:22Z
       
       0 likes, 0 repeats
       
       @melanie Very true
       
 Post #AhpoiP1yuYz9HWUpV2 by felix@misskey.io
       2024-05-13T02:40:20.635Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux@linuxrocks.online Check out Debian's OpenSSL crisis. It's all about Debian, not upstream, nor other distro downstreams.
       
 Post #AhpoiPvdZdVM48XHFY by BrodieOnLinux@linuxrocks.online
       2024-05-13T02:41:05Z
       
       0 likes, 0 repeats
       
       @felix I assume you're referring to this https://16years.secvuln.info/
       
 Post #AhppoJZuCJd63skMs4 by gnomelibre@mamot.fr
       2024-05-13T02:53:42Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux Linux distributions should limit themselves to only offering an operating system and no longer deal with (graphical) user applications, especially now that we have Flatpak. This would give them more resources to increase the support life of their distributions, which would undoubtedly be much more useful.
       
 Post #AhpqeQHsUw0rvcA5qa by narunya@mastodon.social
       2024-05-13T03:03:01Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux Personally, I think a keepassxc-minimal package should be created specifically for this purpose.
       
 Post #AhpqndIfUCvItPvHqy by BrodieOnLinux@linuxrocks.online
       2024-05-13T03:04:27Z
       
       0 likes, 0 repeats
       
       @narunya The devs are in favor of an optional minimal package; the default should be what upstream offers.
       
 Post #Ahprxn5a2upK6QD0bI by BrodieOnLinux@linuxrocks.online
       2024-05-13T03:17:43Z
       
       0 likes, 0 repeats
       
       @dirk @narunya Right now the philosophy is: ship a broken package, and who cares if upstream gets spammed with bug reports about it.
       
 Post #Ahps3eFNphMAPwaSmG by TheStroyer@mastodon.social
       2024-05-13T03:18:57Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux I think Flatpak solves part of this problem. Developers are encouraged to provide Flatpak packages directly to the user, making sure they can provide the best experience. But by sandboxing applications, distros can limit the security risk of this direct exposure. I think in the end, distros will only be a way to provide a minimal, secure sandboxing environment which is heavily audited. As many applications as possible will be sandboxed and need less strict audits.
       
 Post #Ahpv3wDzID322IlR8y by nicemicro@fosstodon.org
       2024-05-13T03:52:32Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux I strongly believe in distro-packaged software. But we have to move the culture so that users report their bugs to the software distributor, and not directly to the upstream GitHub. Upstream "issues" should be reserved for the developers and their inner circle of people who test the latest versions, and maybe the distributors themselves. Distributors (i.e. #Linux distros) should encourage users to report bugs to them, and they report up when needed. #FreeSoftware
       
 Post #AhpvIiDHfWkwvNToDg by matk@mastodon.social
       2024-05-13T03:55:01Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux The Debian maintainer decided to reduce the amount of plugins shipped by default (for which upstream already provides flags, so this is a to-be-expected configuration) to improve the security of this piece of software. After some discussion, a "-full" variant is also provided for users who need all features. So, both the security-pedantic minimalists and the ones who want all features are happy; I don't see the issue here... https://packages.debian.org/sid/keepassxc-full
       
 Post #Ahpvf4vVtxfljuphaK by BrodieOnLinux@linuxrocks.online
       2024-05-13T03:59:16Z
       
       0 likes, 0 repeats
       
       @matk But upstream completely disagrees with this approach and instead suggests the default should be the full package and then minimal should be the additional package. They are dealing with a bunch of bug reports due to this change being made with zero discussion happening with upstream until after it was already shipping in sid. One of the removed features was YubiKey support, leaving those users with an inaccessible database until they reported to upstream about it.
       
 Post #AhpvpjjJ3Ff9BTCmpM by BrodieOnLinux@linuxrocks.online
       2024-05-13T04:01:07Z
       
       0 likes, 0 repeats
       
       @matk I can understand why Debian wants a minimal package, but making that the default is absolutely the wrong move here, at least without discussing the best approach with upstream beforehand.
       
 Post #Ahpw1nVKqKw4MkQBto by BrodieOnLinux@linuxrocks.online
       2024-05-13T04:01:21Z
       
       0 likes, 0 repeats
       
       @matk I can understand why Debian wants a minimal package, but making that the default is absolutely the wrong move here, at least without discussing the best approach with upstream beforehand.
       
 Post #AhpwLe77T00J27YjYm by matk@mastodon.social
       2024-05-13T04:06:56Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux Given that a user reported this first, it apparently wasn't discussed with upstream, so I do agree with that part. Packagers and their upstreams - also in Debian - usually have a fairly tight relationship (of course, including disagreements, but *a lot* of communication generally happens). That said, individualism is high in Debian and every packager can handle things how they see fit, sometimes for better, sometimes for worse, sadly.
       
 Post #AhpwaXZO502v54sqGW by BrodieOnLinux@linuxrocks.online
       2024-05-13T04:09:35Z
       
       0 likes, 0 repeats
       
       @matk That's fair, I think upstream wouldn't have had as much of an issue with this if Julian didn't initially seem so unwilling to have any conversation about it once they brought up the issue.
       
 Post #AhpwrAuzYCvhkdv9Zw by matk@mastodon.social
       2024-05-13T04:10:23Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux This is pretty much one fallout of the XZorcism incident, with security-sensitive distros trying to reduce attack surfaces as much as possible... sometimes going a bit overboard. If these plugins could be compiled as dynamically-loaded libraries, they could be packaged separately and people could pick their minimal set, but KeePassXC doesn't seem to be built that way. In any case, communication for sure was really bad here.
       
 Post #AhpwrBmWLBkQQexu0u by BrodieOnLinux@linuxrocks.online
       2024-05-13T04:12:40Z
       
       0 likes, 0 repeats
       
       @matk One thing that's important to note is that pretty much all the functionality that was dropped is not enabled by default and is instead behind a toggle in the full version of KeePassXC.
       
 Post #Ahpx5GCYhiheBvr0fA by matk@mastodon.social
       2024-05-13T04:14:56Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux Yeah... Knowing Julian, that was an exceptionally harsh reply from him, and could have been way more diplomatic. But he does care a lot about security, and people are a bit on edge right now (understandably...). Sometimes when everyone is overworked, stuff like this happens. I hope it gets resolved amicably, as this is a fairly silly thing to fight over.
       
 Post #AhpxQIq0694CRsKvBI by matk@mastodon.social
       2024-05-13T04:17:59Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux Toggles mean that users may accidentally flip things on that they don't need, or that malware is one config switch away from enabling exploitable code and reading all passwords ;-) Granted though, I assume a tool like KeePassXC is probably audited fairly well and there are likely higher-quality plugins that could always be there.
       
 Post #AhpxdtzNHYSdR4CoKW by BrodieOnLinux@linuxrocks.online
       2024-05-13T04:20:01Z
       
       0 likes, 0 repeats
       
       @matk Regarding the plugin thing, they're not actually plugins; this is just the term Julian used. These are core pieces of functionality in the project which can be disabled through compile options.
       
 Post #Ahpy9OOiH0Zciv4bpY by matk@mastodon.social
       2024-05-13T04:27:03Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux Playing devil's advocate here: If they are core pieces of functionality, why can they be disabled by compile flags at all?
       
 Post #AhpybpYatB1N46FtUu by BrodieOnLinux@linuxrocks.online
       2024-05-13T04:31:10Z
       
       0 likes, 0 repeats
       
       @matk There was some discussion back in 2016 about reducing the attack surface after some potential vulnerabilities were discovered.
       
 Post #AhqBZfjniyqxR6nZDM by hierodula@fosstodon.org
       2024-05-13T06:55:23Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux Breaking it by default isn't repackaging or maintaining, it's active malice, as is passing off the problems you created onto the upstream devs.
       
 Post #AhqCGfRYh6LqyYldui by BrodieOnLinux@linuxrocks.online
       2024-05-13T07:01:28Z
       
       0 likes, 0 repeats
       
       @hierodula The point I was making is there's no perfect group to maintain a package; there are bad/misaligned actors in both groups.
       
 Post #AhqCigCNTpIrQU1XuK by hierodula@fosstodon.org
       2024-05-13T07:06:46Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux That's a fair point. Maybe it's time for distros to just do the basics and stop packaging software and leave software maintainers to it; at least it minimises the good or bad actors to just one source.
       
 Post #AhqJTpXVAWDljOlrEW by taken@sakurajima.moe
       2024-05-13T08:26:06Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux Let's be honest, the majority of people wouldn't have used a password manager without the browser integrations, so removing that will probably have an inverse effect.
       
 Post #AhqKlK8QlftNUzwvyK by taken@sakurajima.moe
       2024-05-13T08:22:28Z
       
       0 likes, 0 repeats
       
       @gnomelibre @BrodieOnLinux Correct me if I'm wrong, but I don't think Flatpak supports the use of the browser extension unless it's been added recently.
       
 Post #AhqKlKXxEmJCm9tJku by BrodieOnLinux@linuxrocks.online
       2024-05-13T08:40:25Z
       
       0 likes, 0 repeats
       
       @taken @gnomelibre Having to copy from a desktop app is just not as convenient.
       
 Post #AhqN24nbEveylaK1c8 by BrodieOnLinux@linuxrocks.online
       2024-05-13T09:02:32Z
       
       0 likes, 0 repeats
       
       @taken Having to copy from a desktop app is just not as convenient.
       
 Post #AhqRRdvWAkvIllTLEW by matk@mastodon.social
       2024-05-13T09:55:24Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux So, the Debian maintainer reduced the default attack surface as per prior upstream discussions then, right? ;-) Maybe it's time to revise that and default-enable audited code without a flag to disable it... But I'm in the peanut gallery here; that's really up to the maintainer(s) to decide!
       
 Post #AhqSYhpY9mRGrFc2QC by BrodieOnLinux@linuxrocks.online
       2024-05-13T10:07:02Z
       
       0 likes, 0 repeats
       
       @matk The result was providing the options to disable the code, but the default remained enabled.
       
 Post #AhqVrtdMnNsopXkwgi by matk@mastodon.social
       2024-05-13T10:44:25Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux Yes, but providing options and then complaining if someone uses them is a bit odd... If you provide the knobs, you can expect someone to turn them, so if you don't want that, don't provide the options (or gate them behind a clear "use this at your own risk, using these options will result in an unsupported configuration" warning). E.g. you can build AppStream without systemd, but it's not recommended, and an error is thrown if a function is run that relies on systemd features.
       
 Post #AhqYUjIBNZnvxTUaLQ by enthusiast101@fosstodon.org
       2024-05-13T11:14:17Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux I think what Firefox is doing is a good way to go about this. You can ship it how you want, but you can't use the Firefox name and branding unless it meets certain requirements from the dev. I get that many people have issues with this and call it non-free, but it's free enough for most, IMO.
       
 Post #AhqkV0zGmxp0HvY4XI by ghast@liberdon.com
       2024-05-13T13:26:36Z
       
       0 likes, 0 repeats
       
       @nicemicro This assumes users are idiots, and unworthy to report issues to the source. @BrodieOnLinux
       
 Post #AhqmVfirXG8MXEJbW4 by BrodieOnLinux@linuxrocks.online
       2024-05-13T13:50:23Z
       
       0 likes, 0 repeats
       
       @matk My main issue is a lot of users don't see the difference between upstream and downstream, and a lot of bug reports are being sent to upstream because of a solely downstream choice. Maybe it's going too far, but I see why projects like xscreensaver have added giant "unsupported" messages when running on platforms like Debian in the past.
       
 Post #AhqvgOT6vQ0FnN8Puy by gianmarcogg03@mastodon.uno
       2024-05-13T15:29:20Z
       
       0 likes, 0 repeats
       
       @taken @gnomelibre @BrodieOnLinux That has never been an issue? At most, browsers have trouble with stuff like KeePassXC-Browser, which needs some funky workaround to communicate with the KeePassXC desktop app.
       
 Post #AhqvgPFK2AZGCtgv44 by sarvo@novoa.nagoya
       2024-05-13T15:34:20.861Z
       
       0 likes, 0 repeats
       
       @gianmarcogg03@mastodon.uno @taken@sakurajima.moe @gnomelibre@mamot.fr @BrodieOnLinux@linuxrocks.online Having two package managers is a fucking mess, plus Flatpak is slow, although not as slow as Snap. I'd rather have a distro that only and exclusively uses Flatpak, or that only has the distro package manager. The other issue with Flatpak is that people build their apps isolated; there are no shared libs. That's good and bad, but mostly what happens is that everyone packages however they want, there is no cohesion, and some package terribly. At least with package managers the packaging has a cohesive sense for the most part.
       
 Post #AhqwOv8Kq4vFqTeJMG by gianmarcogg03@mastodon.uno
       2024-05-13T15:35:53Z
       
       0 likes, 0 repeats
       
       @sarvo @BrodieOnLinux @taken @gnomelibre There are some shared libraries (e.g. GNOME or KDE frameworks in different versions).
       
 Post #AhqwOvhmiHHLcQEcc4 by sarvo@novoa.nagoya
       2024-05-13T15:42:25.049Z
       
       0 likes, 0 repeats
       
       @gianmarcogg03@mastodon.uno @BrodieOnLinux@linuxrocks.online @taken@sakurajima.moe @gnomelibre@mamot.fr But it is the exception, not the rule.
       
 Post #AhqxsOGvgIPEZMHkaO by matk@mastodon.social
       2024-05-13T15:57:47Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux TBH, my personal opinion is that xscreensaver was pretty silly. However, users should include the software version number in bug reports when they go upstream, always. And for distros, ideally bugs should end up in the distro bugtracker first and then be sent upstream by the package maintainer. That said, by introducing AppStream, I am probably directing more people to the upstream bugtracker... And also, for new users, Debian's bugtracker is particularly user-unfriendly too...
       
 Post #AhrjA5XekoMtXL3ASu by BrodieOnLinux@linuxrocks.online
       2024-05-14T00:47:55Z
       
       0 likes, 0 repeats
       
       @matk I agree that they should typically end up in the distro bugtracker; the question is how do you most effectively make that happen.
       
 Post #Ahrn5q4SjRtcDGckfg by matk@mastodon.social
       2024-05-14T01:31:58Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux If people report bugs at all, it's already a miracle... The lowest possible bar would likely be to at least make the Debian bugtracker more user friendly (e.g. with a non-email interface), but I doubt that will happen anytime soon. On the AppStream side, I should maybe add a global bug report URL override option, or the package maintainer should just patch it if the packaging delta is too large. That'd require everyone to play nice...
       
 Post #AhrnUREoCLIgQyC31M by BrodieOnLinux@linuxrocks.online
       2024-05-14T01:36:34Z
       
       0 likes, 0 repeats
       
       @matk I don't think an email interface should be done away with; there are a lot of people who are happy with it. But some way for non-email reporters to interact would, I think, be a big improvement there.
       
 Post #Ahrp26D6z32V1E0wIy by matk@mastodon.social
       2024-05-14T01:54:16Z
       
       0 likes, 0 repeats
       
       @BrodieOnLinux The Debian bugtracker is controlled *exclusively* via mail. As a developer, it's fine and I memorized all the commands and formatting I have to send, but for a drive-by bug report by a non-technical average user it's pretty much impossible to file issues reliably (and then their e-mail address is public too, which they might not have wanted...). This won't change soon though, because of -ENOMANPOWER as well as debbugs having its hardcore fans for the way it is.
       
 Post #AhrrERNgIX7Q3qyEqm by BrodieOnLinux@linuxrocks.online
       2024-05-14T02:18:53Z
       
       0 likes, 0 repeats
       
       @matk It would obviously require a new solution, but I know there are options out there which do provide both. But it probably won't happen anyway.