Post AhwhaGvJpcDMFPH7ui by Orca@nya.one
(DIR) Post #AhlxpI3XMdyWdDk8xM by keepassxc@fosstodon.org
2024-05-10T14:51:19Z
1 likes, 3 repeats
Debian Users - Be aware the maintainer of the KeePassXC package for Debian has unilaterally decided to remove ALL features from it. You will need to switch to `keepassxc-full` to maintain capabilities once this lands outside of testing/sid.
(DIR) Post #Ahr1RSHX44kn0FylOa by juliank@mastodon.social
2024-05-11T10:03:41Z
0 likes, 0 repeats
@nik @healsdata @Zugschlus @keepassxc The rename will happen, ftpteam willing. As for the direction of the trixie transitional package, maybe that is the best. We'll certainly kill it after Trixie, then apt install keepassxc tells you the two choices and you can decide for yourself.
(DIR) Post #Ahr1RTBtgVq9p4LmFc by malte@anticapitalist.party
2024-05-13T16:20:17Z
1 likes, 0 repeats
@juliank I appreciate your diligence, and personally I am very happy with the minimized version of keepassxc, but I don't understand why you needed to insult the keepassxc developers for that? (https://github.com/keepassxreboot/keepassxc/issues/10725#issuecomment-2104401817)
(DIR) Post #AhsaqGAcvGiuEYGwDI by Ray_Of_Sunlight@mastodon.social
2024-05-10T14:53:09Z
1 likes, 0 repeats
@keepassxc Wuh- Why??
(DIR) Post #Ahv6kMBPEzjNzdmlqS by tuxwise@social.tchncs.de
2024-05-10T16:17:46Z
0 likes, 0 repeats
@keepassxc An exceptionally bad decision to wreck a huge existing installation base, "because I can". The rude reply by @juliank is condescending, and far from what I am used to reading. https://github.com/keepassxreboot/keepassxc/issues/10725#issuecomment-2104401817
(DIR) Post #Ahv6kNgdeMJAenPEAK by juliank@mastodon.social
2024-05-10T16:30:46Z
0 likes, 0 repeats
@tuxwise @keepassxc why do you think it's rude and condescending? The first thing Debian users should be looking at when something changes unexpectedly is the /usr/share/doc/<package>/NEWS.Debian.gz. That is the way breaking changes are communicated. Users of testing/unstable are expected to have apt-listchanges installed to see them automatically. Stable release users should read the release notes. People annoying upstream isn't something I can solve.
(DIR) Post #Ahv6kP6COoLf2MN9e4 by stardust@fosstodon.org
2024-05-11T05:59:44Z
0 likes, 0 repeats
“Stable release users should read the release notes.” No they shouldn't. That's exactly why they use stable: so things don't break unexpectedly and they can work on problems that they want/need to work on. -- @juliank @tuxwise @keepassxc
(DIR) Post #Ahv6kQFS7tLQbLi3hw by juliank@mastodon.social
2024-05-10T16:34:40Z
0 likes, 0 repeats
@tuxwise I took my time to reach the decision; it went back and forth for a year, and the xz-utils thing eventually tilted things in favour of shipping as little code built in as possible by default. I do not believe however that there is a significant overlap between people who use Debian, keepassxc, and people looking for a featureful password manager. It just makes no sense to go with a local-only password manager and then put gaping holes in it. @keepassxc
(DIR) Post #Ahv6kR8OpbITLlPwLw by juliank@mastodon.social
2024-05-11T06:34:07Z
0 likes, 0 repeats
@stardust @tuxwise @keepassxc That's a misunderstanding, they should read the release notes when upgrading to the next release
(DIR) Post #Ahv6kS5xGAw4KTHVBI by keepassxc@fosstodon.org
2024-05-11T09:36:31Z
0 likes, 0 repeats
@juliank @stardust @tuxwise@tchncs.de I disagree with this statement on a fundamental level. If you see Debian as an expert tool for a very specific expert target group, then fine, whatever. But Debian is the base for a general-purpose operating system for millions of users with no technical background or simply no nerve and time to deal with things like this. You cannot and should not expect these users to know about any obscure text files, let alone read and understand the tech babble that's in them.
(DIR) Post #Ahv6kTLwaDJsELlmk4 by vv221@fediverse.dotslashplay.it
2024-05-15T15:39:43Z
1 likes, 0 repeats
“You cannot and should not expect these users to know about any obscure text files, let alone read and understand the tech babble that's in them.” Debian NEWS files are nothing like a full changelog. They only document major changes that happen when upgrading from a Debian stable release to the next one. The users do not have to hunt for this information; the content of the NEWS files is shown automatically during the upgrade. Since these are targeting end users, they usually do not include "tech babble". The only alternative to NEWS files that I can think of would be to never change anything from one Debian stable release to the next. Of course if Debian were to do that they would quickly lose all relevance as an operating system. CC: @juliank@mastodon.social @stardust@fosstodon.org
(DIR) Post #Ahv6kTPUN29gPLQcGe by keepassxc@fosstodon.org
2024-05-11T09:36:43Z
0 likes, 0 repeats
@juliank @stardust @tuxwise@tchncs.de I certainly don't fire up a text editor and check the NOTES files first before I run apt upgrade or click the "Install now" button on the update reminder popup and I am probably much more of an expert user. We can only implore you to revert your decision. Your concerns about supply chain attacks in particular are certainly not unfounded, but you cannot export the complexity of this decision to your users in a way they will not and cannot understand.
(DIR) Post #AhvAz5f3Ln5Iubvx2G by juliank@mastodon.social
2024-05-11T07:42:12Z
0 likes, 0 repeats
@ubernostrum 1. Please leave my employer out of it. That's crossing a line. 2. It's entirely normal to refer to stuff considered superfluous as crap, at least in German, that's quite a normal expression. 3. I wrote this quickly after waking up before hopping on a train and a plane to be nice and let them know that there's no going back. That doesn't mean there's no way forward. 1/2 @tuxwise @keepassxc
(DIR) Post #AhvAz6l7GjWqJhmJ7o by juliank@mastodon.social
2024-05-11T07:44:47Z
0 likes, 0 repeats
@ubernostrum 4. If I could step down from maintaining it I would. My KeePass database stores a handful of high value passwords and the password to my Bitwarden where the majority of day to day passwords live so I can use it on all devices. People just are acting very suspicious, trying to push new features or new upstream releases in without giving it any review or thought. *This* would be breaking the trust implied in my relationship with my users. 2/3 @tuxwise @keepassxc
(DIR) Post #AhvAz7hFma27E0yjk8 by varjolintu@mastodontti.fi
2024-05-11T09:31:27Z
0 likes, 0 repeats
@juliank "People just are acting very suspicious, trying to push new features or new upstream releases in without giving it any review or thought." "The upstream developments have been very concerning, I can't be the only one feeling that way." Could you elaborate on these a bit?
(DIR) Post #AhvAz7nHQAqzWhnY8W by juliank@mastodon.social
2024-05-11T07:52:14Z
0 likes, 0 repeats
@ubernostrum 5. Checking against online password databases can be nice to have but sadly we can't have everything and it's misaligned with being a local database password manager. We are talking about a tool where you have to manually synchronise your password databases over your myriad of devices. Only die hard security fanatics would use such a contraption in the first place. 3/4 @tuxwise @keepassxc
(DIR) Post #AhvAz8bGQKpu1jBT2u by juliank@mastodon.social
2024-05-11T07:56:25Z
0 likes, 0 repeats
@ubernostrum 6. This did not happen in an instant but you can clearly see it took over a year to reach this point where the plan could be finalised and executed. The upstream developments have been very concerning, I can't be the only one feeling that way. In fact I know I'm not the only one feeling that way because I've had users tell me. Actually security engineers too. @tuxwise @keepassxc
(DIR) Post #AhvAz8sHP4RmsV93ZI by juliank@mastodon.social
2024-05-11T10:16:21Z
0 likes, 0 repeats
@varjolintu What happens with keepassxc packaging is exactly the same thing that happened with xz-utils. People demand new upstream releases getting merged quickly, some with upload rights threaten to upload them themselves, people "helpfully" package new upstream versions for you. I employ a 0 trust model, so I need to redo it all anyway to make sure it was not tampered with. Now they may be honest, but after being burned out by time_t and then xz-utils you can understand I'm very cautious.
(DIR) Post #AhvAz9NpVlgUSLuFkG by juliank@mastodon.social
2024-05-11T10:20:35Z
0 likes, 0 repeats
@varjolintu On the upstream side, I think there's some misalignment between various factions. I need my password manager to manage my passwords. In fact I use keepassxc only for high value targets, like my backup encryption keys, or the key to my day-to-day bitwarden account (as I need the sync to Chromebooks, family account sharing, etc, I do self host a vaultwarden for it).
(DIR) Post #AhvAzA5QteYwdaJ4i0 by juliank@mastodon.social
2024-05-11T10:23:58Z
0 likes, 0 repeats
@varjolintu There are several people like this, and what they are looking for is not a constant influx of new features or large changes to fix bugs. And that to me is the most logical choice. You went to all that trouble to pick the hardest to use (across devices) password management solution in the world, you're paranoid and trust nobody, you don't suddenly want to poke holes in it for convenience like browser extensions; just use the clipboard, it's much more secure.
(DIR) Post #AhvAzAfEkXCcQd3fW4 by varjolintu@mastodontti.fi
2024-05-11T10:36:31Z
0 likes, 0 repeats
@juliank As far as I know, the clipboard can be accessed by any application, especially in Windows. Encouraging people to use it instead of more secure alternatives might not be the way to promote any "secure defaults". Speaking of password managers in general, as a Bitwarden user, do you think their browser extension and Vaultwarden are more secure than KeePassXC's browser integration that works only locally? Or are you using only the clipboard with Bitwarden too?
(DIR) Post #AhvAzBBUob0U2g9QnY by juliank@mastodon.social
2024-05-11T10:40:15Z
0 likes, 0 repeats
@varjolintu No I do not think Bitwarden is more secure. I only trust it with 2nd tier passwords, most web accounts. It is more secure in the context that I don't need to keep my high security KeePass database open. But then one could have two databases. But I wouldn't trust my backup encryption keys to it, or my Google account 2 factor code.
(DIR) Post #AhvAzBioohf5i1k2jo by juliank@mastodon.social
2024-05-11T10:42:43Z
0 likes, 0 repeats
@varjolintu The clipboard thing is a bit annoying, as far as I understand it's privileged in Wayland to some extent, and the autotype doesn't work there. But having one password in there for 15s, that malicious software would need to correlate with what you are doing to find out what it's for, is very much a better choice than exposing APIs to query any password IMO.
(DIR) Post #AhvAzCK2aJR5ZT9lku by varjolintu@mastodontti.fi
2024-05-11T10:47:29Z
0 likes, 0 repeats
@juliank There's an API but it isn't exposed in a way that anyone could query something from it without the user knowing about it. Plus it only works locally and is not exposed to the outside world. Are these some of the features that are insecure in your opinion?
(DIR) Post #AhvAzCtqRC4lMVuMYy by juliank@mastodon.social
2024-05-11T10:53:30Z
0 likes, 0 repeats
@varjolintu I understand there are some access controls, but they can be buggy. A bug in the browser extension IPC access control could reveal your entire database to your browser. If you don't have the means to query the database from other processes the entire attack vector goes away. I.e. keepassxc-light or whatnot could only ever have critical CVEs if it messed up the database encryption.
(DIR) Post #AhvAzDP2ZD1svGVHBg by juliank@mastodon.social
2024-05-11T11:00:03Z
0 likes, 0 repeats
@varjolintu Optimally I'd go a step further:
- make keepassxc open files using portals (it might already, I don't know)
- write an AppArmor profile that only allows r/w configuration files, and read access to /usr
Then you can select databases, key files, and work with them and rest assured that even if keepassxc core is compromised (whether that's a new malicious maintainer sneaking in, or a gcc backdoor 😄) it can't talk anywhere else.
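A sketch of the AppArmor profile described in the post above, added here as an illustration; it is not from the thread, the Debian package or the KeePassXC project. The binary path, the per-user directories, the abstraction names and the document-portal path are assumptions for a typical Linux desktop install.

```apparmor
# Hypothetical profile for /usr/bin/keepassxc (added example, not shipped by any package).
# Intent from the thread: writable access only to its own configuration, read access to
# /usr, and no channel to "talk anywhere else" even if the core were compromised.
abi <abi/3.0>,
include <tunables/global>

profile keepassxc /usr/bin/keepassxc {
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/X>
  include <abstractions/wayland>
  include <abstractions/dbus-session-strict>

  # Having no "network" rule already denies sockets; stating it keeps the intent visible
  # and overrides anything an abstraction might add later.
  deny network,

  # The program and everything under /usr, read-only (m permits mmap of shared libraries).
  /usr/bin/keepassxc mr,
  /usr/** r,
  /usr/lib/** mr,

  # The only writable locations: the user's own configuration and cache
  # (assumed locations; k allows the file locking KeePassXC uses).
  owner @{HOME}/.config/keepassxc/ rw,
  owner @{HOME}/.config/keepassxc/** rwk,
  owner @{HOME}/.cache/keepassxc/ rw,
  owner @{HOME}/.cache/keepassxc/** rwk,

  # Databases and key files the user selects; narrow these to where you actually keep them.
  owner @{HOME}/**.kdbx rwk,
  owner @{HOME}/**.key r,
  owner @{HOME}/**.keyx r,

  # Files chosen through the desktop file-chooser portal are exposed under the
  # document portal mount (assumed path); without portals this rule can be dropped.
  owner /run/user/*/doc/** rw,

  # Deliberately no exec (ix/px/ux) rules: the confined process cannot launch helpers,
  # so a compromised core has no native-messaging or clipboard-tool escape hatch.
}
```

Load it in complain mode first (`aa-complain`) and read the audit log before switching to `aa-enforce`; anything the packaged build genuinely needs beyond this, such as D-Bus calls for the portal, will show up there as denials.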
(DIR) Post #AhvAzDwiXzy4biGAgC by coin@asimon.org
2024-05-15T16:44:42.441423Z
0 likes, 0 repeats
@juliank Do everyone a favor and stop maintaining keepassxc altogether.
(DIR) Post #Ahwg621cYi7rOpEuEy by Zugschlus@zug.network
2024-05-10T15:01:47Z
0 likes, 0 repeats
@keepassxc I don't find it so problematic to offer two versions of your program: one minimal one that does the basic job (which is enough for me) and has fewer attack vectors, and the fully-blown "monster" with all those nifty features.
(DIR) Post #Ahwg63hUKXD4axpr8a by healsdata@fosstodon.org
2024-05-11T00:01:12Z
1 likes, 0 repeats
@Zugschlus Sure, but the problem comes from the fact that users have had the full version installed as one package for X amount of time and now that package is suddenly the minimal version. Most users will blame the change on @keepassxc rather than realizing that their distro made a change. Both the maintainer and KeePassXC agree on this pain point and the maintainer even said he anticipates it will last a year. Crippling a user's installed software feels more like M$ than FOSS.
(DIR) Post #AhwhPkYPKGTqxXXcgK by zeh@mstdn.io
2024-05-13T00:27:17Z
0 likes, 0 repeats
@reallychris you are behaving like entitled brats. no one owes you anything. nothing. much less "professionalism". there is no "job"! this is a gift. these people are contributing to a commons. and the developer has thoroughly explained the reasons and evaluation behind the decision. you may disagree, but you are not doing the work and so you don't get to decide. you get to decide if you step up and do the work. you can become a dd and then you'll have a word on it. @rfg @keepassxc @debian
(DIR) Post #AhwhPltiKX7N7uW9Wy by katzenberger@social.tchncs.de
2024-05-13T09:50:08Z
1 likes, 0 repeats
@zeh That person is not the developer, but the Debian package maintainer who has decided to wreck the installation base, solely because he could and wanted to lecture the actual developer on what a password manager should do, in their opinion. Among other things, the package maintainer decided to remove browser integration. From a password manager. @reallychris @rfg @keepassxc @debian
(DIR) Post #AhwhRhiWqNTMjyCuky by rfg@bark.lgbt
2024-05-12T20:00:16Z
1 likes, 0 repeats
@keepassxc This maintainer clearly doesn't care much for the users of @debian. Interestingly, `keepass2` is maintained by the "Debian CLI Applications Team"; but `keepassxc` for some reason has been left in the hands of this rude, clown-child. I believe it's time for Debian to find someone else for the job! Btw, I use Debian, and I don't read any 'news files'. #keepassxc #debian
(DIR) Post #AhwhaGJ27xacKfMYEq by juliank@mastodon.social
2024-05-11T09:40:44Z
0 likes, 0 repeats
@keepassxc I think renaming the package to keepassxc-minimal will make it much clearer, and I'll try to do that and I hope it gets accepted. I'm very torn on the upgrade path with a transitional keepassxc package, we can depend on keepassxc-minimal|keepassxc-full or the other way around. Once we drop the transitional package is when things become nice: apt install keepassxc will tell you that there's a minimal and a full, and you can select it. @stardust @tuxwise
(DIR) Post #AhwhaGvJpcDMFPH7ui by Orca@nya.one
2024-05-11T09:53:36.807Z
1 likes, 0 repeats
@juliank@mastodon.social Sorry for the sudden request: I hope that users that already have KeepassXC installed will be transitioned to the full version. I don't want someone to wake up one day and find that their KeepassXC was upgraded to a minimal version (by themselves or automatically) without the feature they need. Newly installed users on the other hand can take some time to tinker with their installation and figure it out. Debian has been the OS with the fewest nasty surprises for decades, I hope it stays this way. ❤️ @keepassxc@fosstodon.org @stardust@fosstodon.org @tuxwise@social.tchncs.de
(DIR) Post #Ai5a08bmJqIOmEb6g4 by yoshir@lor.sh
2024-05-12T16:10:00Z
1 likes, 0 repeats
@juliank You CAN solve that by not making stupid changes
(DIR) Post #ArgAP42TL8dJg1jYv2 by kraftner@mastodon.social
2024-05-11T10:02:05Z
0 likes, 0 repeats
@keepassxc Am I right that this won't affect the Ubuntu PPA?
(DIR) Post #ArgAP50jj4q4gvvgqu by keepassxc@fosstodon.org
2024-05-13T20:43:33Z
1 likes, 1 repeats
@kraftner If you are referring to our own upstream PPA, then yes, that will continue to ship the full package.