The officially official Devuan Forum!

soren

Member

Registered: 2023-04-30

Posts: 142  

KeepassXC

The debian maintainer for keepassxc has decided to reduce the functionality of keepassxc in debian sid due to what he percieves as  unwanted/needed security attack surface, not sure if this affects devuan ceres. In my opinion this is not warranted, the software is built to have all this functionality around it.

https://github.com/keepassxreboot/keepa … ues/10725/

tldr:

droidmonkey

@julian-klode this needs to be reverted asap. This is now our fourth bug report because of the decision to neuter the base KeePassXC package in Debian. Put the base package back where it was and create a keepassxc-minimal.

julian-klode

I'm afraid that's not going to happen. It was a mistake to ship with all plugins built by default. This will be painful for a year as users annoyingly do not read the NEWS files they should be reading but there's little that can be done about that.

It is our responsibility to our users to provide them the most secure option possible as the default. All of these features are superfluous and do not really belong in a local password database manager, these developments are all utterly misguided.

Users who need this crap can install the crappy version but obviously this increases the risk of drive-by contributor attacks.

Altoid

Member

Registered: 2017-05-07

Posts: 1,529  

Re: KeepassXC

Hello:

... these features are superfluous and do not really belong in a local password database manager ...

Makes a lot of sense to me.

Much more so with what we have seen happening lately.

As I understand it, julian-klode's point of view is clearly aligned with the Unix/Linux philosophy.
ie: doing one thing and doing it well.

Something to be lauded, not criticised.
As always, YMMV.

Best,

A.

ab

Member

Registered: 2023-07-19

Posts: 6  

Re: KeepassXC

If one needs more functionality than is included in the neutered Debian KeepassXC package, this is probably a good time to consider the KeepassXC AppImage or Flatpak.  There might be an extra step with each in getting browser integration working.

I wouldn't be able to use the current Debian package.  That's a no go.

Altoid

Member

Registered: 2017-05-07

Posts: 1,529  

Re: KeepassXC

Hello:

... wouldn't be able to use the current Debian package.

From what I make out of the OP, the reduced functionality has only been applied to sid, the unstable developement Debian, meaning Excalibur in Devuan.

I'd opine that there is still a long way to go till the package with the reduced functionality actually gets into the Debian stable repositories.

In the meantime, I'm sure a way to get what different users need without going against the basic do one thing and do it well philosophy will be found.

eg: base package for most users plus a set of separately packaged plugins (or similar) for those who need the different additional functionalities.(?)

Just my $0.02.

Best,

A.

soren

Member

Registered: 2023-04-30

Posts: 142  

Re: KeepassXC

Altoid wrote:
As I understand it, julian-klode's point of view is clearly aligned with the Unix/Linux philosophy.
ie: doing one thing and doing it well.

So how far does this mindset go to preempt a perceived security risk, not an actual risk? Lets start ripping build features out of xorg that might seem superfluous shall we?

I dont understand the reasoning as the password manager has features that directly relate to safe password storage and usage, nothing more nothing less. And on another note, from what i can gather is there could be two packages in the pipeline, one full one minimal. So why bother when the program itself has these build options/features that have been accused of having security risks as opt in not opt out and are turned off by default. On the one hand the full keepassxc is le bad but they will still ship it but have a minimal debian built version?? It kind of reminds me of something microsoft would do.

Last edited by soren (2024-05-13 02:01:38)

delgado

Member

Registered: 2022-07-14

Posts: 205  

Re: KeepassXC

It kind of reminds me of something microsoft would do.

Microso~1 uploads and stores your passwords in its cloud - without asking of course. Just try the new outlook, it's great!

Edit:
I don't see a problem at all. The full feature version is still existing; beside a more secure, minimal version.

Last edited by delgado (2024-05-13 20:57:08)

Publiclewdness

Member

From: Canada

Registered: 2024-07-02

Posts: 3  

Re: KeepassXC

I can understand both sides. I don't use the unstable branch so I doubt I will get affected by this but if I were the App Image and Flatpack options are there. Each camp has options at their disposal to gett he result they want.

siva

Member

Registered: 2018-01-25

Posts: 282  

Re: KeepassXC

Does anyone have a list of the features that were omitted re: this bug ticket? One of the commenters mentions it's the "fourth" bug ticket related to feature-removal.

Edit: Unrelated to the question but I found this... https://news.ycombinator.com/item?id=40320166

All they did was change the XC_ALL build parameter to OFF [0] which happens to be the default in upstream's CMakeLists.txt

And

INSTALL.md [0] recommends passing -DWITH_XC_ALL in the Build Steps section.

From Soren's GH issue, it sounds like the maintainers may remove such functionality in the future. https://github.com/keepassxreboot/keepa … 2104750715

As @droidmonkey said, none of these features are plugins. All of them are built-in functionality that belong to the main product. If anything, we will reduce the number of such compile-time flags in the future, so these things cannot be disabled anymore.

I'm not gonna take a position on this since all of this boils down to "free labor" from all parties. The "drive-by contributor attack" is certainly a valid concern these days, notably with respect to the XZ/LZMA fiasco. This could be an interesting case to investigate...

Edit: The Debian packages site isn't loading for me, but my search engine is fetching results for keypasscx-full and keypassxc-minimal. So...

Last edited by siva (2024-07-02 15:51:01)