KeePassXC - A bit of a developer tiff going on

An Ubuntu/Debian developer has taken it upon himself to disable parts of keepassxc for Debian sid without asking or discussing it with anyone.
 
As usual, all blown completely out of proportion. All that's been done, as is common in Debian, is to provide a minimal and a full package.


One which retains all of the network functionality and one that provides minimal dependencies. I expect to see people moaning about vim and various other Debian packages which have done this for years.

https://www.reddit.com/r/linux/comments/1couviy/keepassxc_debian_maintainer_has_removed_all/

This, ignoring the clickbait title, has some decent info upvoted. This is a good security decision.

Edit: I would say they should have done keepassxc and keepassxc-minimal instead.
 
The Ubuntu/Debian developer has crippled the Sid version so much that only copy and paste now works (not even yubikey works any more) and says he is only going to offer this version because he has issues with the plugins' security, with no further explanation.

Keepass uses plugins, KeePassXC does not.

When the project owner of KeePassXC pointed out that it doesn't use plugins and asked the Ubuntu/Debian developer to explain what plugin and security issues he is referring to, the Ubuntu/Debian developer refused to explain, repeated again that he will only offer the crippled version, and started using demeaning language that the full version is the crap version.

Something dotty is going on.

 

Have you tried using the keepassxc-full package? That will have all of the functionality. If it doesn't in Sid, then that's kind of expected, as Sid is not stable.
 
I guess that either he has relented or something has been resolved between them in private to now include a full sid package.

We might never know why he suddenly turned pissy, cast aspersions and called it crap after years of a good working relationship?
 
This package was already there when you'd posted this thread. People simply don't understand the way Debian prefer packaging to be done. I linked it in my first response. I haven't read all of the responses etc from the dev, but from a packaging perspective this is normal.
 
droidmonkey commented May 10th, 2024

@julian-klode this needs to be reverted asap. This is now our fourth bug report because of the decision to neuter the base KeePassXC package in Debian. Put the base package back where it was and create a keepassxc-minimal.

julian-klode commented May 10, 2024

I'm afraid that's not going to happen. It was a mistake to ship with all plugins built by default. This will be painful for a year as users annoyingly do not read the NEWS files they should be reading but there's little that can be done about that.

It is our responsibility to our users to provide them the most secure option possible as the default. All of these features are superfluous and do not really belong in a local password database manager, these developments are all utterly misguided.

Users who need this crap can install the crappy version but obviously this increases the risk of drive-by contributor attacks.

Maybe they have had a disagreement about the correct name for the standard package, I don't know, but it doesn't change the fact that they have had a disagreement and it got people concerned about keepassxc security.
 
I get what the maintainer's saying, to be fair. I also get the users' issues; it was named badly originally. There is an overarching issue in the FOSS community with maintainers being difficult, cranky and not particularly good with the whole interactive side, which is a whole thing in itself as they do this for free, in their spare time mostly. I also think the timing doesn't help, with xz being recent, and that people don't understand the Debian packaging system despite Ubuntu being so popular and bastardising it.
 
Apparently there has been friction in the past between droidmonkey and Ubuntu developers as Firefox Snap sandboxing keeps breaking native messaging to the browser plugin. Not sure if that's the plugin julian-klode is referring to; I'll have a look through GitHub when I can be arsed to see if I can find the previous disagreements.

It might be unrelated but it's pretty juvenile if there is some sort of tit for tat going on.
 
So a while ago (maybe 6 months) I found that KeePassXC had abandoned snap and was only offering flatpak packages.

Today whilst installing Noble Numbat I found that KeePassXC is available again and on the latest version as a snap.
 
All seems dotty, I can't make heads or tails of it.

Have you tried it with Firefox snap and the KeePassXC-Browser Extension as not everyone uses it like that?
 
Ubuntu 24.04 LTS (codenamed ‘Noble Numbat’) has been released.

Comical that they are now blocking 3rd-party deb files for security but they seem perfectly happy with bitcoin miner infected snaps.

This has just been announced for 24.10

Canonical is outlining plans for Ubuntu 24.10 which will be launched in October 2024. Some of the plans include switching to a Wayland session by default, even when using NVIDIA drivers, getting Ubuntu Core Desktop ready for general use and making the software centre work with third-party Deb packages.

It's like Canonical and its devs have lost their damn minds and are just making stuff up as they go along in regards to security.
 