KeePassXC - A bit of a developer tiff going on

[Ice Tea]

Debian Sid No-Feature KeePassXC Package · Issue #10725 · keepassxreboot/keepassxc

Overview I'm using the Brave and Firefox browsers under Ubuntu testing using keepassxc version 2.7.7, suddenly the browser integration doesn't work anymore. So I went into the settings menu to enab...

github.com

https://www.reddit.com/r/KeePass/comments/1coyiyj/team_keepassxc_keepassxcfosstodonorg_debian_users/

An Ubuntu/Debian developer has taken it upon himself to disable parts keepassxc for debian sid without asking or discussing it with anyone.

 

[Ice Tea]

The Ubuntu/Debian developer has crippled the Sid version so much that only copy and paste now works ( not even yubikey works any more) and says he is only going to offer this version because he has issues with the plugins security with no further explanation.

Keepass uses plugins, KeePassXC does not.

When the project owner of KeePassXC pointed out that it doesn't use plugins and asked the Ubuntu/Debian developer to explain what plugin and security issues he is referring to the Ubuntu/Debian developer refused to explain and repeated again that he will only offer the crippled version and started using demeaning language that the full version is the crap version.

Something dotty is going on.

​

 

[Ice Tea]

Have you tried using the keepassxc-full package?

I guess that either he has relented or something has been resolved between them in private to now include a full sid package.

We might never know why he suddenly turned pissy, cast aspersions and called it crap after years of a good working relationship?

 

[Ice Tea]

This package was already there when you'd posted this thread.

droidmonkey commented May 10th, 2024

@julian-klode this needs to be reverted asap. This is now our fourth bug report because of the decision to neuter the base KeePassXC package in Debian. Put the base package back where it was and create a keepassxc-minimal.

julian-klode commented May 10, 2024

I'm afraid that's not going to happen. It was a mistake to ship with all plugins built by default. This will be painful for a year as users annoyingly do not read the NEWS files they should be reading but there's little that can be done about that.

It is our responsibility to our users to provide them the most secure option possible as the default. All of these features are superfluous and do not really belong in a local password database manager, these developments are all utterly misguided.

Users who need this crap can install the crappy version but obviously this increases the risk of drive-by contributor attacks.

Maybe they have had a disagreement about the correct name for the standard package, i dont know but it doesn't change the fact that they have had a disagreement and it got people concerned about keepassxc security.

 

[Ice Tea]

Apparently there has been friction in the past between droidmonkey and Ubuntu developers as Firefox Snap sandboxing keeps breaking native messaging to the browser plugin, not sure if that's the plugin julian-klode is referring to, i'll have a look through github when i can be arsed to see if i can find the previous disagreements.

It might be unrelated but it's pretty juvenile if there is some sort of tit for tat going on.

 

[Ice Tea]

All seems dotty, i can't make heads or tails of it.

Have you tried it with Firefox snap and the KeePassXC-Browser Extension as not everyone uses it like that?

 

[Ice Tea]

Ubuntu 24.04 LTS (codenamed ‘Noble Numbat’) has been released.

Comical that they are now blocking 3rd-party deb files for security but they seem perfectly happy with bitcoin miner infected snaps.

This has just been announced for 24.10

Canonical is outlining plans for Ubuntu 24.10 which will be launched in October 2024. Some of the plans include switching to a Wayland session by default, even when using NVIDIA drivers, getting Ubuntu Core Desktop ready for general use and making the software centre work with third-party Deb packages.

It's like Canonical and its Devs have lost their damn minds and just making stuff up as they go along in regards to security.