💾 Archived View for namno.duckdns.org › blog › 2024-05-15.gmi captured on 2024-12-17 at 09:39:57. Gemini links have been rewritten to link to archived content

KeePassXC Debian package situation

On 23 April 2023, Julian Andres Klode, the Debian maintainer of the keepassxc package, removed all networking and IPC features, including support for YubiKeys, from that package, following a very slow-moving bug report thread complaining that these additional features might increase the attack surface. Additionally, a keepassxc-full package was created that retains all of these features.

I consider this move misguided and harmful for the following reasons:

Everyone expects full KeePassXC by default

In one of the threads created following this decision, Julian said that he expected complaints for a year because no one reads the NEWS file. He is correct that no one reads the NEWS file (or knows about it in general), but he is wrong in his estimate of the complaints. They will not stop after a year; they will continue until the keepassxc package stops giving people a cut-down version of KeePassXC and ships the full one, as it does on all other distros.

KeePassXC is advertised with all these features; they are the main reason to choose this password manager over any other. Even the Debian package description mentions them:

In contrast to KeePassX (package keepassx), KeePassXC is actively developed and has more features, e.g., connectivity to a Web Browser plugin (package webext-keepassxc-browser).
https://packages.debian.org/testing/keepassxc

If someone needed a "more secure" option, they could have picked one of the many alternatives that support the same database format but lack the features that are unnecessary for them. So the only users who "benefit" from this are those who don't know the difference between password managers and just install whatever is popular, in which case they are probably even more confused as to why their version of the program doesn't work like it does for other people.

These are not plugins

Many other people defended this decision by saying that many other Debian packages do not include plugins by default. First of all, there are plenty of packages that have (first-party) plugins included in the package itself or pulled in as a dependency.

Second of all, they are not plugins. They are #ifdef-ed pieces of code that are only tested with all of them enabled. The option of disabling all of them (the current Debian situation) is tested only for its ability to compile, and no further. This leads to my third point.

Disabling everything decreases safety

Many of the features Julian disabled are necessary for maintaining security. From physical USB keys to the browser plugin, which among other things helps distinguish real sites from phishing sites, they actively increase security. Disabling these features leads users to opt into less secure alternatives, like transferring passwords through the clipboard.

Conclusion

I hope that Julian eventually re-evaluates his decision and, if he does not re-enable these features in the main keepassxc package with an optional keepassxc-core/minimal/whatever package that you could opt into, at least enables some of the features that actually provide security, like browser integration or the secret provider. I also hope that Debian stops thinking it is the center of the universe and stops breaking packages for no good reason.