In Debian, APT 3 gains features – but KeepassXC loses them

The intrepid users of Debian's "testing" branch just discovered that a bunch of their password manager's features disappeared… but their package manager is going to get new ones. Version 3.0 of Debian's default package manager, APT, will receive a significant improvement - developer Julian A Klode describes the new solver in …

  1. jonha

    While splitting KPXC into two versions was very badly communicated, I am quite happy with the change in itself. The No 1 reason why I use KPXC vs LastPass, Bitwarden etc etc is that I want a strictly local database with no need (and no code) to go online. So I fully understand (and support) where Klode is coming from. But yeah, perhaps he could've been a bit more "diplomatic".

    1. lizjohnson

      I'm guessing you only read the headlines, but do you think that Yubikey support and auto type are "network support"? But let's just focus on the security aspect of this action. Is disabling auto type actually a good thing? It promotes the use of the clipboard to store passwords. Whilst the browser plugin could arguably be considered network support, without that again another avenue of not using the clipboard to transfer the password is lost. The anti-phishing feature of the browser plugin is lost and ofc the Passkeys support is no longer available.

      Now, before you say "just install the full version", isn't this about sane defaults? Isn't the sane default to provide the majority of normal users with a modern password manager rather than what basically could be considered an encrypted spreadsheet? Shouldn't the more paranoid user be the one to install the "less crappy" version of the software, as they would be the ones more motivated and probably with the knowledge to do so?

      It feels to me this is just some ego elitism gatekeeping going on here. Some of the people who respond defending the decision to make the crippled version the primary version feel to me like the type of person who brags about using Kali as their daily driver because it's "more secure"....

      1. yetanotheraoc Silver badge

        Agree to disagree

        My ideas about security are nearer to Klode-the-maintainer and jonha-the-commenter than to yours. The basic problem is that reasonably smart people in complex scenarios can draw 180-degrees opposite conclusions about what is best to do. How to reconcile that? I don't know that Klode handled it correctly; on the other hand I'm not Klode and I don't know what happened before in his maintainer days. However, I'm pretty sure calling it "ego elitism gatekeeping" is not right. I read the github issue with interest and found myself changing my mind multiple times. So there is room for assuming good faith all around, despite serious disagreement with the other side's viewpoint.

        1. lizjohnson

          Re: Agree to disagree

          The thing about security is it's dependent on an individual's security model. Imposing your security model on everyone else isn't security, it's gatekeeping, and can end up reducing someone's actual security. Read up about security theater vs actual security, for example how our beloved politicians have such a boner in regards to putting a back door into encryption....

          So how does that affect Klode's decision in crippling KeePassXC to make a "less crappy" version? KeePassXC, from the very first page of their website, is described as "Let KeePassXC safely store your passwords and auto-fill them into your favorite apps, so you can forget all about them." A little bit down the page it is described as modern. I dunno what your idea of modern is, but something that has less functionality than its predecessors KeePass and KeePassX isn't mine.

          On the same page it describes support for Passkeys.

          All of these functions are removed from Klode's version of the package, so any user who installs KeePassXC without realizing it may end up logging a call with upstream, causing wasted time for the devs, or even worse it just gets dismissed, which may allow a real issue to be dismissed due to the devs being desensitized to bug reports involving Debian derivatives. Remember, going forward this isn't edgy tech-savvy bleeding-edge test users, but your average Debian derivative users. I'm hoping Clem's team will realize how stupid this is and will sensibly link keepassxc to keepassxc-full and keepassxc-min to keepassxc in some way.

          If Klode followed what I think is the spirit of open source he would have either forked KeePassXC to a different project which incorporates his ideas or just created a keepassxc-min package as suggested very early on in this whole mess, but you know ego!

          1. yetanotheraoc Silver badge

            Re: Agree to disagree

            I agree with all your post ... except the last four words. You keep saying that. I already said I don't agree with how Klode handled it (but with some wiggle room because I am ignorant of any possible backstory). He might just have _very_ strongly held views on security. Coupled with an absolutist world view and there you go. Unless you know him personally I think it's unfair to say ego. Even if you do know him personally and it is indeed ego, probably more constructive not to say it.

            Anyway, upvoted.

            1. lizjohnson

              Re: Agree to disagree

              From the github response of Klode:

              "I'm afraid that's not going to happen. It was a mistake to ship with all plugins built by default. This will be painful for a year as users annoyingly do not read the NEWS files they should be reading but there's little that can be done about that.

              It is our responsibility to our users to provide them the most secure option possible as the default. All of these features are superfluous and do not really belong in a local password database manager, these developments are all utterly misguided.

              Users who need this crap can install the crappy version but obviously this increases the risk of drive-by contributor attacks."

              Let's break this down.

              - "I'm afraid that's not going to happen. It was a mistake to ship with all plugins built by default. This will be painful for a year as users annoyingly do not read the NEWS files they should be reading but there's little that can be done about that."

              -- Knows that it will impact people but ¯\_(ツ)_/¯

              - "It is our responsibility to our users to provide them the most secure option possible as the default."

              -- SystemD? keepass2? keepassx?

              -- We know that they can rename/fork apps when it suits them e.g. Waterfox

              - "All of these features are superfluous and do not really belong in a local password database manager, these developments are all utterly misguided."

              -- It's not his project; if he doesn't like the direction of it, fork it and user adoption will show who is misguided.

              -- This is an attack on the KeePassXC dev team, hey they also have feelings and are also FOSS devs, do some FOSS devs get more rights than others???

              - "Users who need this crap can install the crappy version but obviously this increases the risk of drive-by contributor attacks."

              -- An attack on users who choose to use a feature rich password manager.

              -- Blinkered view on security; supply chain isn't the only attack. Clipboard, phishing, lack of MFA on the password DB are compromised by his change.

              The attack on the KeePassXC devs and users is why I personally see this as ego. I don't need to know someone to look at the response that they posted on a public forum on the project's GitHub and just be totally shocked at how toxic it is.

        2. Yukkuri

          Re: Agree to disagree

          Good faith but bad manners... Pretty typical Open Source experience.

      2. doublelayer Silver badge

        It probably depends how granular you can be when putting them back. If you can reasonably easily install the basic version and just the plugins you are going to use, then you can have the password manager, U2F support, and automatic typing without all the other things, and then you're only open to the vulnerabilities in things you're deliberately using. However, the more complex this gets, the more users will either install all the plugins, thereby giving them the same set of vulnerabilities, or get confused and not use it at all, making their situation worse.

        1. lizjohnson

          KeePassXC doesn't have actual plugins; this is a legacy term from KeePass, KeePass2, KeePassX and so on. For KeePassXC these are functions built into the app, which the package manager removed at compile time. I've noticed there is no keepass2-full or keepassx-full, and these packages actually do have plugins!

          1. doublelayer Silver badge

            Ah, so the answer to how granular you can be is not at all. That changes the calculus a little. If you can't have some but not all of the features without building from source, then people will probably expect the package to have all of the features. That also means the maintainers do not have the choice of splitting it into a core package and another package and users just have to pick between the two offered versions.

            1. lizjohnson

              Just some additional info about "plugins" and security from the horse's mouth (aka the FAQ on their site):

              "Does KeePassXC support (KeePass2) plugins?"

              "No, KeePassXC does not support plugins at the moment and probably never will. KeePassXC already provides many of the features that need third-party plugins in KeePass2, so for most things you don't even need plugins, nor should you ever want them. Plugins are inherently dangerous. Many KeePass2 plugins are barely maintained (if at all), some have known vulnerabilities that have never been (and probably never will be) fixed, and none of them are as thoroughly tested and reviewed as we test and review code that goes into our main application. We find that encouraging users to install untested (and often quickly-abandoned) third-party plugins is inherently incompatible with the security demands of a password manager.

              If you really need external functionality not available in KeePassXC, you can look for "plugins" that use the KeePassXC-Browser API, which is a much more secure way of sharing passwords with third-party applications than loading those applications as plugins directly into KeePassXC."

              So the KeePassXC devs go to all this effort to reproduce a lot of useful functionality as native functions in their app, just to get judged as wasting their time and having it stripped out of the primary package. When people talk about demotivating FOSS developers, this defo feels like a prime example of it!

      3. jonha

        > I'm guessing you only read the headlines

        No, I read the whole article.

        > but do you think that Yubikey support and auto type is "network support"?

        Again no, I don't. But in my post I concentrated on the issue most important to me personally. Inflated ego I presume.

    2. Anonymous Coward

      Sounds like Klode was just Poettering about in the code when he decided to make the change.

  2. JeffP
    Thumb Up

    Kudos for the seamless integration of a barely modified Hitchhikers quote. This represents a quality of writing (and specifically generational humour) that I suspect many of us come back for!

    1. Yankee Doodle Doofus Bronze badge

      Agreed. I smiled. I haven't read those books in probably 30 years. I think it's overdue.

      1. David 132 Silver badge
        Coat

        > I think it's overdue.

        I wish you'd return it. The fines will be horrendous by now, plus, it's their only copy, and I've been waitlisted to get it since 1994.

  3. Steve Graham

    I tried keepassxc but it takes 15 seconds to start up on my system (8-core i7). There is a debug command-line option, but it doesn't print anything useful, so I've always meant to grab the source code and try to work it out. I don't think there's much point submitting a bug report if I have no idea what's wrong, but I'm guessing that there is a very long timeout waiting for something which I haven't got. Like PolicyKit, or consolekit, or a session manager. Something Ubuntu.

    Programmers always always make timeouts vastly too long. "Hmmm. Let's try five seconds. With three retries." It's the 21st century: if something doesn't talk to you in half a second, it's not going to talk to you at all.

    1. jonha

      Yeah, there's probably something in your environment. On my Ryzen 5 5600u lappy KPXC needs around 1.5sec from fresh and is even faster 2nd time round.

    2. nintendoeats

      If something you depend on is waiting for a network resource, half a second is not a reliable target in all situations.

      1. nintendoeats

        I wrote that and completely forgot that people still run hard drives in desktops. If a hard drive has to spin up, half a second is nowhere near long enough of a timeout.

  4. KSM-AZ
    Facepalm

    KeePassXC change was backwards . . .

    You should not change the functionality of a package by splitting it and taking things out and putting them in a new package; that was abjectly ignorant. The 'keepassxc' package should have been changed to a dependency package, dependent on keepassxc-core, keepassxc-plugins or something.
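    For readers who want to see what the "dependency package" suggestion above would look like in Debian packaging terms, here is an added illustration of debian/control stanzas. It is not from the commenter, from Debian, or from the KeePassXC project; the keepassxc-full and keepassxc-min names are borrowed from elsewhere in this thread, and the maintainer, build-dependency and description fields are placeholders. Because the optional features are compile-time options rather than loadable plugins, the illustration models two builds of the same source that cannot coexist, with the familiar name kept as a metapackage so the default install is unchanged.

```debcontrol
Source: keepassxc
Section: utils
Priority: optional
Maintainer: Placeholder Maintainer <placeholder@example.invalid>
Build-Depends: debhelper-compat (= 13), cmake
Rules-Requires-Root: no

# Hypothetical metapackage: the familiar name keeps pulling in the full
# build, so "apt install keepassxc" behaves as it did before the split.
Package: keepassxc
Architecture: all
Section: metapackages
Depends: keepassxc-full (>= ${source:Version}), ${misc:Depends}
Description: KeePassXC password manager (metapackage, full build)
 Depends on keepassxc-full. Install keepassxc-min instead for a build
 without browser integration, auto-type, hardware-key or network code.

# Full build: all compile-time features enabled.
Package: keepassxc-full
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Conflicts: keepassxc-min
Replaces: keepassxc-min
Description: KeePassXC password manager (all features)
 Browser integration, auto-type, hardware-key and network support.

# Minimal build: the same source compiled with the optional features off.
# The features are compiled in, not plugins, so both builds ship the same
# /usr/bin/keepassxc and cannot be installed side by side.
Package: keepassxc-min
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Conflicts: keepassxc-full
Replaces: keepassxc-full
Description: KeePassXC password manager (local database only)
 Built without browser integration, auto-type, hardware-key or network
 features, for users who want a strictly offline password database.
```

    The Conflicts/Replaces pair is what lets apt swap one build for the other instead of failing on a file clash, and the metapackage is what preserves the default that users expect; a reduced-attack-surface build is then an explicit opt-in rather than a silent change to an existing package name.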

    1. mark l 2 Silver badge

      Re: KeePassXC change was backwards . . .

      I think some distro maintainers forget that they aren't making a distro for themselves and a few mates but something that is going to be used by millions of end users who are just going to assume that installing Keepassxc on Debian is going to get them the same software they would get on any other distro and not some crippled version with networking and plugins removed.

      If the distro maintainer wanted to have a local only version then they should have forked it and called it Keepassxc-local or such like and not dicked about with the main package.

    2. lizjohnson

      Re: KeePassXC change was backwards . . .

      Ugh, whilst they are called plugins, this is a legacy term from its parent application; KeePassXC doesn't actually have plugins, these are functions built into the application. The functions were actually removed from the package when it was compiled to produce the "less crappy" version. I noticed that both KeePass2 and KeePassX don't actually have -full versions, and these actually do have plugins!

  5. KSM-AZ

    I run keepassxc on dozens of machines in a variety of environments. It loads quickly on every single platform.

  6. Eecahmap

    "This has made a lot of people very unhappy and been widely regarded as a bad move"

    I see what you did there.

    1. Anonymous Coward

      Re: ".... regarded as a bad move" but slightly smaller in scope :)

      In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move.

  7. nijam Silver badge

    Apropos KeePassX, the features turned off in the latest Debian release were ones that (1) I never used anyway, and (2) had always felt a bit attack-surfacey (admittedly without bothering to do any kind of proper analysis).
