Posts by lizjohnson

Re: Agree to disagree

From the github response of Klode:

"I'm afraid that's not going to happen. It was a mistake to ship with all plugins built by default. This will be painful for a year as users annoyingly do not read the NEWS files they should be reading but there's little that can be done about that.

It is our responsibility to our users to provide them the most secure option possible as the default. All of these features are superfluous and do not really belong in a local password database manager, these developments are all utterly misguided.

Users who need this crap can install the crappy version but obviously this increases the risk of drive-by contributor attacks."

Lets break this down.

- "I'm afraid that's not going to happen. It was a mistake to ship with all plugins built by default. This will be painful for a year as users annoyingly do not read the NEWS files they should be reading but there's little that can be done about that."

-- Knows that it will impact people but ¯\_(ツ)_/¯

- "It is our responsibility to our users to provide them the most secure option possible as the default."

-- SystemD? keepass2? keepassx?

-- We know that they can rename/fork apps when it suits them e.g. Waterfox

- "All of these features are superfluous and do not really belong in a local password database manager, these developments are all utterly misguided."

-- Its not his project, if he doesn't like the direction of it, fork it and user adoption will show who is misguided.

-- This is an attack on the KeePassXC dev team, hey they also have feelings and are also FOSS devs, do some FOSS devs get more rights than others???

- "Users who need this crap can install the crappy version but obviously this increases the risk of drive-by contributor attacks."

-- An attack on users who choose to use a feature rich password manager.

-- Blinkered view on security, supply chain isn't the only attack. Clipboard, phising, lack of MFA on the password DB are compromised from his change.

The attack on the KeePassXC devs and users is why I personally see this as ego. I don't need to know someone to look at their response that they posed on a public forum on the projects github and just be totally shocked at how toxic it is.

KeePassXC doesn't have actual plugins, this is a legacy term from KeePass, KeePass2, KeePassX and so on. For KeePassXC these are functions built into the app, which the package manager removed during compilation time. I've noticed there is no keepass2-full or keepassx-full and these packages actually does have plugins!

Re: Agree to disagree

The thing about security is its dependent on an individuals security model. Imposing your security model on everyone else isn't security its gate keeping and can end up reducing someones actual security. Read up about security theater vs actual security, for example how our beloved politicians have such a boner in regards to putting a back door into encryption....

So how does that affect Klode's decisions in crippling KeePassXC to make a "less crappy" version. KeePassXC from the very first page of their website is described as "Let KeePassXC safely store your passwords and auto-fill them into your favorite apps, so you can forget all about them." a little bit down the page it is described as modern. I dunno what your idea of modern is but something that has less functionality than its predecessors KeePass and KeePassX isn't mine.

On the same page it describes support for Passkeys.

All of these functions are removed from the Klode's version of the package, so any user who installs KeePassXC without realizing it may end up logging a call with upstream causing wasted time for the devs or even worse it just gets dismissed which may allow a real issue to be dismissed due to the devs being desensitized to bug reports involving Debian derivatives. Remember going forward this isn't edgy tech savvy bleeding edge test users, but your average Debian derivative users. I'm hoping Clem's team will realize how stupid this is and will sensibly link keepassxc to keepassxc-full and keepassxc-min to keepassxc in someway.

If Klode followed what I think is the spirit of open source he would have either forked KeePassXC to a different project which incorporates his ideas or just created a keepassxc-min package as suggested very early on in this whole mess, but you know ego!

Re: KeePassXC change was backwards . . .

Ugh whilst they are called plugins, this is a legacy term from its parent application, KeePassXC doesn't actually have plugins, these are functions built into the application. The functions were actually removed from the package when it was compiled to produce the "less crappy" version. I noticed that both KeePass2 and KeePassX don't actually have -full version of them and these actually do have plugins!

I'm guessing you only read the headlines, but do you think that Yubikey support and auto type is "network support"? But let's just focus on the security aspect of this action. Is disabling auto type actually a good thing? It promotes the use of the clipboard to store passwords. Whilst the browser plugin could arguably be considered network support, without that again another avenue of not using the clipboard to transfer the password is lost. The anti phising feature of the browser plugin is lost and ofc the Passkeys support is no longer available.

No before you say "just install the full version", isn't this about sane defaults? Isn't the sane default to provide access to the majority of normal users a modern password manager rather than what basically could be considered an encrypted spreadsheet? Shouldn't the more paranoid user be the one to install the "less crappy" version of the software as they would be the ones more motivated and prbly with the knowledge to do so.

It feels to me this is just some ego elitism gate keeping going on here. Some of the people who respond defending the decision to make the crippled version the primary version feels like to me be the type of person who brags about using Kali as their daily driver coz its "more secure"....