Conversation

Debian Users - Be aware the maintainer of the KeePassXC package for Debian has unilaterally decided to remove ALL features from it. You will need to switch to `keepassxc-full` to maintain capabilities once this lands outside of testing/sid.

@keepassxc I don't find it so problematic to offer two versions of your program: one minimal one that does the basic job (which is enough for me) and has fewer attack vectors, and the full-blown "monster" with all those nifty features.

@keepassxc Though I appreciate having a minimal package, I think naming the packages the other way round would be less confusing to existing users - keepassxc-minimal and keepassxc.

@keepassxc
Can you link to a clarification of what 'all' means please?

@keepassxc is this specific to the debian distro or does it affect other distros that use apt?

@keepassxc An exceptionally bad decision to wreck a huge existing installation base, "because I can".

The rude reply by @juliank is condescending, and far from what I am used to reading.

https://github.com/keepassxreboot/keepassxc/issues/10725#issuecomment-2104401817

@Ray_Of_Sunlight @keepassxc

Trying to reduce the size of an iso by fifteen kilobytes?? lol no idea.

@Zugschlus @keepassxc Keepassxc is not the only package that is split this way. Vim and Nginx are packaged like that too.

@pootriarch this might end up flowing down to ubuntu at some point.

@AlisonW All means no yubikey, auto-type, browser integration, ssh agent, fdo secrets, and networking (favicon download, HIBP).

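The list above is what the thread says goes missing from the minimal package. As an added check, not code from the thread or from the KeePassXC project, the POSIX sh snippet below reads the "Enabled extensions:" block that `keepassxc --debug-info` prints and reports which of the features named here are absent, so a Debian user can tell whether they are running the stripped build before a hardware-key database fails to open. The exact extension spellings, the two sample outputs, and the "- None" line for a stripped build are assumptions; "networking" is not something KeePassXC lists as an extension, so it is not checked.

```shell
#!/bin/sh
# Added example, not from the thread or the KeePassXC project. Reads the
# "Enabled extensions:" block printed by `keepassxc --debug-info` and reports
# which full-build features are missing. Extension spellings are assumed.

# Features the thread says the minimal Debian package drops, as KeePassXC is
# assumed to print them (networking is not listed as an extension, so skipped).
EXPECTED_FEATURES='Auto-Type
Browser Integration
SSH Agent
YubiKey
Secret Service Integration'

# missing_features TEXT: print each expected feature (one per line) that is
# not listed as "- Name" between "Enabled extensions:" and the next blank line.
missing_features() {
    _enabled=$(printf '%s\n' "$1" |
        sed -n '/^Enabled extensions:/,/^$/p' |
        sed -n 's/^- //p')
    printf '%s\n' "$EXPECTED_FEATURES" | while IFS= read -r _feat; do
        printf '%s\n' "$_enabled" | grep -qxF -- "$_feat" || printf '%s\n' "$_feat"
    done
}

# count_missing TEXT: number of missing features; 0 means a full build.
count_missing() {
    missing_features "$1" | awk 'END { print NR }'
}

# check_installed: run the check against the keepassxc binary on PATH and
# print a verdict (on Debian the fix is `apt install keepassxc-full`).
check_installed() {
    command -v keepassxc >/dev/null 2>&1 || { echo "keepassxc not installed"; return 2; }
    _info=$(keepassxc --debug-info 2>/dev/null)
    _n=$(count_missing "$_info")
    if [ "$_n" -eq 0 ]; then
        echo "full-featured build"
    else
        echo "$_n expected feature(s) missing (on Debian: apt install keepassxc-full):"
        missing_features "$_info"
        return 1
    fi
}

# Constructed sample output of a full build (format assumed, trimmed).
FULL_SAMPLE='KeePassXC - Version 2.7.7

Enabled extensions:
- Auto-Type
- Browser Integration
- SSH Agent
- KeeShare
- YubiKey
- Secret Service Integration

Cryptographic libraries:
- Botan 2.19.3'

# Constructed sample output of a build with every optional feature disabled.
MINIMAL_SAMPLE='KeePassXC - Version 2.7.7

Enabled extensions:
- None

Cryptographic libraries:
- Botan 2.19.3'

# Demo on the constructed samples: prints 0 for the full one, 5 for the minimal one.
count_missing "$FULL_SAMPLE"
count_missing "$MINIMAL_SAMPLE"
```

Run `check_installed` on a machine with KeePassXC on PATH to test the real binary; a non-zero count on a Debian system points at the split package rather than at a broken database.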

@RL_Dane @Ray_Of_Sunlight @keepassxc looks to be security related when reading https://packages.debian.org/sid/keepassxc: This package includes only the bare minimal functionality, and no security complications like networking, SSH agent, browser plugin, fdo secret storage. See keepassxc-full if you absolutely need those.

@j_r @lieven @RL_Dane @Ray_Of_Sunlight that bug report is bunk. He removed ALL features, not just networking. That includes yubikey support, auto-type and browser integration.

@Zugschlus @keepassxc the basic version does not let you open some databases (specifically ones that use a hardware key as a second factor) and is also more prone to phishing due to lack of autofill

@charlotte @keepassxc People are free to migrate to the full version then without losing their data.

@Zugschlus @keepassxc debian could also have a -minimal package for the ~0 people that would prefer that

@Zugschlus @keepassxc it’s an example of bad defaults and also breaking things for the users on purpose. entirely uncalled for and the no-feature version of keepassxc actively harms user security vs the normal version

@charlotte @keepassxc i disagree with that. As a free software project one has to live with the fact that people are free to do things you don't like. That's life.

Please, don't get keepassxc in the "hostile upstream" range, that would be really sad.

@Zugschlus @keepassxc I don’t think that upstream should have to live with bug reports that stem entirely from intentionally bad decisions downstream

@Zugschlus @keepassxc And debian making a user-hostile change should not be the problem of the software developers who had absolutely zero input in this decision

@Zugschlus @keepassxc a lot of the cases of “hostile upstream” are really just cases where downstream were being assholes and upstream did not want to deal with the fallout again

@charlotte @keepassxc

I'm finished with the discussion and will consider other programs to be my password safe in the future.

@Zugschlus @keepassxc like yes, with free software anyone can do what they want. but upstream can also just do what they please. Freedom goes both ways.

@Zugschlus @keepassxc don’t let the door hit you on the way out. btw i have nothing to do with the keepassxc project aside from using it

@charlotte @keepassxc @Zugschlus
Can they enforce a trademark in this case to make them rename the package? I think that would be a good call to avoid bad propaganda.

@SrEstegosaurio @keepassxc @Zugschlus building without the plugins is supported upstream; they didn't just tear out necessary functionality like debian did with openssl before. It's just that it's definitely not the intended experience

@charlotte @keepassxc @SrEstegosaurio The Debian OpenSSL disaster happened sixteen years ago, and it was an honest mistake. Can we put that to rest please?

While we're looking at security nightmares, I'm all for ripping out unused code and unnecessary features. It's the best thing we can do after learning about the recent liblzma compromise.

@Zugschlus @keepassxc @SrEstegosaurio i don’t just accidentally remove the random seeding code out of a cryptography library

also the recent liblzma disaster was specifically targeting distros that added code to security critical components

@charlotte @keepassxc @SrEstegosaurio Oh. I must be talking to the ONE person in the world who has NEVER done a stupid coding mistake.

You must be a real uberperson.

@Zugschlus @keepassxc @SrEstegosaurio

i haven't claimed i do but i also haven't commented out random lines from security critical software to silence some warnings from an analysis tool

now to debian's credit, openssl maintainers also did not realize that removing it would be a bad idea, but the real solution would have been to report it to openssl maintainers to begin with, instead of patching a warning out yourself with 0 understanding of how the code worked

@Zugschlus @SrEstegosaurio @keepassxc

but it seems that you are dropping all pretense of good faith in this discussion, so any further messages will be redirected to /dev/null. cheers

@keepassxc ok, but their points are kinda reasonable except for how they are doing it

@Zugschlus @charlotte @keepassxc I heartily recommend @bitwarden, and you can self-host it if you'd like.

@charlotte @keepassxc @Zugschlus >don’t let the door hit you on the way out

What a shitty thing to say.

@apicultor @Zugschlus @keepassxc @bitwarden bitwarden would probably also not appreciate it if debian broke basic functionality on purpose, especially since it’s a lot more corporate than keepassxc

@apicultor @keepassxc @Zugschlus idk, i wasn’t the one who basically pulled the open source version of “I demand to speak to your manager” on someone who is completely unrelated

@Zugschlus @charlotte They are breaking people's existing password manager without warning or reason. That should never happen.

@Zugschlus @charlotte They’re free to fork the project. They’re not free to steal the name.

@charlotte @bitwarden @keepassxc @Zugschlus I agree, but thankfully I don't depend on a distribution to package it for me.

@charlotte @keepassxc @Zugschlus I disagree; I took what they said as not wanting to engage further and that they'd be looking into alternatives instead.

Your reply was tantamount to "good riddance".

To each their own.
