Debian Breaks KeepassXC Package For "Security"

For consistency Debian should disable networking in all packages. Anything else would be unfair!

This is 100% maintainer overreach. The maintainer believes that he should have a say in what features are and aren't enabled in the software. That is simply not true. The maintainer's job is to package the software and make sure it can be installed and run with no issues.
If the maintainer wants to offer a "minimal" version with no networking, he's free to make a "keepassxc-minimal" or "keepassxc-nonetwork" package. But mutilating the default package to the point where users feel the package is broken? No. Just no.

In other words, a maintainer deliberately broke a package then got mad when people didn't like that he deliberately broke a package.

Next up: Firefox, localhost only 👍
Edit: wait wait, even better: Firefox, but automatically block ports 80, 8080, 443, and 8443.

I think the solution is simple, 1. Debian needs a clear policy and 2. Debian maintainers MUST have a conversation with the upstream dev before gimping their application.

As a user (On Windows anyway) It doesn't take a genius to know, if a feature suddenly doesn't work
people will not be pleased. I agree with the XScreensaver thing, you mess with my stuff. I mess with you
I don't care what the reason is, pulling the rug like that on people is incredibly inconsiderate.
It's not a single maintainer's job to be opinionated, but to follow whatever rules the distro sets,
while also not causing the developer grief by gutting a feature or whatever else. Shame on him

Seems to me that severely downgrading a package that users already have and expect to function mostly the same is a really bad idea.
And no, people aren't going to read every release note of every package on their system. Why would they? Maybe I'm just a casual user, but when I do an update, I don't expect to LOSE most of the functionality. Maybe I'll have to do something a different way. Maybe I'll need to convert some old file. Not "suddenly nothing works any more".
Also, Julian seems to hate the people that use his distribution.

the debian team might as well disconnect their PC's from the internet and leave to our devices whilst they hand deliver git diff's to eachother, it is after all the most secure option :P

Am I the only one using more than one computer? What's next? Disabling network support in the OS itself? Back to the good old times when I was an operator on a HP 3000 Micro where networking was a rarely use extra expensive option?

Very interesting dilemma. I can respect a distribution for trying to package binaries with minimal features and therefore minimal attack vectors. If this is the case then Debian should probably not be identified as a general purpose distribution any more but rather a hardened point-release server distribution or something else. If maintainers / packagers have different visions, then it's a problem because their individual decisions will not be coherent and represent the projects vision.
In my opinion I think the packager is in the wrong here. Debian is advertised as easy to use, wide OOTB support and for wide range of use cases. Which means that the default should be to maximize the support and availability not the other way around.

I think a potential solution is for flatpack to have maintainers who review packages for issues, cebtralizing the process and cutting down on duplicate work, but ensuring that every package still has a second set of eyes on it

I could have in a very small part justified the choice to impose a downgrade if it were only that. Unfortunately, we have the Yubikey issue - so the mantainer's choice is not a downgrade, it is actively harmful, and it should be treated as a critical bug.

Using Flatpak for all non system stuff. Works great and little to no trubbleshooting neccesary!
Yes it does use a bit more space on my drive - i dont care.

In debian, they did a thing with python3 and python3-minimal. Why not for Keepass too?

An update on this: keepassxc 2.7.7+dfsg.1-3 turns keepassxc into a transitional package which depends on keepassxc-full or keepassxc-minimal, with -full being the default. I previously said this was the correct behavior, and anything else was a bug because it broke functionality and upgrades. The bug has been fixed.
I didn't follow this, and only noticed by chance (a side-effect of using Debian's aptitude and reviewing new available packages), so if it was someone convincing the developer to do the right thing or if there was some internal Debian drama over it I don't know. And I don't care, because fixing it before a stable release is all that really matters.
I am still considering that maybe my next installation won't be Debian… we shall see.

I REALLY do not understand the problem. If you want the full functionality, install the -full package. If it had been split like this from the beginning, i dont think anyone would have a problem.
This is not ideal, but to never be able to change a package is stupid for the maintainer. Packages have been split for years.
Also, EVERYONE should have taken notice now

I've always maintained that standard user applications should be flatpaks now, whilst leaving the server stuff for the distro maintainers. It's a happy medium where users get the latest, greatest and unmolested software and server admins know to report CVEs, bugs, regressions to the distro maintainer instead of some random upstream dev.

and third post to answer Brodie's questions:
distros should patch as few things as possible. A build patch here or there for example.
also I am using keepassxc
also I am using gentoo, where it is the users choice what to turn on (browser integrations) and what to turn off (yubikey, because I am not using it). The strenght of gentoo. You want a feature, you enable it yourself. You do not want, you disable it.

Forget sometimes Linux is a religious undertaking for some people.

Migrating from a system package to flatpak is not painless. I just today had to do it on my media center that I updated to noble and that broke Kodi (noble ships python 3.12 but same Kodi 20 as mantic, but you need Kodi 21 for python 3.12 support, otherwise it crashes). Migrating to Kodi flatpak solves the problem, but then you have to rebuild your config - which is a pain for a large app like Kodi.

Imo Flatpak basically make the vetting process a conscious choice, rn most of the vetting is done kind of as a side effect of every distro packaging the software. With flatpak that practice might be shrinking, but that only means distros need to act like every other os and check the software they're using. (Also, I think system lvl software shouldn't really be flatpaks as it doesn't need the sandbox and at that point you might as well just stick to the traditional packages, so that way yu still get the "vetting by repackaging" effect)

KeePassXC User, hard agree with droidmonkey.
If Julian was that concerned either work out a solution with upstream -or- split the package into two new ones, no direct upgrade to something with distro broken functionality.

Julian's reasoning is terrible. It comes from a reasonable place. No one wants to ship bad packages, but if he did this because "what if there's another backdoor like with xz" then Debian should be stripping every package down to minimal features and breaking it for everybody.
Also, minimal feature set doesn't automatically mean "more secure." There were probably a lot of Yubikey users burned by this decision when suddenly they were locked out of their database because some idiot though "less features means more security."
There's a reason I don't use Debian on my servers anymore.
Also, using the Flatpak works, but I'm personally no fan of Flatpaks. I'd prefer to use a distro that allows package customization as a first-class feature, like Arch, Gentoo, or NixOS. If I were still using KeepassXC and the nixpkgs maintainers broke KPXC like this, I'd just make an overlay of the package re-building it with the bits I want.

Yes, i am a keepassxc user. But I'm not on Debian (thankfully).
Here is my solution:
When updating the system, the package that is installed should be uninstalled automatically and the new version should be installed. Effectively just replacing the package automatically because it is the exact same package. The user does not need to know this at all, as only the name of the package changes. Any new user would see both versions and the old user switched to -full version automatically, because the old version was -full version already (just different package name).

I use 1password, so don't really have stake on this one... but if maintainer did that to my app, i would add prompt on start up stating that they are using unsupported version of the app and should seek support from debian if need arises, give link where to send bug reports and add recommendation to use flatpack instead for "supported by devs" version. I really think people responsible for app should have saying what the naming scheme is. What debian can do is set it so that apt install keepassxc installs minimum by default, but there would be keepassxc-minimal and keepassxc-full packages in the background. I don't know how apt update works, it should still point old users to keepassxc-full if they previously installed apt install keepassxc and received keepassxc-full. If that doesn't work like that then apt is trash and that functionality should be created to it asap.

I would actually choose to use a keepassxc minimal package. I don't use the extra features so it makes sense to reduce my attack surface. That said, this should be an optional secondary package!

classic case of doing the right thing the wrong way

Debian was my first distro 20 years ago, but they have a long history of doing weird feature removals and shipping really old software. When I first started using Debian, you could not get sound without recompiling the kernel because the maintainer disabled those drivers for... some reason. I can't say any of this surprises me.

As someone who specifically uses keepass as a local manager, I agree with klode. (other than yubikey part)

Suddenly breaking user's ability to access their own password vault is INSANE. Especially based on hypothetical concerns & nothing concrete. The maintainer should be removed from Debian asap for something as hostile & irresponsible as locking users out of their vault. People need passwords for daily purchases of food & meds these days. What is this idiot even thinking? Fire him.

If Debian continues this road they would literally discard their key selling point: stability.

RUclips is unsubbing me from random people I am subbed you. It's happened to you, Louis, and what would you do so far. Idk why. I try to resub, get errors, it "works" but then I refresh and its unsubbed again.

"Just install Flatpak" Mmmmm nah, I'll pass

i'd install the KeepassXC minimal package of i had the choice, but i don't like that existing packages get neutered.

As a Debian stable user, I'm very happy I got used to flatpaks lol

If the maintainer correctly predicted that people wouldnt read the release notes, couldn't he add a note in the settings area (where one would look if a feature got turned off after an update) that features were removed and they would need to switch to the complete package instead?
I'm newer to Linux, so I'm not sure if thats "kosher" or not, but it seems like Julian is screwing with the Keypass team on purpose based on everything said...

It's unsettling to learn that package maintainers can go rogue like this

i shall not use the flatpack before my time

re: the suggestion of doing what xscreensaver did
Debian's response was to tell jwz (the author of xscreensaver) to go **** himself and edited out the warning. So if KeepassXC were to also take a similar route, I highly suspect Julian's respnse will be to do the same.

Idk if this is totally related (maybe in the same realm of assuming what's best for users) but I've encountered an example of a developer of a Windows GUI program who made his program literally refuse to start up if it was run as administrator, showing an error message. Surprise, surprise, he not only did he start getting GitHub issues from confused users about why such an restriction even exists (this software literally just rips certain physical media: thats all it does) but someone then made a batch script that overrides it. I've seen Windows applications before that just give you a warning about running as admin, but never this.

And this is why people use in-browser password managers in place of independent programs - which is a bitch in games like Warframe ( Just use Steam log in like normal game devs DE! Also, keep me logged in.).

This is a nothingburger. Distributions are empowered to package software as they see fit and that's a good thing. The consequence of this change will be to make more users aware that KeepassXC is packed (not to say bloated) with complex features that may or may not compromise security. A net positive.

Mozilla already found the solution to this back when they were at odds with Debian over long feature freezes and the security and compatibility implications.
Trademark rights. It's well within the upstream developers rights to say *sure, you can do this but you can't call it KeepassXC anymore"
Normally I frown on that tactic, but here it's entirely reasonable in order to deflect all the bug reports that should be going to the maintainer

I'm a KeepassXC user on Debian 12. I support a keepassxc-minimal and a keepassxc (full-fat) version so as not to break existing users ingrained workflow. The Yubikey issue is particularly egregious.

they should remove the build option that allows a broken package to be built, then watch julian lose his mind 🤣🤣

I wonder if Debian will disable js by-default in Firefox going forward, that stuff is wild to exploit and is not safe for everyday users.
I just gotta go with Linus with this one "Don't break user-space", make a new package called minimal.

I've encountered people who consider any password manager insecure, so maybe Debian should just ship a book and pen by default to make those people happy?

The approach of the package mentainer was really out of line. Especially since better options exist. If they don't want to make the full version the default they could have created two equal options, like -minimal and -full and set -full as the replacement for the existing package.
This way people upgrading won't loose functionality and new users have to make a deliberate choice.
Change the package so drastically and keeping the same name is just disrespectful to the developers.

I understand the change and wanting to avoid bloat, but a minimal package probably is more practical considering that this version has already been out, especially considering I’ve never heard the term “news file”.

KeepassXC itself has the ability to enable/disable the browser integration built-in by default in the settings, that's up to the user and secure enough IMO.
I really don't want distro/repo maintainers to babysit me and make me loose hours asking myself what happened only to find out the packages i downloaded and installed are behaving differently and read each news files package just to check they f*d up base features.
Don't make me regret Windows MSI installer packages!

Does Debian have any process in place for when a maintainer is straight up hostile towards upstream? I mean, they have to care about their relationships with the larger free and open source community, right?

If I felt like being a jerk, I would just remove that compile flag entirely. Let them patch it back in every time if they want to keep using it. If they want to keep ruining the software I make, that's their problem!

As a security person myself i'm all for secure defaults. But it's a bit ridiculous to not compile in many values features which come in an disabled configuration anyway. Code that isn't executed isn't a real risk. Furthermore one can argue it's even less secure to have no autofill. So you're actually removing a feature that makes people more secure. What comes next? Debian ships a with a default kernel without netfilter because that code can have vulnerabilities?

DON'T. BREAK. USERSPACE.

I basically get the arguments of both sides.
Calling it crappy was way over the top tho.
The MAJOR issue here is the hardware key issue. Password managers are a very integral part of most users workflows. Can we seriously allow an update to LOCK THEM OUT of their password manager? Seriously, nobody would ever imagine that happening. Imagine somebody has their root password in their database and elusively unlock using hardware keys. They only notice it after next restart of the app and then they might already be logged out of any privileged users, so they can't even install the full package.
Major oversight from the package maintainer!

I do use keepassxc but not Debian. I couldn't imagine doing a simple system upgrade then suddenly the YubiKey is not functioning. That sounds cray!

Funny enough, I was reading an article about this a few hours ago and figured you'd be making a video about it. :D

If only these options were configurable at runtime..... oh wait, they were opt in already. This is so dumb.
If you want to prevent an app from using network, have a firewall rule (I assume linux can attach firewall rules to program signatures?!?)

I love how they make it sound like using the functionality in the full version is basically the same as completely disabling your firewall. I would hope people this worried about networking functionality have their network unplugged whenever they're not actively downloading updates.

I think that the Debian council should formulate some simple procedures to keep package maintainers from knee-jerking like this. While it is very important to ensure that reactions are as quick as humanly possible in the case of issues like the XC debacle, bad decision-making like this should be tempered with common sense. The first major error was not including upstream in discussions, and the second (arguably even larger) error was to dig in an try to save face. This is a fight that nobody won, in fact there are only victims here. Debian is an enormously influential project, but even so it should not steamroll over upstream in this manner. Trust has been damaged. Julian, please grow up.

While security is the responsibility of the distro, overreaching and removing core features that will affect upstream like this is not their responsibility nor should they do it. provide a secondary package for those that don't need the feature. Browser integration, etc are very important and many many users use it, including me.

I'm using Ubuntu with KeepassXC and I use my fido2 key to unlock my database. I vehemently disagree with Julian Klode here. The autofill option with sequence shuffeling is more secure than a simple copy-paste. Note that all the extra features apart from the basic functionality are disabled by default.

I've never complained about my software being compiled with too many features, but I have had issues with missing features/dependencies/codecs. For server applications sure, tighten things up, but for desktop applications I expect all the features are available to me and just work at least on parity with the Windows builds of the same software. If features are intentionally disabled there should be clear indications of why. If I want some very specific compile flags and hardening which fit exactly my use case I'll used a source based distribution or otherwise compile it myself.

So why should people not be vocal about these guy? Cause it hurts his feelings ? i can live with that. Thats how society works, if you act like shit towards others you get a fitting response. In times before the internet being a ass to others would sooner or later lead to someone giving you a smack. I dont advocate for something like this, but being disliked, maybe vocal disliked, is the response of you act mean against others. Its not even hate, its the result of your own actions

I am a keepassxc user. The unfortunate thing is browser integration and some of those features don’t work with the flatpak due to how flatpacks are isolated. Giving off the inferior feeling yes there is a way around it but at that point it’s just always easier to run the actual package because you basically have to break the flat pack.
Thankfully I’m on arch. But decisions like this make it really hard to recommend these distributions to family members who would be in that same case of not knowing what’s going on and then I have to fix it not knowing what happened either. It’s just too much work. I’m not sure about any of you but I don’t appreciate having to deal with tech Support phone calls at 3 am lol.

I actually have a solution to this problem: it's called "not being an entitled dickhead". The maintainer's job is to provide users with the application they need. The maintainer's job is _not_ to tell the users what they need and don't need, or tell the developers how to develop their application, or pretend like he has ultimate authority over the developers' work. This maintainer should resign or be removed from the project immediately.

As a long time open source maintainer I see where both parties are coming from. I think it’s entirely fair for Debian to package a minimal version as default, though arguably they should have done it via a more user friendly transition (e.g. a -full and -minimal package where the default package is equal to -full for now and then switched to -minimal in a new major version of Debian). I also think the bug reports against the repo are fair, features when compiled out provide no indication to the user that their omission is intentional because they were not enabled. The maintainers are not helpless in reducing incoming bug reports by updating the user experience when features are disabled. A simple documentation page can go a long way, or even updating their issue template to guide confused Debian users to the solution.

that guy's about to get hired by EA, ubisoft, microsoft, and sony all at once for their rugpulling specialty

Julian works for Canonical. So of course he’ll assume what’s best for end users, not listen to valid criticism, and not communicate effectively.

So many things are done in the name of security which prevent security. One example is when some applications started preventing the user from cutting and pasting a password into the password field which made the use of password managers with really long passwords much more difficult. I haven't seen this for a while now, thankfully. Sometimes in the effort to make software idiot proof it ends up being smart person proof.

They should just make droidmonkey the maintainer of the package, and take this julian out of the loop completely. As the project owner it should be their decision on how their project is being packaged and deployed.

That maintainer is like a reddit moderator. Absolute edgelord looking to cause turmoil in the guise of "security". This is just silly.

I can so see julian just wanting to disable networking and it snowballing into everything else for _reasons_

I'm support of a giant red bar saying "YOU ARE USING A MINIMAL VERSION OF THE APPLICATION. DO NOT LEAVE BUG REPORTS RELATED TO NETWORKING"

creating a minimal one was the best choice for everyone, Julian just being a total cannonical employee as always!

Wow that guy actually said on the fedi that calling other people's hard work that they provide to you for free "crap" is just a normal thing that we do here in Germany.
For the record: No. It's not. Like in pretty much any other country/culture that is obviously unacceptable. That's exclusively a this guy thing, not a german thing.

13:58 another gnome L

Thanks for the resources in the info box. Almost no "daily upload" youtuber provides their sources in the info box anymore. I am positively surprised you still do that.

As i asked before, is there no way to remove him as maintainer?

Up next: canonical employee creates a minimal KeePassXC Snap build 🤭

Shit like this is why I run Gentoo.

This was just fixed in Debian unstable a few hours ago. Now there are 2 packages: keepassxc-minimal and keepassxc-full, and normal keepassxc is a transitional package depending on keepassxc-full | keepassxc-minimal, i.e. people upgrading (or just installing keepassxc) will get the full version by default, but they can choose to install the minimal version if they want to.
Also, YubiKey support was reintroduced into keepassxc-minimal.

>debian sid
>literally the "arch" version of debian
thanks, but i will stick with debian
thank you for beta testing for me

😑
Debian always had their philosophy of being stable, long tested and secure, fixing bugs, aligning the packages to work well together in a way that doesn't break system for any reason and fixing security vulnerabilities. I've never thought Debian remove or implement features and treat that as if it wasn't a fork.
In this case, Devuan should be called Debian-Without-SystemD and Debian called Debian-with-SystemD. 🙄

Lmao, Debian should also disable network support for Firefox and only allow running local HTML files for SecURitY.

Distro wants to create separate package? Ok. Distro wants to make that package default for it's users? Ok. Distro changing the feature set of package without changing name? That is a dick move. If I use a package named XYZ on ubuntu, and then I move on Fedora or Debian and download package with same name, generally I expect same versions have same feature sets. So the package name is meaningul. In debian land tho, it is meaningless.
Probably will stay away from Debian, that maintainer is not all right.

XZ was not "drive by" ... it was like 2 years of gaining more maintenance responsibility

"GNOME detected. Things will be broken." Really cracked me up somehow! 🤣

Bundling a custom package for your own liking and making it the default for everyone, instead of labeling it as a custom derivative, has nothing to do with a community effort. Especially when the actual developer of the software is getting issues from this. Also calling the default build "crappy" is just crappy behavior.
It's one person abusing their power to shove their opinion down the throats of others. But I guess that's just what it's like to live the Debian SID style ;-)
Also I've got better things to do than reading news files for all my software... playing minecraft for example lol

The whole lesson from xz is developer exhaustion and mental health issues that caused the vulnerability to happen.
Julian, by doing this, created an enormous amount of unnecessary headache and inadvertently directing (potentially toxic) user complaints to the dev. And then also have the audacity to reference xz in his response.
This is not security. This is masturbation.

"if you absolutely need those" are you freaking joking me? What in the world do they think we use this for? julian, you're a fool.

I use KeePassXC on my mac, and always compile it without the networking code, but it's a bit of a hassle. Every time there is an update I have to download the new sourcecode and run through all the steps to compile it the way I want. I would actually love it if there was an easier way to install and maintain it without any networking code. If there was just a specific homebrew package that did this for me, I would be so happy.
That being said, I feel this Debian situation was not handled properly. The current package should have been full feature, and then a new minimal version would have been more appropriate

Are you telling me that DT password is not strong enough?

Don't worry systemd-password-man is coming right up :).

It's funny that this maintainer is using the XZ incident as a reason, to validate his own "course correction". That's very pot calling kettle black.
As for the question: yes, I'm a KeePassXC user, but no, I am not (yet) affected, simply because I don't give a fuck about updates until something /needs/ an update.
So just like with XZ, I dodged a bullet through my ignorance. XZ was actually the first time I got worried enough to even bother checking the version I'm running, only to find out I was using the original version of the "emergency fix" revert.
And the more things like this happen, the more I feel validated in my reluctance to update shit. At first I only was like that because of Windows back then. Then Android started being just as much of a pain. And now Linux too. At this point, I feel like you should never update something once it's working to your liking.
Unless something like XZ happens and you're forced to update.

One of the reasons to use Arch. The packaging story is so much more chill and non elitist

Wtf... Should it not be implied that the base package *is* the full package?

Why would you even maintain the package of software you think is crappy??? Typical Canonical employee.

I disagree on having to read a random file on every package you update. The default should be "nothing has changed that could possibly break the app for my workflow", and if not, the package manager should **warn** about it, and offer an option to show the relevant changes.

I love Gentoo in that regard, I can disable and enable features with USE flags myself