GNU bug report logs - #27909: Replace keepassx with keepassxc
Report forwarded to guix-patches <at> gnu.org: bug#27909; Package guix-patches. (Tue, 01 Aug 2017 15:09:02 GMT)
Acknowledgement sent to Efraim Flashner <efraim <at> flashner.co.il>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 01 Aug 2017 15:09:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
The original keepassx hasn't seen much activity in quite a while, no
bugs fixed or features added. Keepassxc is the community fork of
keepassx.
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[0001-gnu-Add-keepassxc.patch (text/plain, attachment)]
[0002-gnu-keepassx-Superseded-by-keepassxc.patch (text/plain, attachment)]
Information forwarded to guix-patches <at> gnu.org: bug#27909; Package guix-patches. (Tue, 01 Aug 2017 19:44:01 GMT)
Message #8 received at 27909 <at> debbugs.gnu.org:
On Tue, Aug 01, 2017 at 06:08:16PM +0300, Efraim Flashner wrote:
> The original keepassx hasn't seen much activity in quite a while, no
> bugs fixed or features added. Keepassxc is the community fork of
> keepassx.
The last keepassx release was in October 2016. That's not *that* long
unless there are some serious bugs in the program.
Are other distros replacing keepassx?
Is keepassxc a "seamless" replacement for keepassx, or would users maybe
have to adjust somehow?
Information forwarded to guix-patches <at> gnu.org: bug#27909; Package guix-patches. (Tue, 01 Aug 2017 20:12:02 GMT)
Message #11 received at 27909 <at> debbugs.gnu.org:
On Tue, Aug 01, 2017 at 03:43:19PM -0400, Leo Famulari wrote:
> On Tue, Aug 01, 2017 at 06:08:16PM +0300, Efraim Flashner wrote:
> > The original keepassx hasn't seen much activity in quite a while, no
> > bugs fixed or features added. Keepassxc is the community fork of
> > keepassx.
>
> The last keepassx release was in October 2016. That's not *that* long
> unless there are some serious bugs in the program.
>
The maintainer is MIA. I'm not aware of serious bugs, other than it
still relying on Qt-4.
> Are other distros replacing keepassx?
>
I don't believe Debian is, but there is active work on packaging
keepassxc. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855173
> Is keepassxc a "seamless" replacement for keepassx, or would users maybe
> have to adjust somehow?
It is supposed to be a seamless replacement, using the same .kdbx files
as keepassx.
--
Efraim Flashner <efraim <at> flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Information forwarded to guix-patches <at> gnu.org: bug#27909; Package guix-patches. (Tue, 01 Aug 2017 20:28:02 GMT)
Message #14 received at 27909 <at> debbugs.gnu.org:
Wouldn't it be a better option to keep both versions for the time being?
Unless of course there is a security issue if we keep keepassx.
Manolis
Information forwarded to guix-patches <at> gnu.org: bug#27909; Package guix-patches. (Tue, 01 Aug 2017 21:13:01 GMT)
Message #17 received at 27909 <at> debbugs.gnu.org:
On Tue, Aug 01, 2017 at 11:11:50PM +0300, Efraim Flashner wrote:
> On Tue, Aug 01, 2017 at 03:43:19PM -0400, Leo Famulari wrote:
> > The last keepassx release was in October 2016. That's not *that* long
> > unless there are some serious bugs in the program.
>
> The maintainer is MIA. I'm not aware of serious bugs, other than it
> still relying on Qt-4.
Ah, still using Qt-4 is my pet peeve! :) That means it will have to be
removed sooner or later.
> > Are other distros replacing keepassx?
> >
>
> I don't believe Debian is, but there is active work on packaging
> keepassxc. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855173
>
> > Is keepassxc a "seamless" replacement for keepassx, or would users maybe
> > have to adjust somehow?
>
> It is supposed to be a seamless replacement, using the same .kdbx files
> as keepassx.
Okay, I'll defer to what others think, especially since I'm not using
keepass*.
Information forwarded to guix-patches <at> gnu.org: bug#27909; Package guix-patches. (Tue, 01 Aug 2017 21:18:02 GMT)
Message #20 received at 27909 <at> debbugs.gnu.org:
On Tue, Aug 01, 2017 at 11:27:11PM +0300, Manolis Ragkousis wrote:
> Wouldn't it be a better option to keep both versions for the time being?
> Unless of course there is a security issue if we keep keepassx.
I think that using Qt-4 is a security issue because it's been unmaintained
for a long while now, relative to its complexity.
But we still have it in Guix because some packages would have to be
removed if we remove it, and we don't have a clear or simple policy
about what to do in cases like that. By the way, I'm not suggesting we
need such a policy.
Eventually we should remove those things, because it's not great to
offer users programs that we suspect have security bugs.
If somebody started publishing details of how to exploit Qt-4 apps,
then I think the choice would be clear. But I haven't read any such
reports, so I don't know for sure that it's vulnerable. I think it's a
good bet, however.
Information forwarded to guix-patches <at> gnu.org: bug#27909; Package guix-patches. (Wed, 02 Aug 2017 18:29:01 GMT)
Message #23 received at 27909 <at> debbugs.gnu.org:
On 08/02/2017 12:17 AM, Leo Famulari wrote:
> On Tue, Aug 01, 2017 at 11:27:11PM +0300, Manolis Ragkousis wrote:
>> Wouldn't it be a better option to keep both versions for the time being?
>> Unless of course there is a security issue if we keep keepassx.
>
> I think that using Qt-4 is a security issue because it's been unmaintained
> for a long while now, relative to its complexity.
>
> But we still have it in Guix because some packages would have to be
> removed if we remove it, and we don't have a clear or simple policy
> about what to do in cases like that. By the way, I'm not suggesting we
> need such a policy.
>
> Eventually we should remove those things, because it's not great to
> offer users programs that we suspect have security bugs.
>
> If somebody started publishing details of how to exploit Qt-4 apps,
> then I think the choice would be clear. But I haven't read any such
> reports, so I don't know for sure that it's vulnerable. I think it's a
> good bet, however.
>
I tested keepassxc locally and it opens my .kdbx file correctly. I think
there will be no problems with the change.
If no one else objects, please push your patch. We don't want a possible
security issue in the future. :)
Thank you,
Manolis
Reply sent to Ricardo Wurmus <rekado <at> elephly.net>: You have taken responsibility. (Wed, 16 Aug 2017 15:12:02 GMT)
Notification sent to Efraim Flashner <efraim <at> flashner.co.il>: bug acknowledged by developer. (Wed, 16 Aug 2017 15:12:02 GMT)
Message #28 received at 27909-done <at> debbugs.gnu.org:
Efraim Flashner <efraim <at> flashner.co.il> writes:
> The original keepassx hasn't seen much activity in quite a while, no
> bugs fixed or features added. Keepassxc is the community fork of
> keepassx.
I’m closing this because I see that this is in master already. (Commits
b7ac10e6da6e2199aa379fdfa19bd43ca8fddc4d and
99672f7b1d255b5cdac73870dfc272ca6799485b).
Thank you!
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 14 Sep 2017 11:24:04 GMT)
This bug report was last modified 7 years and 284 days ago.