GNU bug report logs - #27909
Replace keepassx with keepassxc


Package: guix-patches

Reported by: Efraim Flashner <efraim <at> flashner.co.il>

Date: Tue, 1 Aug 2017 15:09:02 UTC

Severity: normal

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.


From: Leo Famulari <leo <at> famulari.name>
To: Manolis Ragkousis <manolis837 <at> gmail.com>
Cc: 27909 <at> debbugs.gnu.org, Efraim Flashner <efraim <at> flashner.co.il>
Subject: [bug#27909] Replace keepassx with keepassxc
Date: Tue, 1 Aug 2017 17:17:40 -0400
On Tue, Aug 01, 2017 at 11:27:11PM +0300, Manolis Ragkousis wrote:
> Wouldn't it be a better option to keep both versions for the time being?
> Unless of course there is a security issue if we keep keepassx.

I think that using Qt-4 is a security issue because it's unmaintained
for a long while now, relative to its complexity.

But we still have it in Guix because some packages would have to be
removed if we remove it, and we don't have a clear or simple policy
about what to do in cases like that. By the way, I'm not suggesting we
need such a policy.

Eventually we should remove those things, because it's not great to
offer users programs that we suspect have security bugs.

If somebody started publishing details of how to exploit Qt-4 apps,
then I think the choice would be clear. But I haven't read any such
reports, so I don't know for sure that it's vulnerable. I think it's a
good bet, however.

This bug report was last modified 7 years and 284 days ago.
