Summer's Words

Place your Bets: KeePassXC vs Debian

The internet has recently become ablaze with a Debian maintainer (once again forgetting to pull from upstream for 10 years straight) changing build flags with little notice.

The timeline

2020-03-10

KeePassXC provides a cmake option (-DWITH_XC_NETWORKING=OFF) to disable networking support (like downloading the favicon or something). I believe most people don't want their password manager to connect somewhere they don't know, and it will improve user privacy.

2022-12-27 - On behalf of Julian Andres Klode (Debian maintainer)

Added tag(s) pending

2024-04-23 - On behalf of Julian Andres Klode (Debian maintainer)

We believe that the bug you reported is fixed in the latest version of keepassxc, which is due to be installed in the Debian FTP archive.

2024-05-10 - Jonathan White (KeePassXC developer)

[Julian Andres Klode] this needs to be reverted asap. This is now our fourth bug report because of the decision to neuter the base KeePassXC package in Debian.

2024-05-10 - Julian Andres Klode (Debian maintainer)

[No]

2024-05-10 - Janek Bevendorff (KeePassXC developer)

I think this is a fundamental misunderstanding of the relationship between lines and code and attack surface. Bugs are not directly CAUSED by more code, though there is a strong correlation between more code and more bugs. So far I do agree. However, this is not something that can be rectified by more ifdef guards. Bugs are correlated with lines of source code, not with binary size. More ifdef guards mean MORE source code, therefore MORE bugs.

2024-05-11 - Julian Andres Klode (Debian maintainer)

People are just acting very suspicious, trying to push new features or new upstream releases in without giving it any review or thought.

The upstream developments have been very concerning, I can't be the only one feeling that way.

In fact I know I'm not the only one feeling that way because I've had users tell me. Actually security engineers too.

2024-05-11 - Julian Andres Klode (Debian maintainer)

I think renaming the package to keepassxc-minimal will make it much clearer, and I'll try to do that and I hope it gets accepted.

I'm very torn on the upgrade path with a transitional keepassxc package, we can depend on keepassxc-minimal|keepassxc-full or the other way around.

Once we drop the transitional package is when things become nice: apt install keepassxc will tell you that there's a minimal and a full, and you can select it.

2024-05-11 - Julian Andres Klode (Debian maintainer)

What happens with keepassxc packaging is exactly the same thing what happened with xz-utils.

People demand new upstream releases getting merged quickly, some with upload rights threaten to upload them themselves, people "helpfully" package new upstream versions for you. I employ a 0 trust model, so I need to redo it all anyway to make sure it was not tampered with.

Now they may be honest, but after being burned out by time_t and then xz-utils you can understand I'm very cautious.

2024-05-14 - Team KeePassXC

Let us be clear: KeePassXC does NOT "randomly" connect to the internet in the background, regardless of whether you build with the flag on or off. Claims to the contrary of KeePassXC "surfing in the background" or "calling home" are false.

KeePassXC connects with the internet in only three [manually started] situations

That's it. That's all that is removed from your build when you disable the flag. There is no web server running or anything, it's only client code requiring a manual action that is removed (as well as a link dependency to OpenSSL, which may be more significant).

What this flag DOES NOT do is sandbox KeePassXC in any way. It will also not remove Qt's internal networking modules, since these are still required for certain offline functionality such as URL parsing and local sockets (blame Qt for not separating this functionality). It will also not prevent a local attacker from loading other DLLs/SOs/DYLIBs containing network code at runtime.
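Added example, not from the post, the Debian packaging, or KeePassXC itself: a POSIX shell wrapper that tells a full build from a minimal one by the OpenSSL link dependency the statement mentions, then launches the binary with no network access at all, since the flag is not a sandbox. It assumes firejail or util-linux unshare is installed; the binary path is whatever you pass in.

```shell
#!/bin/sh
# Added example; not part of the post, Debian's packaging, or KeePassXC.
# The statement above says the networking flag removes client code plus the
# OpenSSL link dependency, and that it does NOT sandbox the binary. So:
# (1) tell full from minimal by the linked libraries, (2) run the binary
# inside an empty network namespace regardless of which build it is.

# List the shared libraries an ELF binary declares it needs.
# readelf only parses the file; ldd may run the loader, so it is the fallback.
needed_libs() {
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$1" 2>/dev/null | sed -n 's/.*Shared library: \[\(.*\)\]/\1/p'
    else
        ldd "$1" 2>/dev/null | awk '{print $1}'
    fi
}

# Print "full" when the binary links OpenSSL (networking build), else "minimal".
keepassxc_variant() {
    if needed_libs "$1" | grep -Eq '^lib(ssl|crypto)\.so'; then
        echo full
    else
        echo minimal
    fi
}

# Command line that denies all network access to whatever is launched:
# firejail if installed, otherwise an unprivileged user+network namespace.
netless_cmd() {
    if command -v firejail >/dev/null 2>&1; then
        echo "firejail --net=none $*"
    else
        echo "unshare --user --map-root-user --net $*"
    fi
}

# Report the build variant, then launch with no network.
main() {
    bin="${1:-$(command -v keepassxc)}"
    [ -n "$bin" ] || { echo "keepassxc not found" >&2; return 1; }
    echo "$bin: $(keepassxc_variant "$bin") build"
    cmd=$(netless_cmd "$bin")
    echo "launching: $cmd"
    $cmd
}

# Usage: ./keepassxc-netless.sh /usr/bin/keepassxc (hypothetical script name)
if [ $# -gt 0 ]; then main "$@"; fi
```

The variant check is a heuristic (OpenSSL can be linked for other reasons in other builds), so treat "full" as a prompt to inspect, and rely on the namespace rather than the flag for actual isolation.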

The bet

So, what'll it be? $10 on no backdoors (and/or, if there is a backdoor, that it's not affected by build flags) in the next X years? Or $10 on backdoors that get blocked by the build flags?

What I'm betting on

I don't know! Hard decision, and there are not many other options for a multi-platform password manager, so I'm probably staying on (sandboxed) KeePassXC.

#place-your-bets