film_girl,
@film_girl@mastodon.social avatar

Watching Linux distros (and yes, it is usually Debian packagers who act the most sanctimonious) shoot themselves in the face and then insult upstream AND the users of a popular package under the delusion that only the distro's self-declared experts are capable of making decisions is always a good reminder as to why you will never be able to waterboard me into using Linux as my primary desktop. Very sorry this is happening Team KeePassXC. https://fosstodon.org/@keepassxc/112417353193348720

matdevdug,
@matdevdug@c.im avatar

@film_girl As someone who has spent a lot of time in this ecosystem, I’m gonna devil’s advocate this a bit.

Being a Debian maintainer is largely a thankless task. Your community are extremely hardcore privacy advocates who gladly make the trade off for less functionality to more privacy all the time. The software project you do this work for often doesn’t acknowledge your existence. The act of packaging stuff, keeping track of the project and all that associated work is a lot of headache.

Your package ends up being a massive percentage of the code’s usage around the globe but you are forced to effectively defend the project’s decisions against the Debian maintainers mailing list without having much active say in how the project develops.

It’s a lot of drama that largely goes without any public acknowledgement of what you are doing. So I can see how this happened, even if the result in this case was wrong.

film_girl,
@film_girl@mastodon.social avatar

@matdevdug in general, I agree with you. But thankless task or not, this maintainer decided to make decisions without even trying to coordinate for upstream — problems that will primarily affect upstream, and not this person or Debian — and did it in a way that will be most disruptive. And then when faced with the edge cases and problems of his own making, this asshole decides to insult the project and its users. Users he then claims belong to him.

matdevdug,
@matdevdug@c.im avatar

@film_girl I mean in this situation no question the maintainer made the wrong call. Like as much as I wanna go to bat for maintainers this is pretty indefensible.

film_girl,
@film_girl@mastodon.social avatar

@matdevdug I don’t like criticizing maintainers either but decisions like this are why so many developers are trying to cut the middleman of the packagers altogether for the much clunkier world of flatpaks and snaps and appimages. And it’s frustrating to see.

keyboardg,
@keyboardg@mastodon.social avatar

@film_girl @keepassxc It's why I try to get Flatpaks from the software vendor directly.

film_girl,
@film_girl@mastodon.social avatar

@keyboardg @keepassxc I mean, this is the natural evolution. And I don’t always love Flatpak or Snaps, but I fully understand why so many pieces of software want to avoid the distro packagers at all costs. It’s a role that made a ton of sense 25 years ago. I think it is a role that still makes sense for non-GUI tools. But when packagers make decisions that negatively impact users without even communicating with upstream, that’s just not cool.

johnmark,
@johnmark@freeradical.zone avatar

@film_girl You do realize that all software engineering comes with drama, right? It's just in this case the dirty laundry is aired for the entire world to see.

I would love to be a fly on the wall for software release retrospectives, the "blameful post-mortem"

film_girl,
@film_girl@mastodon.social avatar

@johnmark no. Me, a person who loves drama and mess is completely unaware that software development comes with drama. That’s why I haven’t spent fully half my life enmeshed in open source circles. /s

film_girl,
@film_girl@mastodon.social avatar

The KeePassXC GitHub repo where Debian users are filing bugs (b/c people by default blame upstream, in part b/c the distros love to blame upstream for everything, even when the changes are clearly the packager's fault) and the Debian packager responds by calling the software crap is my favorite part. https://github.com/keepassxreboot/keepassxc/issues/10725

falken,
@falken@qoto.org avatar

@film_girl "read every NEWS or get off my lawn". Wow.

drwhitt,
@drwhitt@mastodon.social avatar

@film_girl Fascinating read… seriously.

I’ve been around the block a few times with security folks and, let me tell you, this kind of dismissive discourse is far more common than you think.

Moreover, it has nothing really to do with open-source, per se. It’s just that we get to see (read) the back-and-forth that is otherwise obscured behind the walls of most corporations.

film_girl,
@film_girl@mastodon.social avatar

@drwhitt oh, I think it is very emblematic of a lot of the bad/toxic parts of open source culture. It isn’t unique to OSS, but OSS culture (and I’m a huge OSS fan, but we have to be able to call the baby ugly) empowers and promotes lots and lots of anti-social behavior and even worse, puts those people in power.

idlestate,
@idlestate@mastodon.sdf.org avatar

@film_girl

my favorite part was the call back to the xscreensaver fracas from days long gone by

part of the answer is the same now as then: The bugs from Debian users belong in Debian channels

(deleted & redrafted into the "my favorites" part of the thread)

kgMadee2,
@kgMadee2@mathstodon.xyz avatar

@idlestate @film_girl but also that was the upstream dev being an ass hiding that time bomb message & generally sabotaging an orderly packaging process.
Other distros just patched that one out, while Debian tried to be nice and coordinate with upstream ...

This time, the Debian maintainer does seem kinda rude. And while I think the reasoning behind the change is sound, they're definitely late to the party and should really use a more delicate approach

kgMadee2,
@kgMadee2@mathstodon.xyz avatar

On the other hand, this is what happens when you use the testing distribution.
I use stable because I don't want these kinds of changes. In two years, I might have to switch a few packages around when I switch to the next stable. And that's fine, because before I make that decision, I won't.

kgMadee2,
@kgMadee2@mathstodon.xyz avatar

PS: I use Debian stable on my gaming rig. Backports kernel and bam, works. I don't see the motivation to use testing when you're not willing to be exposed to these processes.
If you wanna chase the latest version numbers, there are other distros for that ...

film_girl,
@film_girl@mastodon.social avatar

@kgMadee2 I agree with this but again, a change of this magnitude without any rational reason (I’m worried about future xz-like backdoors is not rational), especially when the features are turned off by default, and with Debian’s complete lack of willingness to alert users who now can’t access their password database b/c YubiKey support was removed, goes far beyond the RTFM expectations of using testing.

film_girl,
@film_girl@mastodon.social avatar

@kgMadee2 More disturbingly, these problems were found in testing and when users bring up the very real issues with this approach, the asshole packager has the nerve to insult upstream, insult users who use a password manager differently than him, and then has the temerity to call them “his” users. No. They use KeePassXC. They don’t belong to him just because they happen to use Debian.

kgMadee2,
@kgMadee2@mathstodon.xyz avatar

@film_girl I agree on the communication issue: insulting everyone around is bad.
The change itself is just not that surprising to me: It would have to happen in unstable, then testing.
I want to avoid breaking changes myself, so I stick to stable.

film_girl,
@film_girl@mastodon.social avatar

@kgMadee2 But this will trickle down to stable! Ubuntu and all its derivatives use Debian testing for their repos and so that’s even more headache for upstream. And unless they have a CLI and GUI pop-up about the new keepassxc-full, existing users are still very much going to be out of the loop. There are ways to make this change and this was not the way.

kgMadee2,
@kgMadee2@mathstodon.xyz avatar

@film_girl Debian stable? Sure, next release when Trixie steps up. That's, what, a year to go still? And even then there's another year of support for oldstable. When I finally upgrade to Trixie (or the one after that), I will have to look out for the things that have changed.
If I used unstable or testing as a daily driver, I'd (have to) be careful with any updates. Because that is where these changes are introduced before they go into the next stable release.

No, maintainers shouldn't insult upstream devs or users. But users obviously shouldn't be filing bugs upstream in the first place for issues that are explained in their distribution's release notes.

And if Ubuntu and others quietly, or blindly, just copy everything from Debian testing, that is their own fault and I again don't see why you would blame the next stage upstream for Ubuntu's mistakes.

film_girl,
@film_girl@mastodon.social avatar

@kgMadee2 I mean, I’m blaming Debian downstream because this is a problem that will proliferate for a year or longer. I’m not saying users shouldn’t be aware of what they are doing (but Debian testing is used by lots of distros and Debian knows this so saying don’t blame Debian for Ubuntu’s decisions, esp when this Debian maintainer works for Canonical doesn’t work when this has been status quo for 20 years), I’m saying this decision is bad and wrong.

kgMadee2,
@kgMadee2@mathstodon.xyz avatar

@film_girl I just don't see why Debian should be responsible for whatever Ubuntu does further downstream. Surely they're aware of this issue by now and can re-package the -full package if that is what they/their users want and expect

film_girl,
@film_girl@mastodon.social avatar

@kgMadee2 should be, no. But after 20 years, it’s obtuse to pretend/ignore that Debian changes don’t have broader impact is my point. So changes need to be more considerate. But the real loser is upstream, who already has a heavier burden just from Debian users, even advanced users who knowingly choose Sid, because they file bugs upstream instead of with Debian. In this case, the person who maintains the Ubuntu package is almost certainly the same person anyway. Because he works at Canonical.

glassresistor,
@glassresistor@sfba.social avatar

@film_girl as a person who this is totally going to affect I don't see the big deal "apt-get install keepassxc-full" and problem solved right?

easier to do that than complain, adding a popup on first upgrade or putting a warning during upgrade could solve that though

film_girl,
@film_girl@mastodon.social avatar

@glassresistor ok, but how are users expected to know about this when this hits stable or Ubuntu or Mint and their various derivatives? All the user sees is that features they used to have enabled don’t work. Or that they now can’t access their password manager with their YubiKey. And Debian is historically very against any sort of user-alert. If there was actual user awareness, fine. But the response is “read the Debian.NEWS file” as if that is sufficient. And there should be complaints here!

glassresistor,
@glassresistor@sfba.social avatar

@film_girl apt-get lets packages print warnings, idk if the guis show this. also a first start flag or a bunch of options

idk which is easiest, also don't know if i think full was better over minimal and debian guy seems like a jerk. originally i thought it was removing plugins not compile flags

just feels pretty small potatoes. like i suspect 50% of apt installing keepassxc people have now been informed

film_girl,
@film_girl@mastodon.social avatar

@glassresistor I just think it’s a lousy decision and incredibly anti-user and it’s going to cause a lot of problems for upstream because downstream made unilateral decisions about what is and isn’t necessary. This is like what they did to @jwz all over again, except somehow worse, b/c these changes could mean people with YubiKeys can’t access their databases without installing a new package and downstream doesn’t seem to care as long as they put the poorly-worded update in the NEWS file.

moelassus,
@moelassus@mastodon.social avatar

@film_girl @keepassxc Even FOSS isn’t immune from enshittification. It’s just a more personality-driven form, vs revenue seeking.

film_girl,
@film_girl@mastodon.social avatar

@moelassus @keepassxc FOSS not only isn’t immune, it’s ground-zero for the whole concept.

mambocab,
@mambocab@alcove.website avatar

@film_girl From a "bug" report linked in the replies to @keepassxc's toot:

> KeePassXC provides a cmake option (-DWITH_XC_NETWORKING=OFF) to disable networking support (like download the favicon something). I believe most of the people don't want their password manager to connect somewhere they don't know and it will improve user privacy.

Wonder how long it's been since these people used a computer. So strange.

film_girl,
@film_girl@mastodon.social avatar

@mambocab @keepassxc by doing this they also broke YubiKey support. So it's just great decisions all-around.
