I gave up because pipx refuses to install urwid, and I think Debian's version is drumroll way too old. ;)
I wish pipx just had scli. There's an scli package in PyPI, but it's literally an empty placeholder for nothing.
Infuriating.
The funny part about the removal of networking from the default #keepassxc package on #debian, is that they did it for "security" reasons, without thinking that the MOST INSECURE way to transfer a #password to your #browser is via the CLIPBOARD. Absolutely every running app or service can read the clipboard! And yet, that's the default way they expect users to do it now!
🌀 16 years of CVE-2008-0166 - Debian OpenSSL Bug
— 16years.secvuln.info
"A patch in Debian's and Ubuntu's OpenSSL packages broke the random number generator, effectively limiting the number of possible keys to a few ten thousand plausible variations"
On the topic of "key rotation, it's not just for HTTPS", @hanno finds hundreds of DKIM keys apparently generated using the #Debian #OpenSSL predictable PRNG vulnerability from 2008 (CVE-2008-0166):
It's a pity that the maintainer of the Debian package hasn't even begun to understand the functionality of a password manager. In my opinion, a package maintainer is abusing his authority here. Ultimately, his approach harms Debian as a Linux distribution as a whole.
@goebbe @bluelupo but the other way round would be better and Debian-compliant: offer KeepassXC with the full feature set, as usual and expected, and alongside it a KeepassXC-tiny without the network and browser functions.
When the package maintainer doesn't even use the software he packages himself... I've got a massive headache again...
"...Klode writes that he is [...] removing these functions. These presumably served to fetch a website's favicon, the maintainer says. He assumes that most people would not want their password managers connecting somewhere without them knowing about it."
@wonka still, that's not the right way. If the package maintainer thinks he knows better than the developers, then he should fork the program and continue it under a name of his own.
Apart from that, it wouldn't be the first time that security vulnerabilities only arose or became exploitable because of improper patches.
@nixCraft Using it with Pi-Hole for a couple years or so, works like a charm!
Didn't know it has built-in support for blocking, but Pi-Hole at least has a great Web UI with stats et al. 😉
The whole #KeePassXC #Debian thing is kinda giving me second thoughts wrt. the whole #Linux distro and #opensource packaging thing in general. My understanding of the implied agreement between me as a dev and a distro's package maintainer is: the maintainer, to the best of their ability, tries to make my software work "as intended". In return, they get to publish it under my software's name.
That's clearly not how Debian views things. And I can't accept distros publishing broken sw w/ my name.
@deshipu Yeah, I get that. But the "threat model" here isn't really "someone else writes different software and releases it under the same name as my software", but "Debian takes my source code, breaks it in key ways, and releases it under the same name"
I see some people are really disappointed about Debian packaging a stripped-down version of KeePassXC. But hey, I actually wish there was also a minimal @thunderbird package without integrations of IRC or Matrix etc, just with core email functionality.
@thunderbird I joined Mozilla Connect just to submit this proposal. From what I've seen, submissions on there tend to be lengthy paragraphs lacking in clarity. I've written it in the structured style of Fedora changes, thanks to @Conan_Kudo :P
@triskelion @Conan_Kudo Okay, thanks not only for posting the submission AND for doing it with such an awesome template! (We're sort of a fan of Neal's here!)