keepassxc, 17 days ago

KeePassXC connects with the internet in only three situations:

1. to check for updates (we ask you first if you agree to that and this feature is disabled in downstream packages such as Debian's anyway)

2. when you manually click the button to download a website's favicon on the Edit Entry form

3. when you decide to check your credentials against the online Hibp service (again, by explicitly clicking a button).

2/4

keepassxc, 17 days ago

That's it. That's all that is removed from your build when you disable the flag. There is no web server running or anything, it's only client code requiring a manual action that is removed (as well as a link dependency to OpenSSL, which may be more significant).

3/4

keepassxc, 17 days ago

What this flag DOES NOT do is sandbox KeePassXC in any way. It will also not remove Qt's internal networking modules, since these are still required for certain offline functionality such as URL parsing and local sockets (blame Qt for not separating this functionality). It will also not prevent a local attacker from loading other DLLs/SOs/DYLIBs containing network code at runtime.

4/4

neo, 17 days ago

@keepassxc People that were going to fearmonger about this are not going to be stopped because of your wall of text. They will still say "THING BAD" without understanding what they're saying.

keepassxc, 17 days ago

@neo This is not for those spreading misinformation, it’s for those receiving it without knowing the context.

larsmb, 17 days ago

@keepassxc It does also break the browser plugin functionality though, right?

Also: keep up the great work, I love keepassxc.

keepassxc, 17 days ago

@larsmb Yes. Although that is a separate flag that was also turned off.

urig, 17 days ago

@keepassxc this might be a good opportunity to say a

BIG THANK YOU

to all of you, dear team members, for your hard effort put into one of the most useful FOSS tools available today to enhance personal data security.

Many thanks!

melroy, 16 days ago

@keepassxc I also don't agree with Debian maintainers. They just needed to leave the package as is. Create a minimal version if really wanted.

Arcaik, 16 days ago

@melroy @keepassxc That's what they did.

vintprox, 16 days ago

@Arcaik @melroy @keepassxc Sure, after stirring the pot that packager could avoid by, maybe, not shoving defaults major userbase didn't ask for.

Arcaik, 16 days ago

@vintprox @melroy @keepassxc Just install keepassxc-full and be done with it.

melroy, 16 days ago

@Arcaik @vintprox @keepassxc understood. But normal users are confused and from user perspective this is a bug, suddenly features are not working anymore.

melroy, 16 days ago

@Arcaik @keepassxc no. The debian maintainers created a minimal version using the existing package name.

r1w1s1, 17 days ago

@keepassxc many thanks guys!!! keep your great work!!!