Watching Linux distros (and yes, it is usually Debian packagers who act the most sanctimonious) shoot themselves in the face and then insult upstream AND the users of a popular package under the delusion that only the distro's self-declared experts are capable of making decisions is always a good reminder as to why you will never be able to waterboard me into using Linux as my primary desktop. Very sorry this is happening Team KeePassXC. https://fosstodon.org/@keepassxc/112417353193348720
Team KeePassXC (@keepassxc@fosstodon.org)

Debian Users - Be aware the maintainer of the KeePassXC package for Debian has unilaterally decided to remove ALL features from it. You will need to switch to `keepassxc-full` to maintain capabilities once this lands outside of testing/sid.

The KeePassXC GitHub repo where Debian users are filing bugs (b/c people by default blame upstream, in part b/c the distros love to blame upstream for everything, even when the changes are clearly the packager's fault) and the Debian packager responds by calling the software crap is my favorite part. https://github.com/keepassxreboot/keepassxc/issues/10725
Debian No-Feature KeePassXC Package · Issue #10725 · keepassxreboot/keepassxc

Overview I'm using the Brave and Firefox browsers under Ubuntu testing using keepassxc version 2.7.7, suddenly the browser integration doesn't work anymore. So I went into the settings menu to enab...


@film_girl Fascinating read… seriously.

I’ve been around the block a few times with security folks and, let me tell you, this kind of dismissive discourse is far more common than you think.

Moreover, it has nothing really to do with open-source, per se. It’s just that we get to see (read) the back-and-forth that is otherwise obscured behind the walls of most corporations.

@drwhitt oh, I think it is very emblematic of a lot of the bad/toxic parts of open source culture. It isn’t unique to OSS, but OSS culture (and I’m a huge OSS fan, but we have to be able to call the baby ugly) empowers and promotes lots and lots of anti-social behavior and even worse, puts those people in power.
@film_girl That amount of contempt for users and upstream devs is pretty on-brand for Canonical and Red Hat employees, in my experience. Not sure where it comes from, you'd think that having social skills should be a requirement for professional open source work.

@film_girl

my favorite part was the call back to the xscreensaver fracas from days long gone by

part of the answer is the same now as then: The bugs from Debian users belong in Debian channels

(deleted & redrafted into the "my favorites" part of the thread)

@idlestate @film_girl but also that was the upstream dev being an ass hiding that time bomb message & generally sabotaging an orderly packaging process.
Other distros just patched that one out, while Debian tried to be nice and coordinate with upstream ...

This time, the Debian maintainer does seem kinda rude. And while I think the reasoning behind the change is sound, they're definitely late to the party and should really use a more delicate approach

On the other hand, this is what happens when you use the *testing* distribution.
I use stable because I don't want these kinds of changes. In two years, I might have to switch a few packages around when I switch to the next stable. And that's fine, because before I make that decision, I won't.
PS: I use Debian stable on my gaming rig. Backports kernel and bam, works. I don't see the motivation to use testing when you're not willing to be exposed to these processes.
If you wanna chase the latest version numbers, there are other distros for that ...
@kgMadee2 I agree with this but again, a change of this magnitude without any rational reason (I’m worried about future xz-like backdoors is not rational), especially when the features are turned off by default, and with Debian’s complete lack of willingness to alert users who now can’t access their password database b/c YubiKey support was removed, goes far beyond the RTFM expectations of using testing.
@kgMadee2 More disturbingly, these problems were found in testing and when users bring up the very real issues with this approach, the asshole packager has the nerve to insult upstream, insult users who use a password manager differently than him, and then has the temerity to call them “his” users. No. They use KeePassXC. They don’t belong to him just because they happen to use Debian.
@film_girl I agree on the communication issue: insulting everyone around is bad.
The change itself is just not that surprising to me: It would have to happen in unstable, then testing.
I want to avoid breaking changes myself, so I stick to stable.
@kgMadee2 But this will trickle down to stable! Ubuntu and all its derivatives use Debian testing for their repos and so that’s even more headache for upstream. And unless they have a CLI and GUI pop-up about the new keepassxc-full, existing users are still very much going to be out of the loop. There are ways to make this change and this was not the way.

@film_girl Debian stable? Sure, next release when Trixie steps up. That's, what, a year to go still? And even then there's another year of support for oldstable. When I finally upgrade to Trixie (or the one after that), I will have to look out for the things that have changed.
If I used unstable or testing as a daily driver, I'd (have to) be careful with any updates. Because that is where these changes are introduced before they go into the next stable release.

No, maintainers shouldn't insult upstream devs or users. But users obviously shouldn't be filing bugs upstream in the first place for issues that are explained in their distribution's release notes.

And if Ubuntu and others quietly, or blindly, just copy everything from Debian testing, that is their own fault and I again don't see why you would blame the next stage upstream for Ubuntu's mistakes.

@kgMadee2 I mean, I’m blaming Debian downstream because this is a problem that will proliferate for a year or longer. I’m not saying users shouldn’t be aware of what they are doing (but Debian testing is used by lots of distros and Debian knows this so saying don’t blame Debian for Ubuntu’s decisions, esp when this Debian maintainer works for Canonical doesn’t work when this has been status quo for 20 years), I’m saying this decision is bad and wrong.
@film_girl I just don't see why Debian should be responsible for whatever Ubuntu does further downstream. Surely they're aware of this issue by now and can re-package the -full package if that is what they/their users want and expect
@kgMadee2 should be, no. But after 20 years, it’s obtuse to pretend/ignore that Debian changes don’t have broader impact is my point. So changes need to be more considerate. But the real loser is upstream, who already has a heavier burden just from Debian users, even advanced users who knowingly choose Sid, because they file bugs upstream instead of with Debian. In this case, the person who maintains the Ubuntu package is almost certainly the same person anyway. Because he works at Canonical.
@kgMadee2 the problem is unstable and testing find their way to downstream distros that have more normie users more quickly. And although I agree in theory that people who use unstable branches should read release notes, fundamentally breaking a package — which let’s be very clear here, is what this Debian packager did — for existing users and giving those users no info about that change, a change that includes removing a way some users might unlock the program (yubikey) is anti-user and bad.

@kgMadee2

yeah, if it were me, I'd have gone through a keepassxc-minimal package with an aim to shuffle things around eventually, with more lead time

but part of the point is that it's *not* me

@film_girl

@film_girl

my second favorite part was

> "Is Debian now suckless.org?"

I can't resist the idea that this calls for the Astronauts by Earthshine "always has been" image macro

(to be fair Debian is a big project with a deep history, including a lot of people who do a lot better than that)

@film_girl

that said, minimalism's least problematic defenders even now tend to hail from the school of

"lol. complexity got you down? no worries! just gather enough privilege to roll your own bespoke bare-metal environment"

@film_girl as a person who this is totally going to affect I don't see the big deal "apt-get install keepassxc-full" and problem solved right?

easier to do that than complain, adding a popup on first upgrade or putting a warning during upgrade could solve that though

@glassresistor ok, but how are users expected to know about this when this hits stable or Ubuntu or Mint and their various derivatives? All the user sees is that features they used to have enabled don’t work. Or that they now can’t access their password manager with their YubiKey. And Debian is historically very against any sort of user-alert. If there was actual user awareness, fine. But the response is “read the Debian.NEWS file” as if that is sufficient. And there should be complaints here!

@film_girl apt-get lets packages print warnings, idk if the guis show this. also a first start flag or a bunch of options

idk which is easiest, also don't know if i think full was better over minimal and debian guy seems like a jerk. originally i thought it was removing plugins not compile flags

just feels pretty small potatoes. like i suspect 50% of apt installing keepassxc people have now been informed

@glassresistor I just think it’s a lousy decision and incredibly anti-user and it’s going to cause a lot of problems for upstream because downstream made unilateral decisions about what is and isn’t necessary. This is like what they did to @jwz all over again, except somehow worse, b/c these changes could mean people with YubiKeys can’t access their databases without installing a new package and downstream doesn’t seem to care as long as they put the poorly-worded update in the NEWS file.