Watching Linux distros (and yes, it is usually Debian packagers who act the most sanctimonious) shoot themselves in the face and then insult upstream AND the users of a popular package under the delusion that only the distro's self-declared experts are capable of making decisions is always a good reminder as to why you will never be able to waterboard me into using Linux as my primary desktop. Very sorry this is happening Team KeePassXC. https://fosstodon.org/@keepassxc/112417353193348720
Linked post from Team KeePassXC:

> Debian Users - Be aware the maintainer of the KeePassXC package for Debian has unilaterally decided to remove ALL features from it. You will need to switch to `keepassxc-full` to maintain capabilities once this lands outside of testing/sid.
The KeePassXC GitHub repo where Debian users are filing bugs (b/c people by default blame upstream, in part b/c the distros love to blame upstream for everything, even when the changes are clearly the packagers' fault) and the Debian packager responds by calling the software crap is my favorite part. https://github.com/keepassxreboot/keepassxc/issues/10725
Linked issue: Debian No-Feature KeePassXC Package · Issue #10725 · keepassxreboot/keepassxc

> Overview I'm using the Brave and Firefox browsers under Ubuntu testing using keepassxc version 2.7.7, suddenly the browser integration doesn't work anymore. So I went into the settings menu to enab...

@film_girl Fascinating read… seriously.

I’ve been around the block a few times with security folks and, let me tell you, this kind of dismissive discourse is far more common than you think.

Moreover, it has nothing really to do with open-source, per se. It’s just that we get to see (read) the back-and-forth that is otherwise obscured behind the walls of most corporations.

@drwhitt oh, I think it is very emblematic of a lot of the bad/toxic parts of open source culture. It isn’t unique to OSS, but OSS culture (and I’m a huge OSS fan, but we have to be able to call the baby ugly) empowers and promotes lots and lots of anti-social behavior and even worse, puts those people in power.
@film_girl That amount of contempt for users and upstream devs is pretty on-brand for Canonical and Red Hat employees, in my experience. Not sure where it comes from, you'd think that having social skills should be a requirement for professional open source work.

@film_girl

my favorite part was the call back to the xscreensaver fracas from days long gone by

part of the answer is the same now as then: The bugs from Debian users belong in Debian channels

(deleted & redrafted into the "my favorites" part of the thread)

@idlestate @film_girl but also that was the upstream dev being an ass hiding that time bomb message & generally sabotaging an orderly packaging process.
Other distros just patched that one out, while Debian tried to be nice and coordinate with upstream ...

This time, the Debian maintainer does seem kinda rude. And while I think the reasoning behind the change is sound, they're definitely late to the party and should really use a more delicate approach

On the other hand, this is what happens when you use the *testing* distribution.
I use stable because I don't want these kinds of changes. In two years, I might have to switch a few packages around when I switch to the next stable. And that's fine, because before I make that decision, I won't.
PS: I use Debian stable on my gaming rig. Backports kernel and bam, works. I don't see the motivation to use testing when you're not willing to be exposed to these processes.
If you wanna chase the latest version numbers, there are other distros for that ...
@kgMadee2 I agree with this but again, a change of this magnitude without any rational reason (I’m worried about future xz-like backdoors is not rational), especially when the features are turned off by default, and with Debian’s complete lack of willingness to alert users who now can’t access their password database b/c YubiKey support was removed, goes far beyond the RTFM expectations of using testing.
@kgMadee2 More disturbingly, these problems were found in testing and when users bring up the very real issues with this approach, the asshole packager has the nerve to insult upstream, insult users who use a password manager differently than him, and then has the temerity to call them “his” users. No. They use KeePassXC. They don’t belong to him just because they happen to use Debian.
@film_girl I agree on the communication issue: insulting everyone around is bad.
The change itself is just not that surprising to me: It would have to happen in unstable, then testing.
I want to avoid breaking changes myself, so I stick to stable.
@kgMadee2 But this will trickle down to stable! Ubuntu and all its derivatives use Debian testing for their repos and so that’s even more headache for upstream. And unless they have a CLI and GUI pop-up about the new keepassxc-full, existing users are still very much going to be out of the loop. There are ways to make this change and this was not the way.

@film_girl Debian stable? Sure, next release when Trixie steps up. That's, what, a year to go still? And even then there's another year of support for oldstable. When I finally upgrade to Trixie (or the one after that), I will have to look out for the things that have changed.
If I used unstable or testing as a daily driver, I'd (have to) be careful with any updates. Because that is where these changes are introduced before they go into the next stable release.

No, maintainers shouldn't insult upstream devs or users. But users obviously shouldn't be filing bugs upstream in the first place for issues that are explained in their distribution's release notes.

And if Ubuntu and others quietly, or blindly, just copy everything from Debian testing, that is their own fault and I again don't see why you would blame the next stage upstream for Ubuntu's mistakes.

@kgMadee2 I mean, I’m blaming Debian downstream because this is a problem that will proliferate for a year or longer. I’m not saying users shouldn’t be aware of what they are doing (but Debian testing is used by lots of distros and Debian knows this so saying don’t blame Debian for Ubuntu’s decisions, esp when this Debian maintainer works for Canonical doesn’t work when this has been status quo for 20 years), I’m saying this decision is bad and wrong.
@film_girl I just don't see why Debian should be responsible for whatever Ubuntu does further downstream. Surely they're aware of this issue by now and can re-package the -full package if that is what they/their users want and expect.
@kgMadee2 should be, no. But after 20 years, it’s obtuse to pretend/ignore that Debian changes don’t have broader impact is my point. So changes need to be more considerate. But the real loser is upstream, who already has a heavier burden just from Debian users, even advanced users who knowingly choose Sid, because they file bugs upstream instead of with Debian. In this case, the person who maintains the Ubuntu package is almost certainly the same person anyway. Because he works at Canonical.
@kgMadee2 the problem is unstable and testing find their way to downstream distros that have more normie users more quickly. And although I agree in theory that people who use unstable branches should read release notes, fundamentally breaking a package — which let’s be very clear here, is what this Debian packager did — for existing users and giving those users no info about that change, a change that includes removing a way some users might unlock the program (YubiKey), is anti-user and bad.

@kgMadee2

yeah, if it were me, I'd have gone through a keepassxc-minimal package with an aim to shuffle things around eventually, with more lead time

but part of the point is that it's *not* me

@film_girl

@film_girl

my second favorite part was

> "Is Debian now suckless.org?"

I can't resist the idea that this calls for the Astronauts by Earthshine "always has been" image macro

(to be fair Debian is a big project with a deep history, including a lot of people who do a lot better than that)

@film_girl

that said, minimalism's least problematic defenders even now tend to hail from the school of

"lol. complexity got you down? no worries! just gather enough privilege to roll your own bespoke bare-metal environment"

@film_girl as a person who this is totally going to affect, I don't see the big deal. "apt-get install keepassxc-full" and problem solved, right?

easier to do that than complain. adding a popup on first upgrade or putting a warning during upgrade could solve that though

@glassresistor ok, but how are users expected to know about this when this hits stable or Ubuntu or Mint and their various derivatives? All the user sees is that features they used to have enabled don’t work. Or that they now can’t access their password manager with their YubiKey. And Debian is historically very against any sort of user-alert. If there was actual user awareness, fine. But the response is “read the Debian.NEWS file” as if that is sufficient. And there should be complaints here!

@film_girl apt-get lets packages print warnings, idk if the guis show this. also a first start flag or a bunch of options

idk which is easiest, also don't know if i think full was better over minimal and debian guy seems like a jerk. originally i thought it was removing plugins not compile flags

just feels pretty small potatoes. like i suspect 50% of apt installing keepassxc people have now been informed

@glassresistor I just think it’s a lousy decision and incredibly anti-user and it’s going to cause a lot of problems for upstream because downstream made unilateral decisions about what is and isn’t necessary. This is like what they did to @jwz all over again, except somehow worse, b/c these changes could mean people with YubiKeys can’t access their databases without installing a new package and downstream doesn’t seem to care as long as they put the poorly-worded update in the NEWS file.
@film_girl but Christina, you don’t understand why *THEIR* walled garden is different actually.

@film_girl From a "bug" report linked in the replies to @keepassxc's toot:

> KeePassXC provides a cmake option (-DWITH_XC_NETWORKING=OFF) to disable networking support (like downloading the favicon or something). I believe most people don't want their password manager to connect somewhere they don't know, and it will improve user privacy.

Wonder how long it's been since these people used a computer. So strange.

@mambocab @keepassxc by doing this they also broke YubiKey support. So it's just great decisions all-around.
@film_girl @keepassxc Users doing things with software is a common security flaw, I see how package maintainers got there

@film_girl You do realize that all software engineering comes with drama, right? It's just in this case the dirty laundry is aired for the entire world to see.

I would love to be a fly on the wall for software release retrospectives, the "blameful post-mortem"

@johnmark no. Me, a person who loves drama and mess is completely unaware that software development comes with drama. That’s why I haven’t spent fully half my life enmeshed in open source circles. /s
@film_girl @keepassxc It's why I try to get Flatpaks from the software vendor directly.
@keyboardg @keepassxc I mean, this is the natural evolution. And I don’t always love Flatpak or Snaps, but I fully understand why so many pieces of software want to avoid the distro packagers at all costs. It’s a role that made a ton of sense 25 years ago. I think it is a role that still makes sense for non-GUI tools. But when packagers make decisions that negatively impact users without even communicating with upstream, that’s just not cool.
@film_girl I wonder how much of this is a knee jerk reaction to the xz compromise affecting Debian Sid due to liblzma being unexpectedly pulled in to sshd via libsystemd
@kitchens_sync the packager is using that as his justification. It’s idiotic is what it is. The two scenarios are completely different. And the features are all off by default. Users have to enable them. What he’s doing hasn’t improved security at all. He’s just broken stuff for a ton of users.
@film_girl what does this even have to do with “using Linux as my primary desktop”, smh
@luana @film_girl if you don't want the disadvantages of the distro package that's literally the point of flatpak/appimage or whatever
so like I don't get the argument.
seems to be completely unrelated jab just to piss off linux users
@Jessica @luana If some Linux users are so illiterate and lacking in cognitive abilities that they can’t read a post that is very obviously and unambiguously opinionated and about the author and author only (I said you couldn’t waterboard me into using Linux as my primary desktop, I didn’t say anything about anyone else) without getting pissed off, that’s on them.
@film_girl @luana but I mean you used an excuse to not use linux that doesn't exist
@Jessica @luana but it does exist. Your solution of app image or flat or snap doesn’t cover everything. It also ignores the past 25+ years of distros insisting they package everything. And I appreciate that commitment and consistency on the server. On the desktop, I have better things to do than fight with my distro over what version and what source of a package I can install. But all of this is my opinion. I don’t know why you are arguing with me over what I choose to use as my primary OS.
@film_girl @luana I'm not arguing over what you choose to use as a primary OS
I'm taking an issue with the fact that your argument still doesn't make any sense in this case.
I don't use Linux as my primary OS either and I can see straight through your argument. distros like ubuntu use snaps whenever possible anyways so "distro maintainers insist they package everything" isn't even true for the most popular linux distribution.
@Jessica putting aside the fact that there aren’t snaps or flatpaks or appimages for everything (not even close), and that those formats have their own problems, the most popular Ubuntu derivatives (Mint, Pop!_OS) don’t use snaps and are actively anti-snap (you have to install snapd yourself)! So no, distros very much want to control packaging and yes that includes Ubuntu. And the person who made this particular decision for Debian works at Canonical.
@film_girl if a company truly wanted control over all their packages they could simply not allow those containers
and all of this is a non-issue anyways because you just download the full version from the debian repos. all they did was separate a lite version for higher security and a full version for people who want the full version.
debian has always intentionally shipped light versions of the packages.
this is nothing new to do with debian.
I do think they could've handled it better IMO but at the same time I also don't think it's that big a deal
debian is for experienced users and ubuntu is for noobs.
@Jessica I’ve been using Linux and Debian longer than you have been alive, so you should really stop with the attitude that I don’t know what I’m talking about and that you somehow know better. You disagree with one of the reasons why I don’t use Linux as a primary desktop OS. Fine. But miss me with trying to act as if I don’t know how packaging works in this ecosystem. I do know how it works. My whole point was that that system is one of the reasons *I* don’t use Linux as my primary.
@Jessica I read your edited post after I sent my reply. I don’t think you actually grasp the problem with this change. It actively broke the program for users who rely on things like YubiKey support. There isn’t a notification beyond the NEWS file, so upstream has to handle it. And Ubuntu, Mint, Pop and others adopt the Debian apt repo. So this will trickle down. A snap or flatpak or appimage isn’t a solution when downstream actively breaks a package for users.
@film_girl that's the problem that upstream container formats solve
@Jessica @film_girl also, in the current case: use the stable branch, precisely zero drama.
@luana because for me, it’s yet another reminder of what a toxic clusterfuck and anti-user hellscape desktop Linux distros are, which means that for ME (the only person I’m speaking for), outside from my Steam Deck, I don’t run Linux as my primary desktop, even when I’m ideologically aligned.