Mayanter, a provider of assembly services for debian packages with password managers, recently made a significant change by offering a cut version of the popular program KeepassXC. This cut version only includes basic functionalities required for secure password storage on the local system, eliminating extended features such as network interaction, code for control through IPC, integration with web browsers, auto-vault functions for passwords, and support for Yubikey keys. The decision to release this cut version was to reduce the attack surface and enhance security and confidentiality. This change can be found in the debian sid (Unstable) and Testing repositories.
For users in need of the full version of KeepassXC, a separate package called keepassxc-full has been made available, which includes all the extended functionalities that were present in the original version. This move has led to some confusion and outrage among users who were accustomed to the old complete package. Some users have criticized the decision and have suggested that the cut version should be renamed as KeepassXC-Minimal to avoid any misunderstandings.
The developer of KeepassXC also expressed concerns about the negative impact this change could have on the reputation of the project. They emphasized that users might wrongly associate the loss of functionalities with the main project and create an unnecessary burden on the project’s developers. The distribution of a package under the same name but with significantly reduced functionalities raises questions about legitimacy.
Supporters of the change argue that each additional plugin introduces potential vulnerabilities and backdoors, hence the need for a cut version with reduced functionalities. The cut package is currently only available in the Unstable and Testing repositories, which are meant for testing purposes and not stable releases.
KeepassXC developers clarified that the functionalities present in the cut version are built-in and can be enabled in user settings, refuting claims about reliance on external libraries like Libyubikey. All the necessary components for supporting Yubikey keys are now integrated into the main codebase of KeepassXC.