unofficial mirror of guix-patches@gnu.org 
* [bug#27909] Replace keepassx with keepassxc
@ 2017-08-01 15:08 Efraim Flashner
  2017-08-01 19:43 ` Leo Famulari
  2017-08-16 15:10 ` bug#27909: " Ricardo Wurmus
  0 siblings, 2 replies; 8+ messages in thread
From: Efraim Flashner @ 2017-08-01 15:08 UTC (permalink / raw)
  To: 27909



The original keepassx hasn't seen much activity in quite a while, no
bugs fixed or features added. Keepassxc is the community fork of
keepassx.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #1.2: 0001-gnu-Add-keepassxc.patch --]
[-- Type: text/plain, Size: 2452 bytes --]

From e933a81a46dcdd48a34ba767145d490ffd892ef1 Mon Sep 17 00:00:00 2001
From: Efraim Flashner <efraim@flashner.co.il>
Date: Tue, 1 Aug 2017 18:02:40 +0300
Subject: [PATCH 1/2] gnu: Add keepassxc.

* gnu/packages/password-utils.scm (keepassxc): New variable.
---
 gnu/packages/password-utils.scm | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index 08591d108..cdd705956 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2015 Steve Sprang <scs@stevesprang.com>
-;;; Copyright © 2015, 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2015, 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2015 Aljosha Papsch <misc@rpapsch.de>
 ;;; Copyright © 2016 Christopher Allan Webber <cwebber@dustycloud.org>
 ;;; Copyright © 2016 Jessica Tallon <tsyesika@tsyesika.se>
@@ -75,6 +75,39 @@
 human.")
     (license license:gpl2)))
 
+(define-public keepassxc
+  (package
+    (name "keepassxc")
+    (version "2.2.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri (string-append "https://github.com/keepassxreboot/" name
+                           "/releases/download/" version "/keepassxc-"
+                           version "-src.tar.xz"))
+       (sha256
+        (base32
+         "0nby6aq6w8g7c9slzahf7i34sbj8majf8rhmqqww87v6kaypxi3i"))))
+    (build-system cmake-build-system)
+    (inputs
+     `(("libgcrypt" ,libgcrypt)
+       ("libxi" ,libxi)
+       ("libxtst" ,libxtst)
+       ("qtbase" ,qtbase)
+       ("qtx11extras" ,qtx11extras)
+       ("zlib" ,zlib)))
+    (native-inputs
+     `(("qttools" ,qttools)))
+    (home-page "https://www.keepassxc.org")
+    (synopsis "Password manager")
+    (description "KeePassXC is a password manager or safe which helps you to
+manage your passwords in a secure way.  You can put all your passwords in one
+database, which is locked with one master key or a key-file which can be stored
+on an external storage device.  The databases are encrypted using the
+algorithms AES or Twofish.")
+    ;; Non functional parts use various licences.
+    (license license:gpl3)))
+
 (define-public keepassx
   (package
     (name "keepassx")
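Review bot: the `license` field that closes the new `keepassxc` definition declares only `license:gpl3`, while the comment directly above it says the non-functional parts use various licences. Either list those licences in the field or name them in the comment, so the declaration can be checked against the tarball. In the `uri`, the path is built from `name` in one place and from the literal "keepassxc-" in another; using the same form in both keeps the URL readable. The commit message could also say how the `sha256` value was obtained, since that hash is what pins the build to this tarball.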
-- 
2.13.3


[-- Attachment #1.3: 0002-gnu-keepassx-Superseded-by-keepassxc.patch --]
[-- Type: text/plain, Size: 1003 bytes --]

From c4968c3f9cbf0f82c80a5b20203b7d763dd3e429 Mon Sep 17 00:00:00 2001
From: Efraim Flashner <efraim@flashner.co.il>
Date: Tue, 1 Aug 2017 18:04:43 +0300
Subject: [PATCH 2/2] gnu: keepassx: Superseded by keepassxc.

* gnu/packages/password-utils.scm (keepassx)[properties]: New field.
---
 gnu/packages/password-utils.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index cdd705956..bde1ea854 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -136,7 +136,8 @@ database, which is locked with one master key or a key-file which can be stored
 on an external storage device.  The databases are encrypted using the
 algorithms AES or Twofish.")
     ;; Non functional parts use various licences.
-    (license license:gpl3)))
+    (license license:gpl3)
+    (properties `((superseded . ,keepassxc)))))
 
 (define-public shroud
   (package
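Review bot: the added `properties` line gives no reason for the supersession, and the commit message only says "New field". A one-line comment above `(properties ...)` stating why `keepassx` is redirected to `keepassxc` would help later readers decide when the old definition can be removed. The unquoted `,keepassxc` also needs that variable to be defined by the time this form is evaluated, which holds only with patch 1/2 applied first, where it is placed above `keepassx`.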
-- 
2.13.3



* [bug#27909] Replace keepassx with keepassxc
  2017-08-01 15:08 [bug#27909] Replace keepassx with keepassxc Efraim Flashner
@ 2017-08-01 19:43 ` Leo Famulari
  2017-08-01 20:11   ` Efraim Flashner
  2017-08-16 15:10 ` bug#27909: " Ricardo Wurmus
  1 sibling, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2017-08-01 19:43 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 27909


On Tue, Aug 01, 2017 at 06:08:16PM +0300, Efraim Flashner wrote:
> The original keepassx hasn't seen much activity in quite a while, no
> bugs fixed or features added. Keepassxc is the community fork of
> keepassx.

The last keepassx release was in October 2016. That's not *that* long
unless there are some serious bugs in the program.

Are other distros replacing keepassx?

Is keepassxc a "seamless" replacement for keepassx, or would users maybe
have to adjust somehow?


* [bug#27909] Replace keepassx with keepassxc
  2017-08-01 19:43 ` Leo Famulari
@ 2017-08-01 20:11   ` Efraim Flashner
       [not found]     ` <CAFtzXzNLwfPYKMH17x1Lijhgevjr0-DvxBBw31QP6tYnNBUExg@mail.gmail.com>
  2017-08-01 21:12     ` Leo Famulari
  0 siblings, 2 replies; 8+ messages in thread
From: Efraim Flashner @ 2017-08-01 20:11 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 27909


On Tue, Aug 01, 2017 at 03:43:19PM -0400, Leo Famulari wrote:
> On Tue, Aug 01, 2017 at 06:08:16PM +0300, Efraim Flashner wrote:
> > The original keepassx hasn't seen much activity in quite a while, no
> > bugs fixed or features added. Keepassxc is the community fork of
> > keepassx.
> 
> The last keepassx release was in October 2016. That's not *that* long
> unless there are some serious bugs in the program.
> 

The maintainer is MIA. I'm not aware of serious bugs, other than it
still relying on Qt-4.

> Are other distros replacing keepassx?
> 

I don't believe Debian is, but there is active work on packaging
keepassxc. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855173

> Is keepassxc a "seamless" replacement for keepassx, or would users maybe
> have to adjust somehow?

It is supposed to be a seamless replacement, using the same .kdbx files
as keepassx.



-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


* [bug#27909] Replace keepassx with keepassxc
       [not found]       ` <CAFtzXzMoODFaqFjApZLHBZiQ+eHJ0qun71k7qpinX2rfXpdxug@mail.gmail.com>
@ 2017-08-01 20:27         ` Manolis Ragkousis
  2017-08-01 21:17           ` Leo Famulari
  0 siblings, 1 reply; 8+ messages in thread
From: Manolis Ragkousis @ 2017-08-01 20:27 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 27909


Wouldn't it be a better option to keep both versions for the time being?
Unless of course there is a security issue if we keep keepassx.

Manolis


* [bug#27909] Replace keepassx with keepassxc
  2017-08-01 20:11   ` Efraim Flashner
       [not found]     ` <CAFtzXzNLwfPYKMH17x1Lijhgevjr0-DvxBBw31QP6tYnNBUExg@mail.gmail.com>
@ 2017-08-01 21:12     ` Leo Famulari
  1 sibling, 0 replies; 8+ messages in thread
From: Leo Famulari @ 2017-08-01 21:12 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 27909


On Tue, Aug 01, 2017 at 11:11:50PM +0300, Efraim Flashner wrote:
> On Tue, Aug 01, 2017 at 03:43:19PM -0400, Leo Famulari wrote:
> > The last keepassx release was in October 2016. That's not *that* long
> > unless there are some serious bugs in the program.
> 
> The maintainer is MIA. I'm not aware of serious bugs, other than it
> still relying on Qt-4.

Ah, still using Qt-4 is my pet peeve! :) That means it will have to be
removed sooner or later.

> > Are other distros replacing keepassx?
> > 
> 
> I don't believe Debian is, but there is active work on packaging
> keepassxc. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855173
> 
> > Is keepassxc a "seamless" replacement for keepassx, or would users maybe
> > have to adjust somehow?
> 
> It is supposed to be a seamless replacement, using the same .kdbx files
> as keepassx.

Okay, I'll defer to what others think, especially since I'm not using
keepass*.


* [bug#27909] Replace keepassx with keepassxc
  2017-08-01 20:27         ` Manolis Ragkousis
@ 2017-08-01 21:17           ` Leo Famulari
  2017-08-02 18:28             ` Manolis Ragkousis
  0 siblings, 1 reply; 8+ messages in thread
From: Leo Famulari @ 2017-08-01 21:17 UTC (permalink / raw)
  To: Manolis Ragkousis; +Cc: 27909, Efraim Flashner


On Tue, Aug 01, 2017 at 11:27:11PM +0300, Manolis Ragkousis wrote:
> Wouldn't it be a better option to keep both versions for the time being?
> Unless of course there is a security issue if we keep keepassx.

I think that using Qt-4 is a security issue because it's been unmaintained
for a long while now, relative to its complexity.

But we still have it in Guix because some packages would have to be
removed if we remove it, and we don't have a clear or simple policy
about what to do in cases like that. By the way, I'm not suggesting we
need such a policy.

Eventually we should remove those things, because it's not great to
offer users programs that we suspect have security bugs.

If somebody started publishing details of how to exploit Qt-4 apps,
then I think the choice would be clear. But I haven't read any such
reports, so I don't know for sure that it's vulnerable. I think it's a
good bet, however.


* [bug#27909] Replace keepassx with keepassxc
  2017-08-01 21:17           ` Leo Famulari
@ 2017-08-02 18:28             ` Manolis Ragkousis
  0 siblings, 0 replies; 8+ messages in thread
From: Manolis Ragkousis @ 2017-08-02 18:28 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 27909

On 08/02/2017 12:17 AM, Leo Famulari wrote:
> On Tue, Aug 01, 2017 at 11:27:11PM +0300, Manolis Ragkousis wrote:
>> Wouldn't it be a better option to keep both versions for the time being?
>> Unless of course there is a security issue if we keep keepassx.
> 
> I think that using Qt-4 is a security issue because it's been unmaintained
> for a long while now, relative to its complexity.
> 
> But we still have it in Guix because some packages would have to be
> removed if we remove it, and we don't have a clear or simple policy
> about what to do in cases like that. By the way, I'm not suggesting we
> need such a policy.
> 
> Eventually we should remove those things, because it's not great to
> offer users programs that we suspect have security bugs.
> 
> If somebody started publishing details of how to exploit Qt-4 apps,
> then I think the choice would be clear. But I haven't read any such
> reports, so I don't know for sure that it's vulnerable. I think it's a
> good bet, however.
> 

I tested keepassxc locally and it opens my .kdbx file correctly. I think
there will be no problems with the change.

If no one else objects, please push your patch. We don't want a possible
security issue in the future. :)

Thank you,
Manolis


* bug#27909: Replace keepassx with keepassxc
  2017-08-01 15:08 [bug#27909] Replace keepassx with keepassxc Efraim Flashner
  2017-08-01 19:43 ` Leo Famulari
@ 2017-08-16 15:10 ` Ricardo Wurmus
  1 sibling, 0 replies; 8+ messages in thread
From: Ricardo Wurmus @ 2017-08-16 15:10 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: 27909-done


Efraim Flashner <efraim@flashner.co.il> writes:

> The original keepassx hasn't seen much activity in quite a while, no
> bugs fixed or features added. Keepassxc is the community fork of
> keepassx.

I’m closing this because I see that this is in master already.  (Commits
b7ac10e6da6e2199aa379fdfa19bd43ca8fddc4d and
99672f7b1d255b5cdac73870dfc272ca6799485b).

Thank you!

--
Ricardo

GPG: BCA6 89B6 3655 3801 C3C6  2150 197A 5888 235F ACAC
https://elephly.net
