Subject: [bug#27909] Replace keepassx with keepassxc
From: Manolis Ragkousis
To: Efraim Flashner
Cc: 27909@debbugs.gnu.org
Date: Wed, 2 Aug 2017 21:28:47 +0300

On 08/02/2017 12:17 AM, Leo Famulari wrote:
> On Tue, Aug 01, 2017 at 11:27:11PM +0300, Manolis Ragkousis wrote:
>> Wouldn't it be a better option to keep both versions for the time being?
>> Unless of course there is a security issue if we keep keepassx.
>
> I think that using Qt-4 is a security issue because it's been unmaintained
> for a long while now, relative to its complexity.
>
> But we still have it in Guix because some packages would have to be
> removed if we remove it, and we don't have a clear or simple policy
> about what to do in cases like that. By the way, I'm not suggesting we
> need such a policy.
>
> Eventually we should remove those things, because it's not great to
> offer users programs that we suspect have security bugs.
>
> If somebody started publishing details of how to exploit Qt-4 apps,
> then I think the choice would be clear. But I haven't read any such
> reports, so I don't know for sure that it's vulnerable. I think it's a
> good bet, however.
>

I tested keepassxc locally and it opens my .kdbx file correctly. I think
there will be no problems with the change.

If no one else objects, please push your patch. We don't want a possible
security issue in the future. :)

Thank you,
Manolis