Hah, the Linux version points you to the original website (only the Mac and Windows versions appear to be modified)! The year of the Linux desktop is truly here.
I've had discussions with coworkers on why you shouldn't ve downloading putty from putty.org. Sure, they seem to be linking to the official downloads now, but imho it's just poor hygiene to use such pages. It takes just a moment of carelessness to get pwned
Rather unfortunate that "putty.org" is the first result in searches and looks a lot more legit than "chiark.greenend.org.uk" even if it (currently) links there.
I've had discussions with coworkers on why they shouldn't look up "free online json beautifier" and dump thousands of lines of crown jewels into them (http too). Meanwhile we're doing web dev and JSON responses are autoformatted in Firefox dev tools so there's an amazingly convenient and perfectly safe alternative right there...
It's putty's own fault. They used to (and perhaps still do) have a section on how they don't want your donated domain - they like their current one.
From their FAQ:
> No, thank you. Even if you can find one (most of them seem to have been registered already, by people who didn't ask whether we actually wanted it before they applied), we're happy with the PuTTY web site being exactly where it is. It's not hard to find (just type ‘putty’ into google.com and we're the first link returned), and we don't believe the administrative hassle of moving the site would be worth the benefit.
PuTTY's been a thing for almost two decades at this point. That's quite a lot of inertia; It will take a lot more than three months for people to migrate, nevermind the people who aren't on W10.
This. And the benefit is it's easy to add your own fixes to your local version too. Stuff like removing the PerformSelfTest() call, adding items to the ListView in batch, item bounds checking when refreshing the ListView, etc. can quite noticeably speed up the UI, and random window focusing/sizing issues aren't too hard to fix either.
In a perfect world I would love to, but every time I've tried to submit improvements to open-source software I've come out extremely frustrated with how many hoops I have to jump through just to get my code properly considered, let alone merged. Half the time the developers are extremely resistant to changes and believe the change is wrong/unnecessary, or the current state is already correct, or that the changes are too big and/or not worth it, or that their upstream code is responsible, etc., and the other half the time they're admittedly quite welcoming but present hoops that on my end I simply don't feel like jumping through (like putting more personal info on the internet than I care to), especially when I'm already going out of my way to help people. Maybe you'd think the problem is with me, or maybe Dominic would be an exception in all regards, but wherever the problem is, I've grown very reluctant about the idea in general, so I just fix bugs on my own computer and let someone else who cares & has the time/energy to put up a real fight fix the issues for everyone else.
Then you're not going to the good people. Stop going through intermediaries, go straight for the source (package specific issues on Ubuntu must be reported to Ubuntu -like python not recognizing a new module-, but bad code inside the package must be dealt with with upstream).
> Half the time the developers are extremely resistant to changes and believe the change is wrong/unnecessary, or the current state is already correct, or that the changes are too big and/or not worth it, [...]
That's why I take the habit of jumping on IRC first, talking with devs a bit and trying to understand why I find a specific piece of code problematic.
I was trying to add support for i686 on an AUR package I maintain; quickly dismissed "we don't support i686 anymore anyway, just slap comments in your PKGBUILD and ship it".
I was working with the btrfs(8) util, which has the most horrific interface ever designed; "OK, we're not hostile to a new interface design, but you'll have to provide a comprehensive explanation of what you want and how it should behave".
And finally, documentation usually gets merged real fast (recently on cbsd(8) and nextcloud).[0][1]
I agree, that's why signed source code releases are the safest thing you can get.
Keepass has signed releases (including the source code archive) that can be checked with OpenPGP.
If you trust the signed source code there's no reason you shouldn't trust the signed binary - unless you have sufficient time and expertise to audit the source.
* Being open source protects against a malicious developer. Otherwise there is nothing preventing him to build the binary with a different source, and send the passwords to his own server.
* Signed code archive prevents against a compromised hosting site.
Are you imparting trust on checksums downloaded from the same source page?
Not implying you are but there is plenty of software where that is how they expect users to verify the integrity of the download. Useful for checking bit errors, but in the event that someone has replaced the binary then they could probably also replace the checksum...
I didnt think about that, but there's not always a reputable alternative checksum source.
I was thinking about all the times I had to download a windows ISO. And how microsoft had openly published what the checksum values were so I could verify this after downloading from a 3rd party
I would need to do more research here you make a good point
It doesn't have built-in syncing, unlike KeePass. So if you want cloud syncing you have to install an entire syncer on your file system just for the sake of that one program. The assumption that everyone has or wants an automatic behind-the-scenes file syncer installed on every system they use the program on is quite a big and incorrect one.
No, the question is what if you do want cloud syncing for your passwords (you need to sync with your phone somehow without manually uploading/downloading from a browser every time...), but unable or unwilling to install a background cloud syncer installed on every system you use KeePassXC on. People blindly suggest KeePassXC without realizing not everyone has or wants a cloud syncer installed on their entire system.
Pretty ironicly, Terms of use warn to be very careful when downloading files with an exe.,. Vbs,. Lnk,. Bat,. Sys, or a suffix com., Because these files may contain a virus or spyware !
It's a common technique used by hucksters, "here's some friendly advice ...", it's both an attempt to signal good intent and to load the mark with a subconscious sense of having been done a favour (and so needing to do a favour back to the huckster/salesman.
Not ironic: totally intentional marketing trick. It makes you more inclined to trust the provider of the warning. They seem knowledgable about something important, and they're sharing that information with you. More insidiously, it makes you less likely to apply the warning to them. Because (unconsciously you think this) why would someone warn you about a trick they themselves are trying to pull?
one of those "make money online"/"internet marketing" type people just wanting to get the affiliate commissions from a pay-per-install network of the PUP bundler type.
Unrelated to the topic, the article points out a lot of things about certificates in the URL bar. That got me to think about the URLs themselves, can I set my browser up so it displays the punycode representation of my url?
Examples? There's some subject and possession disagreement here and there ("Cette clé, que vous définissez ... accéder à tous ses autres mots de passe"), but otherwise looks pretty good.
