by taviso 743 days ago
I dunno, I think Debian are being wise here.

A while ago KeePassXC published a glowing audit report, but the report just ignored the scary stuff -- i.e. the things being disabled here like browser integration. I took a quick look, and thought the design could use some work -- but when I tried to discuss it they were very dismissive.

I did file a bug for one of the vulnerabilities we discussed, but I don't think they changed anything and didn't seem interested.

1 comments

This also disabled features which increased security, like the browser plugin. The browser plugin increases the attack surface by adding more code but at the same time does a lot for security by making sure to check domain names and avoid using the quite vulnerable X clipboard.

With the argument of the maintainer he might as well delete the package since without any functionality nothing can be exploited.

Never used browser or clipboard

I always thought KeePass's key feature was the 'Global Auto-Type' that works in most applications