Keepassxc-browser: Recommended method for "ordinary" Debian users to keep extension compatible with KeePassXC?

Created on 6 Apr 2020 · 5 Comments · Source: keepassxreboot/keepassxc-browser

Expected Behavior

Background: How ordinary users are supposed to use Debian

So, speaking as an ordinary Debian user, the expected behavior is that I install KeePassXC from the Debian stable repository (note: currently version 2.3.4), then install the browser extension through my browser, and the two will be compatible.

Current Behavior

Updates to the browser extension (appear to) occasionally break compatibility with the version of KeePassXC in the Debian stable repository. I've seen this mentioned in various issues here. For whatever it's worth, the problems that _I_, for one, happen to be experiencing are the same as those described in #831.

Visiting the KeePassXC website for help, I noticed that the Download page links to a Sid package as _the_ Debian package(!), with no warning or explanation for that unusual (and problematic) selection.

The only other Debian option listed there is an "Unofficial" Debian package, advertised to work with "wheezy, jessie & stretch". First, this leaves users of the current Debian stable, "Buster", apparently without an option. And, second, the GitHub repository for that unofficial package notes that it no longer receives updates, and it instructs users to install the official Debian package, from the Debian repositories, after all.

Some comments on issues here lead me to believe that, at least in some cases, the recommendation given to ordinary Debian users has been to use Debian's Backports repository. However, while KeePassXC _was_ available in the Backports repository of the previous Debian stable release ("Stretch"), it does not appear to be in Buster's Backports.

Possible Solution

For the sake of ordinary Debian users like me, it would be great for the KeePassXC website and documentation to give clear guidance concerning this.

  1. Am I correct in thinking that there is no effort, on the side of the KeePassXC browser extension project, to ensure compatibility between the browser extension and the version of KeePassXC in the Debian stable repository? [Note, for those unfamiliar with Debian: as I understand it, once the stable release is frozen, only security updates can be applied to packages therein. So the maintainer of the stable Debian package can only do so much.] If so, would it be possible to add a warning to that effect somewhere on the KeePassXC website or documentation? Would it also make sense to request that a warning be added to the description of the package in Debian stable?

  2. Is there any possibility of, or interest in, adding KeePassXC to Buster's Backports repository? (Unlike Sid, Backports is easy, and unproblematic, to use for ordinary users.)

  3. If not, is the Sid package really the project's "official" recommendation for Debian users?

  4. Does it make sense to remove the link to the outdated "unofficial" package from the Download page?

  5. In any case, if the recommended solution requires breaking any of the four Debian "rules" I listed above, it might be helpful to note that explicitly and briefly explain why.

As you're probably aware, KeePassXC is a, or _the_, recommended password manager on a number of popular websites that target "ordinary" users looking for free and open-source software (PRISM Break, Privacy Tools)—and those same websites recommend Debian. So I have to imagine that this is a confusion arising for a number of users.

Thanks for the help and for the great software.

Debug info

KeePassXC - 2.3.4
KeePassXC-Browser - 1.6.2
Operating system: Debian stable 10.3 ("Buster")
Browser: Firefox 68.6.1esr

discussion not a bug

All 5 comments

There are two fantastic options that immediately solve your problem. You skipped over them on our downloads page. Unfortunately when the "ordinary user" decides to use Debian you can very easily get stuck in a significant version rut. We are certainly not the only software stuck in these ruts. Ubuntu, being a derivative of Debian, is plagued with the same issues. This is the main reason they introduced Snap packages; there is also a KeePassXC Flatpak that is unofficial.

To directly answer your question, no we do not hold any compatibility guarantee between the KeePassXC application and the browser extension beyond the current second digit release (ie, we officially support integration with 2.5.x).

Also via Open Build Service: https://build.opensuse.org/package/show/security:keepassxc/keepassxc

> There are two fantastic options that immediately solve your problem. You skipped over them on our downloads page.

Thanks, but I didn't skip over them. They violate the fourth of the Debian "rules" I listed. [From what I understand, a few reasons for this "rule" are that software from outside the official repositories isn't guaranteed to follow the [Debian Free Software Guidelines](https://www.debian.org/social_contract#guidelines) (which guidelines are a primary reason many people use Debian), isn't guaranteed to work correctly with other software in Debian stable, and poses security risks. [Here's an even-more-stern warning](https://wiki.debian.org/DebianSoftware#fnref-59b1a6a24cc7f124d6c7b11f4930cbca3df1145f) from the Debian documentation, concluding that "You are advised to wait until you have navigated several major system upgrades and consider yourself something of a Linux expert before venturing away from the supported Debian software repositories." I realize to many experienced Linux users that will sound like overkill, but the "guarantees" of only free and open-source software, of security, of compatibility, of stability, and of minimal manual configuration are why I think many of us "ordinary" users of Debian stable choose it.]

I see that Snap additionally suffers from the problems that Snap sandboxing apparently doesn't work in Debian and Snap automatic updates can't be turned off.

> Also via Open Build Service: https://build.opensuse.org/package/show/security:keepassxc/keepassxc

Obviously, that has the same problems.

> Unfortunately when the "ordinary user" decides to use Debian you can very easily get stuck in a significant version rut. We are certainly not the only software stuck in these ruts.

Of course, for those who choose Debian stable, the fact that software in the repository receives only security updates is one of the primary features.

This is the only time I've encountered such a "rut" problem. In hindsight, I now realize this is because my having used Mozilla's add-on repository to install the browser extension _broke this same Debian rule_ and has led to my problems (thereby confirming the Debian documentation's advice). I now see that select Firefox add-ons are included in the Debian repositories to avoid such problems. I see the KeePassXC browser extension is in Debian unstable but not in stable or backports, unfortunately.

> To directly answer your question, no we do not hold any compatibility guarantee between the KeePassXC application and the browser extension beyond the current second digit release (ie, we officially support integration with 2.5.x).

That's very helpful to know. Thanks!

So, some of the questions remaining from my issue:

  1. If [there is no effort, on the side of the KeePassXC browser extension project, to ensure compatibility between the browser extension and the version of KeePassXC in the Debian stable repository], would it be possible to add a warning to that effect somewhere on the KeePassXC website or documentation? Would it also make sense to request that a warning be added to the description of the package in Debian stable?

  2. Is there any possibility of, or interest in, adding KeePassXC to Buster's Backports repository? (Unlike Sid, Backports is easy, and unproblematic, to use for ordinary users.)

@julian-klode? (I see you maintain the existing Debian packages.)

I completely understand if no one here has interest in maintaining this browser-extension compatibility merely for the sake of a "newbie subset" of a single distribution's users. If that's the case, I was just hoping a well-placed warning or two might save other people in my position from spending the time I've spent trying to understand why my trusty password manager stopped working properly.

Unfortunately at this point my response is "Live by the rules, Die by the rules". If you are not willing to use alternative packages then there is nothing we will be able to do to remedy the situation. I strongly doubt with all my heart that an "ordinary user" will be hamstrung by the Debian rules.

BTW you may have missed this part of your rules review:

https://wiki.debian.org/DontBreakDebian#line-134
