Bug 29233

Summary: KeePassXCBrowser in Firefox calls for update KeePassXC
Product: Mageia Reporter: isadora <magicandsave>
Component: RPM PackagesAssignee: Sander Lepik <mageia>
Status: RESOLVED INVALID QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, magicandsave, ouaurelien
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: keepassxc-2.6.4-1.mga8 CVE:
Status comment:

Description isadora 2021-07-07 14:08:19 CEST 
Description of problem:

You are using an old version of KeePassXC.
Please download the latest version from keepassxc.org. 


Version-Release number of selected component (if applicable):

Current version: 2.6.4-1.mga8
Newest version: 2.6.6-1

More information at:
https://keepassxc.org/download/
isadora 2021-07-07 14:09:40 CEST

CC: (none) => magicandsave

Comment 1 Jani Välimaa 2021-07-07 17:28:57 CEST 
Isn't KeePassXC-Browser 3rd party extension for browsers? In that case we can't do much to silent the update notifications.

I don't know if seeing update notification in browser extension is a valid reason for update in stable releases. It's something for bug squad to decide.
Comment 2 Dave Hodgins 2021-07-07 19:18:38 CEST 
A valid reason for updating it would be to disable the check for newer releases.
Mageia supplied packages should not be checking non-mageia sites for updates,
by default.

Assigning to the registered maintainer.

Source RPM: (none) => keepassxc-2.6.4-1.mga8
Assignee: bugsquad => mageia
CC: (none) => davidwhodgins

Comment 3 Jani Välimaa 2021-07-07 19:31:01 CEST 
KeePassXC-Browser for Firefox isn't our pkg. It's an extension from https://addons.mozilla.org/ to talk with keepassxc. Similar extension is available also for other browsers like Chrome.

Update check in keepassxc itself is disabled.
Comment 4 Dave Hodgins 2021-07-07 19:50:18 CEST 
Thanks for the clarification.

As it's not something under Mageia's control, closing as invalid.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Comment 5 isadora 2021-07-07 20:01:19 CEST 
(In reply to Jani Välimaa from comment #1)
> Isn't KeePassXC-Browser 3rd party extension for browsers? In that case we
> can't do much to silent the update notifications.
> 
> I don't know if seeing update notification in browser extension is a valid
> reason for update in stable releases. It's something for bug squad to decide.

The add-on is calling:
You are using an old version of KeePassXC.

KeePassXC is Mageia-package, In MCC package is found under release: 
Currently installed version: 2.6.4-1.mga8

So my interpretation is, that this package needs update (?).
isadora 2021-07-07 20:53:11 CEST

Resolution: INVALID => (none)
Status: RESOLVED => REOPENED

Comment 6 Dave Hodgins 2021-07-07 22:25:16 CEST 
The addon is separate from the package. The package keepassxc includes
/usr/bin/keepassxc
/usr/bin/keepassxc-cli
/usr/bin/keepassxc-proxy

It does not include integration into firefox. That integration is done by a
firefox addon that is installed from a third party source, not from Mageia.
Comment 7 isadora 2021-07-08 09:26:53 CEST 
Exactly, the package keepassxc, has new version: keepassxc-2.6.6-1, according to information at https://keepassxc.org/download/#linux

For me that means updating current version keepassxc 2.6.4-1.mga8 to 2.6.6-1, right?
Comment 8 Aurelien Oudelet 2021-07-08 09:56:42 CEST 
For stable release, our policy is to stick with the version present at release date.

We patch security holes by applying specific upstream fixes on the fixed version.
We upgrade to newer version in Cauldron OR in the stable release only if there is an API breakage or if the software uses mandatory newer functions like syncing, online servers,...

In the case of keepassxc between 2.6.4 and 2.6.6 there are only:
2.6.6 Changelog
Fixed

    Fix focusing search when pressing hotkey #6603
    Trim whitespace from TOTP key input prior to processing #6604
    Fix building on macOS #6598
    Resolve compiler warnings for unused return values #6607

2.6.5 Changelog
Added

    Show search bar when toolbar is hidden or in overflow #6279
    Show countdown for clipboard clearing in status bar #6333
    Command line option to lock all open databases #6511
    Allow CSV import of bare TOTP secrets #6211
    Retain file creation time when saving database #6576
    Set permissions of saved attachments to be private to the current user #6363
    OPVault: Use Text instead of Name for attribute names #6334

Changed

    Reports: Allow resizing of reports columns #6435
    Reports: Toggle showing expired entries #6534
    Save Always on Top setting #6236
    Password generator can exclude additional lookalike characters (6/G, 8/B) #6196

Fixed

    Allow setting MSI properties in unattended install #6196
    Update MainWindow minimum size to enable smaller verticle space #6196
    Use application font size when setting default or monospace fonts #6332
    Fix notes not clearing in entry preview panel in some cases #6481
    macOS: Correct window activation when restoring from tray #6575
    macOS: Better handling of minimize after unlock when using browser integration #6338
    Linux: Start after the system tray is available on LXQt #6216
    Linux: Allow selection of modal dialogs on X11 in Auto-Type #6204
    KeeShare: prevent crash when file extension is missing #6174

As it seems there is no security issue and no major changes, I don't think it is worth to upgrade.

CC: (none) => ouaurelien

Comment 9 isadora 2021-07-08 16:30:39 CEST 
Thank Aurelien, that's an answer i can live with.
Call may be closed, again.
Comment 10 Aurelien Oudelet 2021-07-08 16:49:05 CEST 
(In reply to isadora from comment #9)
> Thank Aurelien, that's an answer i can live with.
> Call may be closed, again.

Thanks.
Bugsquad is for this.

Status: REOPENED => RESOLVED
Resolution: (none) => INVALID