In Debian, APT 3 gains features – but KeepassXC loses them

'Sid' is looking a little sickly of late, but it will pass

The intrepid users of Debian's "testing" branch just discovered that a bunch of their password manager's features disappeared… but their package manager is going to get new ones.

Version 3.0 of Debian's default package manager, APT, will receive a significant improvement - developer Julian A Klode describes the new solver in the development version 2.9.3. Last month, we covered some more visible fresh features coming in APT 3: columnar output and use of color in the console. The new solver is more important when it comes to how the program does its job, though.

As we noted last year when 2.6 appeared, Apt is a vital part of Debian: it's the tool that performs automatic dependency resolution. When you install a Debian package, Apt works out what supporting dependencies that program needs – libraries and so on – and automatically installs them too, so most programs can be installed with a single command. Apt first appeared in Debian 2.1 in 1999 and gave the distro a major advantage over the Red Hat family of distros for half a decade.

The part of the system which works out what dependencies it needs, and possibly what dependencies they need, and so on, is the "solver." The new one, known as solver3, should improve on the existing one in two important respects. Firstly, it knows to leave manually installed packages alone and not remove them. Secondly, it will be able to tell you why a given package is installed: it can work out what program caused a given dependency to be pulled in.

This is not entirely new to Debian, but it's new to the core APT suite. In the pre-Ubuntu era, Debian offered a smarter alternative to the separate APT tools (apt-get, apt-cache, apt-file et cetera) called Aptitude. Aptitude has its own solver and offered both why and why-not switches. However, it's largely been superseded by the all-in-one apt command since Ubuntu 14.04.

Hang on – Ubuntu? Weren't we talking about Debian? Well, Ubuntu is based on Debian, and some Canonical developers work on both, including Klode. Many changes and improvements in Ubuntu make their way back upstream into Debian in time.

New features and improvements in such a crucial tool are very welcome. For comparison, when features that users are accustomed to go away, they can get very upset. The bold and fearless users of Debian's "unstable" development edition, codenamed "Sid", recently found this: when they updated, they lost a lot of features from their password manager.

The FOSS app in question is called KeePassXC; it's a modern, cross-platform fork of the Windows-native KeePass, a password manager which the Reg was covering more than a decade ago. It's in Debian's repositories, so all you need to do is type sudo apt install keepassxc and it's ready to use.

That is until very recently, when most of its functionality disappeared, leading users to open bug reports such as this one. It's all changed because now the standard keepassxc package contains a minimal, standalone configuration of the program, with all its extras turned off or removed. If you want features like browser integration now, you will need to install a new package called keepassxc-full which also includes all the plugins.

This has made a lot of people very unhappy and been widely regarded as a bad move, including by the developers of KeePassXC, who posted a warning on Mastodon. You can also read spirited discussions on Hacker News, and the Debian sub-Reddit, and on Lobsters, for instance.

How has this happened and what's the connection?

Well, the maintainer of the KeePassXC package in Debian is none other than our friend Julian Andres Klode. He decided that including all the plugins posed a security risk, so he removed them from the default package and banished them to the "-full" package instead. He defended his decision in a GitHub comment which critics have interpreted as patronizing or condescending. KeePassXC developer Jonathan "droidmonkey" White isn't happy, either.

Others are defending the change: it probably will result in better security overall.

This kind of discussion is the dynamo that powers FOSS development, and we're not criticizing it. (Then again, this vulture doesn't use KeePassXC.) It's good to see this happening out in the open, rather than behind closed doors or at the whim of some big corporation. We merely found the intersection of the two, unrelated changes amusing. ®

More about


Send us news

Other stories you might like