
Bug#405896: ITP: keepassx -- light-weight and easy-to-use password manager

Reinhard Tartler wrote:
> Moritz Muehlenhoff <jmm@inutil.org> writes:
> 
> >> The complete database is always encrypted either with AES (alias
> >> Rijndael) or Twofish encryption algorithm using a 256 bit key. Therefore
> >> the saved information can be considered as quite safe. KeePassX uses a
> >                                              ^^^^^^^^^^
> > Ummm.
> >
> > Apart from that, just because it uses strong ciphers it doesn't mean it's
> > secure. It appears to only have a single author and to be very fresh and I
> > don't think it has received real review so far. Until it has matured more
> > I wouldn't upload this to unstable, as every flaw will expose all the
> > passwords and passphrases of a user.
> 
> Err, while I agree that the description should make false or misleading
> statements (I will take that part out), I'm a bit confused about your
> statement to not upload it to unstable. I mean, in a truly security
> sensitive environment, every security sensitive tool should be audited
> anyway. I'd still like to upload it to unstable, so that it gets wider
> testing. If someone notices security issues, the package will get an RC
> bug, and if there is no quick fix, it may be removed from testing. But
> why are you saying that it mustn't enter unstable? Did you perhaps
> already audit keepassx or have made any experience while using it?

In reality people use unstable widely. IMHO security-sensitive code that
fresh shouldn't enter unstable, but feel free to ignore me.

> I think your concerns apply to the dozen other password managers we
> already ship in etch as well.

Probably yes. (kwalletmanager appears fine, haven't looked at others.)

Cheers,
        Moritz