
Perhaps, and that's not unreasonable in and of itself. But to do so in such a user-hostile manner? That's a bit over the top. A new minimal package, advertising it, and only then eventually making it the default would have been far, far more effective.

If an engineer of mine pulled this on our user-base I'd have them reverting it in a heartbeat regardless of the technical merit. They already failed just in how they executed this and have burned good will, the technical merits no longer matter. Once you've lost the faith and trust of the user, it's over.

The original request[0] was more or less simply a user asking for the networking to be removed, and follow-up to just have a -nonetwork variation. Instead, we have comments from the Debian maintainer:

The OP report:

> Users who need this crap can install the crappy version but obviously this increases the risk of drive-by contributor attacks.

The Debian package description[1]:

> See keepassxc-full if you absolutely need those.

The PR[2]:

> Feature creep like SSH agent support, browser integration, Freedesktop.org secret storage, KeeShare pose undue risks for most users.

Each one of these sends a message. And it was entirely avoidable with a bit of grace and kindness to the existing userbase.

[0]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953529

[1]: https://packages.debian.org/sid/keepassxc

[2]: https://salsa.debian.org/debian/keepassxc/-/commit/7d6d16e3f...




Yeah, I agree with you. I'm joking that KeePassXC developers should make parsing .kdbx an optional feature (that's an attack surface by itself for sure!) and see whether the Debian package maintainer enables it or not.


> user-hostile manner

This isn't user hostile.

You know what'd be user hostile? Removing the functionality and not providing the -full package alongside.


It is.

The software has been broken - the UI wasn’t designed with those toggles in mind so now users suddenly have non-functioning features presented to them in the UI.

The argument that all users should be keeping up to speed on NEWS - especially in the stable channels this will end up in - to explain why their UX is suddenly broken is not exactly ‘user friendly’.


> all users should be keeping up to speed on NEWS

They don't need to, it is shown to them during apt-get upgrade.

> especially in the stable channels

This is in testing/unstable. Stable users aren't and won't be affected until the next major Debian version is released and the user decides to do the upgrade.



