Why not just run keepassxc from the main (extra) repo? Between running a sketchy package from the AUR, and one that’s fully supported and patched, surely this is a problem of your own making?
I’m using keepassxc from the Arch Extra repo…version 2.7.11-1.
Moving KeePassXC to Qt6 is a work in progress, but until it’s done I’m forced to use the obsolete Qt5 version.
Btw.
and the whole issue reaches back to 2022
But why though..? Just use the Qt5 version, - it works? It’s not obsolete, it’s just running off a different framework model?
Given we are talking about a password manager, I would strongly recommend using the official package and not some random AUR package which uses non-official sources.
Qt5 is obsolete, as development and official support have ended.
And now? As long as there are no attack vectors onto the library itself, which are open within the application, it does not matter beyond your “I don’t want old stuff” need.
You have to weigh two things against each other: Your need (which I can understand, but has no real argument behind it) and the security of an official Arch release. For a password manager I would always go the latter path.
AUR IS an attack vector, which HAS already been used, as we all know…
That is not only about old stuff, but about multiplying versions of dependencies, which is overloading the system. I could successfully get rid of the whole of Qt5 and the apps depending on it, as they were not essential and not very much needed, besides they have good replacements in Qt6. Indeed I had just a couple of them. Anyway KeePassXC is important enough and unique in its way, reasons enough to install Qt5 deps again and wait until the KeePassXC team moves to Qt6 (which is on the way, afaik).
Btw.
Well that’s something of a hurry up for the Qt6 upgrade!
Hi! Just a ping about the Qt5 vs Qt6 situation in the Gentoo Linux repos: we have removed a huge chunk of package versions depending on Qt5.
The only app pkgs in our repos still on Qt5 are:
app-admin/keepassxc
app-editors/qxmledit
app-office/onlyoffice-bin
app-text/master-pdf-editor
net-irc/quassel
net-misc/x2goclient
net-p2p/retroshare
x11-misc/projecteur
The Qt project is looking to remove Qt5 in next month(s). Because of this KeePassXC might get dropped from the Gentoo Linux repo - please see: https://bugs.gentoo.org/show_bug.cgi?id=qt5-removal AFAIK Ubuntu is in a similar situation.
I wonder if there are some constraints that are preventing the KeePassXC development team from upgrading the existing app based on the Qt5 framework to the Qt6 framework.
I do share the aversion of the OP to having legacy and unsupported frameworks being used. They have a potential to be a big security vulnerability waiting to be exploited.
Using KWalletManager application might not be palatable for some users. Because from the KDE documentation,
“By using the Frameworks wallet subsystem it not only allows you to keep your own secrets but also to access and manage the passwords of every application that integrates with the wallet.”
What this means is that any application integrated with or using the KDE Frameworks wallet subsystem has access to the credentials and passphrases that are stored. A potential big loophole.
You can limit that loophole quite a bit by not allowing applications to access the wallet without permission.
Just remove the kwallet.
If you remove/disable kwallet, many applications will start storing their secrets in plain text or some easily reversible format which is quite a bit worse.
