
    KeePass dev refuses to patch security hole in favor of ad revenue

    • DustinB3403

      If anyone is worried, the MD5 and SHA1 match.

      • dafyre

        I find this quite sad, actually. I've been a happy KeePass user for a while now... Guess I'll check out some of the others now. KeePassX looks pretty good.

        • Alex Sage @dafyre

          @dafyre Once again, the problem is the updater, not the program itself. I think at the end of the day, it will be fixed.

          • scottalanmiller @Alex Sage

            @aaronstuder said in KeePass dev refuses to patch security hole in favor of ad revenue:

            @dafyre Once again, the problem is the updater, not the program itself. I think at the end of the day, it will be fixed.

            Or forked.

            • dafyre @Alex Sage

              @aaronstuder said in KeePass dev refuses to patch security hole in favor of ad revenue:

              @dafyre Once again, the problem is the updater, not the program itself. I think at the end of the day, it will be fixed.

              True. But for an application such as KeePass, why risk it? KeePassX works fine with my existing database, and I no longer have to worry about an auto updater hijacking my passwords or otherwise infecting my computer with bugs.

              Note: I'm not terribly worried about it... but a little paranoia is safe when it comes to security.

              • gjacobse @scottalanmiller

                @scottalanmiller said in KeePass dev refuses to patch security hole in favor of ad revenue:

                I think KeePass with Chocolatey would bypass the insecure updater.

                There is also the option of just not installing it.

                For a number of years I have used the Portable App version.

                • Carnival Boy @dafyre

                  @dafyre said in KeePass dev refuses to patch security hole in favor of ad revenue:

                  and I no longer have to worry about an auto updater hijacking my passwords or otherwise infecting my computer with bugs.

                  There is no auto-updater. You have to manually download new versions from SourceForge. All this (non) issue is is a program that notifies you if there is a new version and advises you to (manually) download it.

                  • dafyre @Carnival Boy

                    @Carnival-Boy said in KeePass dev refuses to patch security hole in favor of ad revenue:

                    @dafyre said in KeePass dev refuses to patch security hole in favor of ad revenue:

                    and I no longer have to worry about an auto updater hijacking my passwords or otherwise infecting my computer with bugs.

                    There is no auto-updater. You have to manually download new versions from SourceForge. All this (non) issue is is a program that notifies you if there is a new version and advises you to (manually) download it.

                    But said "update now" popup can redirect you wherever it wants assuming a hacked update popup. I know I'm pushing it, but as I said... a little paranoia can go a long way.

                    • Dashrender

                      How does the popup that there is an update happen? Assuming it's that the app checks a website, we're just in for another Firesheep adventure.

                      • wrx7m

                        I use KeePass and update via Ninite Pro. And I have never seen anything to do with ads in the 10 years I have been using it.

                        • stacksofplates

                          So I guess I should have specified in the other thread. I use KeePassX and it's updated through yum. And the Android version of Keepass2Android (the one I use) isn't maintained by the same people.
