New project fork?

c4llv07e igor at c4llv07e.xyz
Thu May 22 05:28:00 UTC 2025


> 1. I, as a user, generally consider password-store to be feature
> complete without need for major feature development. I am happy with the
> current implementation and do not wish for it to change. New features
> would mean new complexity which must be maintained/validated and which
> may introduce instability/insecurity.

There are some bugs and some problems with the current implementation, fixing
which wouldn't increase complexity. There are some problems with the man page
that were fixed in a patch from Dec 2024; bash completion is bugged and
doesn't work with pass-otp. That's two bugs that were reported here in less
than a year (which is a lot for a dead mailing list). Pass is very good
software, but like any other software, it is not without bugs.

Still, as a user, I would like to see some improvements in the current
version, because right now it only works with X11, not on Wayland
(xdotool doesn't work in non-X11 apps). It was also fixed by my patches a
long time ago and by some patches from jimum3bxg6c4 at gmail.com. It
isn't in upstream yet.

I understand the concern about complexity, but it shouldn't break existing
workflows and should only add small features.

> 2. Social pressure like this is exactly how the XZ supply chain attack
> started. That included multiple users piling onto an already over-
> stressed maintainer to influence them to believe that someone else
> should maintain the project. password-store which naturally handles
> sensitive data seems like a ripe target to me.

This is a really good concern. Maybe since it's a simple Bash script, it
will be easier to check for backdoors inside.

But yes, it is very possible, I can't argue against it.

> If there really is no maintenance happening for security issues or
> similar, I don't want to dissuade. I have admittedly not closely
> followed or ever engaged with this mailing list before.

The only thing I can think of is that pass is built on X-keylogger
protocol, where any app can already read your passwords, so there are no
security vulnerabilities that aren't there by design. /joke
