    KeePass dev refuses to patch security hole in favor of ad revenue

    • scottalanmiller @Carnival Boy

      @Carnival-Boy said in KeePass dev refuses to patch security hole in favor of ad revenue:

      How does the HTTP update check create ad revenue? I haven't seen that explained.

      Lost on that one here, too. I've never seen any ads associated with Keepass.

      • DustinB3403

        If anyone is worried, the MD5 and SHA1 match.

        0_1465212618302_chrome_2016-06-06_07-27-14.png

        • dafyre

          I find this quite sad, actually. I've been a happy Keepass user for a while now... Guess I'll check out some of the others now. KeePassX looks pretty good.

          • Alex Sage @dafyre

            @dafyre Once again, the problem is the updater, not the program itself. I think at the end of the day, it will be fixed.

            • scottalanmiller @Alex Sage

              @aaronstuder said in KeePass dev refuses to patch security hole in favor of ad revenue:

              @dafyre Once again, the problem is the updater, not the program itself. I think at the end of the day, it will be fixed.

              Or forked.

              • dafyre @Alex Sage

                @aaronstuder said in KeePass dev refuses to patch security hole in favor of ad revenue:

                @dafyre Once again, the problem is the updater, not the program itself. I think at the end of the day, it will be fixed.

                True. But for an application such as Keepass, why risk it? KeePassX works fine with my existing database, and I no longer have to worry about an auto updater hijacking my passwords or otherwise infecting my computer with bugs.

                Note: I'm not terribly worried about it... but a little paranoia is safe when it comes to security.

                • gjacobse @scottalanmiller

                  @scottalanmiller said in KeePass dev refuses to patch security hole in favor of ad revenue:

                  I think KeePass with Chocolatey would bypass the insecure updater.

                  There is also the option of just not installing it.

                  For a number of years I have used the Portable App version.

                  • Carnival Boy @dafyre

                    @dafyre said in KeePass dev refuses to patch security hole in favor of ad revenue:

                    and I no longer have to worry about an auto updater hijacking my passwords or otherwise infecting my computer with bugs.

                    There is no auto-updater. You have to manually download new versions from sourceforge. All this (non) issue is is a program that notifies you if there is a new version and advises you to (manually) download it.

                    • dafyre @Carnival Boy

                      @Carnival-Boy said in KeePass dev refuses to patch security hole in favor of ad revenue:

                      @dafyre said in KeePass dev refuses to patch security hole in favor of ad revenue:

                      and I no longer have to worry about an auto updater hijacking my passwords or otherwise infecting my computer with bugs.

                      There is no auto-updater. You have to manually download new versions from sourceforge. All this (non) issue is is a program that notifies you if there is a new version and advises you to (manually) download it.

                      But said "update now" popup can redirect you wherever it wants assuming a hacked update popup. I know I'm pushing it, but as I said... a little paranoia can go a long way.

                      • Dashrender

                        How does the popup that there is an update happen? Assuming it's that the app checks a website, we're just in for another Firesheep adventure.

                        • wrx7m

                          I use Keepass and update via Ninite Pro. And I have never seen anything to do with ads in the 10 years I have been using it.

                          • stacksofplates

                            So I guess I should have specified in the other thread. I use KeePassX and it's updated through yum. And the Android version of Keepass2Android (the one I use) isn't maintained by the same people.
