Yes, but you also misrepresent it in your original post, both by cherry-picking and making incorrect assumptions.
Not sure what to make of this - you ignore the discussion in the PR and then complain that you were the one being ignored?
Why would you expect me to be familiar with the KeePassXC codebase? Never ever have I seen that being expected for any similar change in nixpkgs or elsewhere. I sincerely hope that upstream have a better understanding of the security pertaining to KeePassXC since they’re the ones making it and we’re just packaging it.
No, it’s a potential attack vector because it provides an API for fetching content from the db and usually connects to a browser, which does much more than parsing jpegs and pngs.
This is certainly not true - not everybody using nix knows all of its intricacies or even what nix is, since it can for example be used by operations to deploy software on client machines (on Macs in particular). We do this at my company and I know of others who do it too. Also, some old passwords may have been imported without updating them, some may be shared and can’t be updated as easily, etc.
Sure, theoretically a successful attack could give arbitrary code execution and allow the attacker to exfiltrate sensitive data, but exactly how easy or feasible do you think such an attack really is? If it’s easy to pull off, that means almost all KeePassXC users are at risk and the feature should likely be removed upstream.
You wrote the following:
I agree about HIBP and it’s arguably useful enough to justify inclusion. That said, we need to consider the average keepass user, and even there the average NixOS user, and there’s a decent chance that all passwords are unique and high entropy.
where the first part is positive and I’ve countered the second part. However, I’m mostly referring to jonafato’s comment on HIBP:
I don’t have strong feelings on the default value of this flag. If it’s going to flip, HIBP integration is probably the best reason to do so, as it provides some tangible security benefit to users.
I learned of the HIBP integration a few hours after submitting the PR; not sure why that’s relevant, though.