Package: qtpass
Version: 1.3.2-3
Severity: serious
I am flagging this as "serious" because it leads to data loss.
Specifically, I already lost the history of my test passwords.
Had I not noticed right away, I could have lost REAL passwords.
I have an existing ~/.password-store.
It has git enabled.
It is read and written to by pass(1).
It is read by applications using python3-pypass.
I installed qtpass, added a test password, and changed it two or three times.
I was very surprised to see that no git commit logs appeared.
It seems that by default, qtpass has
Configuration > Settings
[ ] Use git (off by default)
Configuration > Programs
(X) Native git/gpg (on by default)
( ) Use pass (off by default)
If the user has no existing .password-store, this is a reasonable default.
However, if .password-store is ALREADY using git, qtpass SHOULD use git by
default.
-- System Information:
Debian Release: 11.0
APT prefers stable-updates
APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990,
'stable'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (1,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages qtpass depends on:
ii gnupg 2.2.27-2
ii libc6 2.32-4
ii libgcc-s1 10.2.1-6
ii libqt5core5a 5.15.2+dfsg-9
ii libqt5gui5 5.15.2+dfsg-9
ii libqt5network5 5.15.2+dfsg-9
ii libqt5svg5 5.15.2-3
ii libqt5widgets5 5.15.2+dfsg-9
ii libstdc++6 10.2.1-6
Versions of packages qtpass recommends:
ii pass 1.7.3-2
pn pass-extension-otp
pn pwgen
Versions of packages qtpass suggests:
ii git 1:2.30.2-1
-- no debconf information
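
The situation reported above (a git-enabled store whose entries were changed without any commit being recorded) can be detected from outside the application. The following is an added example, not part of the original report and not qtpass or pass code; the function name `store_git_drift` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report password-store entries that git has not committed.
# Return codes (chosen for this example):
#   0 = store is a git repository and every entry is committed
#   1 = store is a git repository with uncommitted or untracked entries
#   2 = store is not a usable git repository (no history to compare against)
#   3 = store directory does not exist

store_git_drift() {
    # Same lookup order as pass(1): explicit path, PASSWORD_STORE_DIR, default.
    store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    [ -d "$store" ] || return 3

    # .git is a directory in a normal clone and a file in a linked worktree.
    [ -e "$store/.git" ] || return 2

    # --porcelain output is stable for scripts; list every untracked file
    # so a newly added entry shows up by name rather than as a directory.
    drift=$(git -C "$store" status --porcelain --untracked-files=all) || return 2

    [ -z "$drift" ] && return 0

    # One line per entry: "?? name.gpg" = never committed, " M name.gpg" =
    # changed since the last commit (the previous value has no history).
    printf '%s\n' "$drift"
    return 1
}
```

Source the file and call `store_git_drift`; with no argument it checks `$PASSWORD_STORE_DIR` or `~/.password-store`. Any output means a front end wrote to the store without recording a commit.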