Hah, the Linux version points you to the original website (only the Mac and Windows versions appear to be modified)! The year of the Linux desktop is truly here.
I've had discussions with coworkers on why you shouldn't ve downloading putty from putty.org. Sure, they seem to be linking to the official downloads now, but imho it's just poor hygiene to use such pages. It takes just a moment of carelessness to get pwned
Rather unfortunate that "putty.org" is the first result in searches and looks a lot more legit than "chiark.greenend.org.uk" even if it (currently) links there.
I've had discussions with coworkers on why they shouldn't look up "free online json beautifier" and dump thousands of lines of crown jewels into them (http too). Meanwhile we're doing web dev and JSON responses are autoformatted in Firefox dev tools so there's an amazingly convenient and perfectly safe alternative right there...
It's putty's own fault. They used to (and perhaps still do) have a section on how they don't want your donated domain - they like their current one.
From their FAQ:
> No, thank you. Even if you can find one (most of them seem to have been registered already, by people who didn't ask whether we actually wanted it before they applied), we're happy with the PuTTY web site being exactly where it is. It's not hard to find (just type ‘putty’ into google.com and we're the first link returned), and we don't believe the administrative hassle of moving the site would be worth the benefit.
PuTTY's been a thing for almost two decades at this point. That's quite a lot of inertia; It will take a lot more than three months for people to migrate, nevermind the people who aren't on W10.
This. And the benefit is it's easy to add your own fixes to your local version too. Stuff like removing the PerformSelfTest() call, adding items to the ListView in batch, item bounds checking when refreshing the ListView, etc. can quite noticeably speed up the UI, and random window focusing/sizing issues aren't too hard to fix either.
In a perfect world I would love to, but every time I've tried to submit improvements to open-source software I've come out extremely frustrated with how many hoops I have to jump through just to get my code properly considered, let alone merged. Half the time the developers are extremely resistant to changes and believe the change is wrong/unnecessary, or the current state is already correct, or that the changes are too big and/or not worth it, or that their upstream code is responsible, etc., and the other half the time they're admittedly quite welcoming but present hoops that on my end I simply don't feel like jumping through (like putting more personal info on the internet than I care to), especially when I'm already going out of my way to help people. Maybe you'd think the problem is with me, or maybe Dominic would be an exception in all regards, but wherever the problem is, I've grown very reluctant about the idea in general, so I just fix bugs on my own computer and let someone else who cares & has the time/energy to put up a real fight fix the issues for everyone else.
Then you're not going to the good people. Stop going through intermediaries, go straight for the source (package specific issues on Ubuntu must be reported to Ubuntu -like python not recognizing a new module-, but bad code inside the package must be dealt with with upstream).
> Half the time the developers are extremely resistant to changes and believe the change is wrong/unnecessary, or the current state is already correct, or that the changes are too big and/or not worth it, [...]
That's why I take the habit of jumping on IRC first, talking with devs a bit and trying to understand why I find a specific piece of code problematic.
I was trying to add support for i686 on an AUR package I maintain; quickly dismissed "we don't support i686 anymore anyway, just slap comments in your PKGBUILD and ship it".
I was working with the btrfs(8) util, which has the most horrific interface ever designed; "OK, we're not hostile to a new interface design, but you'll have to provide a comprehensive explanation of what you want and how it should behave".
And finally, documentation usually gets merged real fast (recently on cbsd(8) and nextcloud).[0][1]
I assure you I'm not naively just dumping code on random developers and telling them to merge it. I do talk to them first, that's exactly how I figure out they think their code is fine and my changes are unwelcome whenever that's the case. (Edit: Well, mostly. It's also happened that my changes were rejected after I made the patch, but that was nevertheless after discussions had already taken place. Like when I said they later decide the patch is too big.) And regarding the upstream project issue: in the case I had in mind, the upstream project had its own reasons for not doing things the way I mentioned. The changes really did belong in the downstream project, but the downstream guy just didn't care to have to maintain the changes. Although, I also have to point out that upstream projects tend to present even more obstacles for merging code -- not only when the entire reason there's a downstream fork is that upstream is not going to support the entire platform/architecture/whatever, but also when they're big projects with their own hoops I don't care to jump through on my end as I explained earlier.
I agree, that's why signed source code releases are the safest thing you can get.
Keepass has signed releases (including the source code archive) that can be checked with OpenPGP.
If you trust the signed source code there's no reason you shouldn't trust the signed binary - unless you have sufficient time and expertise to audit the source.
* Being open source protects against a malicious developer. Otherwise there is nothing preventing him to build the binary with a different source, and send the passwords to his own server.
* Signed code archive prevents against a compromised hosting site.
Are you imparting trust on checksums downloaded from the same source page?
Not implying you are but there is plenty of software where that is how they expect users to verify the integrity of the download. Useful for checking bit errors, but in the event that someone has replaced the binary then they could probably also replace the checksum...
I didnt think about that, but there's not always a reputable alternative checksum source.
I was thinking about all the times I had to download a windows ISO. And how microsoft had openly published what the checksum values were so I could verify this after downloading from a 3rd party
I would need to do more research here you make a good point
It doesn't have built-in syncing, unlike KeePass. So if you want cloud syncing you have to install an entire syncer on your file system just for the sake of that one program. The assumption that everyone has or wants an automatic behind-the-scenes file syncer installed on every system they use the program on is quite a big and incorrect one.
No, the question is what if you do want cloud syncing for your passwords (you need to sync with your phone somehow without manually uploading/downloading from a browser every time...), but unable or unwilling to install a background cloud syncer installed on every system you use KeePassXC on. People blindly suggest KeePassXC without realizing not everyone has or wants a cloud syncer installed on their entire system.
> You're not really going to get around having to install "something" to sync your passwords if you want to have your passwords synced
Huh? This is obviously wrong; I'm doing literally this with KeePass. I haven't installed anything, and it has a plugin to sync directly with Google Drive that doesn't mess with or care about anything in the rest of the system.
I don't follow you. I use Google Drive, and I don't install additional software on the OS. I just sync with it directly using KeePass. There is no "problem". It works just just fine.
My understanding of the problem under discussion here is that there are some people who will refuse to use a cloud syncing service, period. Syncing with Google Drive does not get around this constraint, regardless of whether it requires any locally installed software.
Additionally, I was not personally aware of any way to "sync directly" other than using the Google Drive desktop client (https://www.google.com/drive/download/) and storing the database file in the synced folder. It sounds like you're saying Keepass has some direct integration with Google Drive?
All of that said, I am really not invested in this issue - I use multiple cloud sync services and it doesn't bother me.
> I was not personally aware of any way to "sync directly" other than using the Google Drive desktop client. It sounds like you're saying Keepass has some direct integration with Google Drive?
Syncthing isn't very intrusive in my experience/opinion.
I created a keepass/syncthing directory somewhere inside my home directory, and I told Syncthing to sync only that directory. And the directory only contains the Keepass database plus a few Syncthing log files and such.
Pretty ironicly, Terms of use warn to be very careful when downloading files with an exe.,. Vbs,. Lnk,. Bat,. Sys, or a suffix com., Because these files may contain a virus or spyware !
It's a common technique used by hucksters, "here's some friendly advice ...", it's both an attempt to signal good intent and to load the mark with a subconscious sense of having been done a favour (and so needing to do a favour back to the huckster/salesman.
Not ironic: totally intentional marketing trick. It makes you more inclined to trust the provider of the warning. They seem knowledgable about something important, and they're sharing that information with you. More insidiously, it makes you less likely to apply the warning to them. Because (unconsciously you think this) why would someone warn you about a trick they themselves are trying to pull?
one of those "make money online"/"internet marketing" type people just wanting to get the affiliate commissions from a pay-per-install network of the PUP bundler type.
Unrelated to the topic, the article points out a lot of things about certificates in the URL bar. That got me to think about the URLs themselves, can I set my browser up so it displays the punycode representation of my url?
Examples? There's some subject and possession disagreement here and there ("Cette clé, que vous définissez ... accéder à tous ses autres mots de passe"), but otherwise looks pretty good.
