I’m inclined to agree. Like, I get it - the Debian maintainer used inflammatory language and the conversation devolved from there. I’d really love to see some real discussion about how the upstream devs can justify their claims that these features don’t increase the attack surface. I also understand that they don’t want their bug tracker filled with Debian specific issues because of this, but can we not also have a discussion about the desire for people to have a stripped down version?

I for one wasn’t even aware that my offline password manager has networking features at all.

Edit because I’m kind of hot on this right now:

In the HN and github discussions I’m seeing a lot of people asking if there are any known vulnerabilities in the removed code or demonstrated exploits, and the notion that you’d need these things to exist before reducing the attack surface is so off base IMO. The point of reducing the attack surface is to prevent unknown attacks. If there were known attacks they would simply be patched out. This is preventative not reactive, which is far better.

The upstream dev constantly bringing up how well reviewed the code is and how careful they are about adding new features doesn’t change the fact that not everyone will want the increased risk of having those features. Even if that risk is miniscule, it can never be 0. A truely offline password manager brings that risk much much closer to 0 though.