I guess you mean “trying to download,” right? If it’s an offline qube, it can’t download anything from the internet. I don’t see why that’s a security problem, as long as it isn’t trying to exfiltrate your data via a covert channel or anything. I suppose it would be slightly inefficient to have an offline qube vainly trying to check for updates when it has no network access, but it’s probably just a very minor waste of CPU activity at most, right?
(Also, regarding the portion of my post that you quoted, keep in mind that if you have a template, and you’re using a vault qube that’s based on that template, then you do have an actively-used qube based on that template.)
I am confused, as I already added the words before you posted this. Did you miss that, or is this a way of saying that what I added did not cover it?
I could be missing something, but I’m not sure why that would be a significant security risk by itself. If KeePassXC itself were compromised (e.g., package or source code), then it wouldn’t matter whether it’s up-to-date or not. (Updating to newer malicious code would probably just help the attacker.) And if Qubes VM separation as a security boundary were violated, then KeePassXC being patched would provide only minimal protection if KeePassXC were still being unlocked and used for stuff. You certainly wouldn’t want to rely on that, so this definitely doesn’t seem like something that’s important to “avoid at all costs.”
I don’t understand the suggestion, and this is too vague to be actionable for me. If something is unclear in the docs, please provide, at minimum:
- An exact quotation of the unclear passage currently in the docs
- Why you think it’s unclear
If you think something is missing, please provide, at minimum:
- Example text of what you think should be added (or at least the start of it)
- Why you think it should be added (e.g., the motivation for adding it, who it would help, or what problem it solves)
Alternatively, feel free to open a doc PR yourself.
Also, casual asides in forum posts are easily missed, so if there is actually something important that needs to be updated or fixed in the docs, the best way is to either open a doc PR or open an issue.