# Is lastpass-cli secure/safe?

## Budoka

I just saw that a cli interface to Lastpass was added to portage.

I've installed it but noticed that use is `-libressl`:

```
# eix lastpass-cli
[I] app-admin/lastpass-cli
     Available versions:  1.0.0 {X libressl +pinentry}
     Installed versions:  1.0.0(10:51:59 AM 10/13/2016)(X pinentry -libressl)
     Homepage:            https://github.com/lastpass/lastpass-cli
     Description:         Interfaces with LastPass.com from the command line.
```

I am a big fan of CLI tools when available but for obvious reasons have some general security concerns/questions about using this.

I am not sure why it pulled in as -libressl as I don't have that flag set globally or specifically when I emerged it. When I specify that the package can have the use libressl in package.use it is not being picked up even after re-emerging with new use flag.

Of course with a tool like this, I want it to talk to Lastpass over an encrypted channel and I am assuming that I want communication to go over libressl right? Or does the package use the existing OpenSSL on my system?

Also any general feedback on the security of this tool? I would hate to expose myself to a potential security problem. As it is LastPass only has one point of failure in it and that is all it would take.

I wasn't sure whether this should go in the portage subforum or security. If the Admins think it should be moved please do so.

Thanks.

----------

## eccerr0r

Yes if you do not have USE=libressl explicitly, it will default to using openssl, which you likely have installed already.

However after a quick look at the ebuilds it looks like that it is possible to build lastpass-cli wrong.  I'm not sure what the behavior of lastpass-cli is if you somehow have both libressl and openssl installed (however, it does look like Portage will prevent LibreSSL from installing if you already have OpenSSL installed).  You could try forcing a rebuild instead of a conditional rebuild as since the SSLs are a runtime dependency (currently) it shouldn't force a rebuild...

IMHO without reading lastpass-cli code, it should be a regular dependency, not just runtime, but that's not up to me to decide (package maintainer decision.)  Don't know - I'm using OpenSSL at the moment.

If you don't care which ssl is used as long as one is, you're good to go - it will use one of them and can't be disabled.

----------

## Hu

As I read the ebuild, everything in $RDEPEND is included in $DEPEND, so it does have both a runtime and a build-time dependency on whichever TLS implementation the user picked.

----------

## eccerr0r

Ah... missed that clause, looks good then.

Still not sure why setting USE=libressl and emerge --newuse just ignored the new USE for lastpass-cli ... though I'd expect it to bomb horribly (will we expect someday that there will be a virtual/libssl that depends on libressl or openssl so people can bomb their system at will because of how much libressl stripped out?)

----------

## Budoka

Thank you for the explanations everyone. I think I understand but just to be clear I can use it as it is without explicitly indicating anything right? It will pick up my OpenSSL config and use that?

----------

## Budoka

*eccerr0r wrote:*

> Ah... missed that clause, looks good then.
> 
> Still not sure why setting USE=libressl and emerge --newuse just ignored the new USE for lastpass-cli ... though I'd expect it to bomb horribly (will we expect someday that there will be a virtual/libssl that depends on libressl or openssl so people can bomb their system at will because of how much libressl stripped out?)

This is what confused/concerned me as well.

----------

## eccerr0r

Seems like portage is completely throwing away USE=libressl -- and I think I know why now.

USE=libressl is in the use.stable.mask for the base configuration because libressl itself is unstable.  You'll have to explicitly unmask this use flag to use it...

So you're good to go, it will be using openssl without the libressl flag.

----------
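Two checks that make the situation eccerr0r describes visible on your own box, written as an added example for this thread (not code from any poster or from the lastpass-cli project). `emerge -pv` prints a masked or forced USE flag in parentheses, which is exactly what a flag in `use.stable.mask` looks like; and `ldd` on the built binary shows which libssl/libcrypto it actually resolves to, independent of what the USE flags say. The `emerge -pv` line and the `ldd` output below are constructed sample data; the `report_lpass_tls` helper runs the real commands and assumes `qfile` from app-portage/portage-utils is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from lastpass-cli): inspect what
# Portage actually did with a USE flag, and what the binary actually links.

# use_state FLAG EMERGE_LINE -> prints enabled | disabled | masked | absent
# Reads the USE="..." field of one `emerge -pv` line. emerge wraps masked
# or forced flags in parentheses, e.g. (-libressl); a trailing * marks a
# changed flag and a trailing % a new one, both stripped before matching.
# Runs in a subshell so `set -f` (no globbing of tokens like "flag*")
# does not leak into the caller.
use_state() (
  set -f
  flag=$1
  line=$2
  use=$(printf '%s\n' "$line" | sed -n 's/.*USE="\([^"]*\)".*/\1/p')
  [ -n "$use" ] || { echo absent; return 1; }
  for tok in $use; do
    t=${tok%'*'}
    t=${t%'%'}
    case $t in
      "($flag)"|"(-$flag)") echo masked;   return 0 ;;
      "-$flag")             echo disabled; return 0 ;;
      "$flag")              echo enabled;  return 0 ;;
    esac
  done
  echo absent
  return 1
)

# tls_libs_from_ldd: stdin is `ldd` output; prints "soname resolved_path"
# for the libssl and libcrypto entries only.
tls_libs_from_ldd() {
  awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# report_lpass_tls: run the real checks on an installed lpass binary and
# map each resolved library back to the package that owns it (qfile).
# Only meaningful on a Gentoo system with lpass installed.
report_lpass_tls() {
  bin=$(command -v lpass 2>/dev/null) || { echo "lpass not installed"; return 1; }
  ldd "$bin" | tls_libs_from_ldd | while read -r soname path; do
    owner=$(qfile -q "$path" 2>/dev/null || echo unknown)
    printf '%s -> %s (owner: %s)\n' "$soname" "$path" "$owner"
  done
}

# Constructed sample: the kind of line `emerge -pv app-admin/lastpass-cli`
# prints when libressl is masked by the profile (values made up for the demo).
SAMPLE_EMERGE='[ebuild   R    ] app-admin/lastpass-cli-1.0.0::gentoo  USE="X pinentry (-libressl)" 0 KiB'

# Constructed sample `ldd` output for a binary built against OpenSSL
# (addresses and versions are illustrative only).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd4b3f0000)
    libssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x00007f3a2c000000)
    libcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x00007f3a2bc00000)
    libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007f3a2ba00000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a2b600000)'

# Demo on the constructed data (on a real box, call report_lpass_tls instead).
printf 'libressl: %s\n' "$(use_state libressl "$SAMPLE_EMERGE")"
printf 'pinentry: %s\n' "$(use_state pinentry "$SAMPLE_EMERGE")"
printf '%s\n' "$SAMPLE_LDD" | tls_libs_from_ldd
```

On a real system, `emerge -pv app-admin/lastpass-cli | grep lastpass-cli` gives the line to feed `use_state`, and `report_lpass_tls` answers the thread's actual question (which TLS library the binary uses) from the linker rather than from the USE flag display.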

## Budoka

*eccerr0r wrote:*

> Seems like portage is completely throwing away USE=libressl -- and I think I know why now.
> 
> USE=libressl is in the use.stable.mask for the base configuration because libressl itself is unstable.  You'll have to explicitly unmask this use flag to use it...
> 
> So you're good to go, it will be using openssl without the libressl flag.

Thanks. And thanks for the detailed explanation as well. I like to try to "understand" as much as I can when dealing with this stuff.

----------

