Thats not good :(
Concerns Raised Over Bitwarden Moving Further Away From Open-Source
Submitted 1 year ago by AsudoxDev@programming.dev to technology@lemmy.world
https://www.phoronix.com/news/Bitwarden-Open-Source-Concerns
Comments
No_Support_8363@lemm.ee 1 year ago
Snowpix@lemmy.ca 1 year ago
WhyJiffie@sh.itjust.works 1 year ago
The community’s reaction is a but funny if this was a honest mistake
john117@lemmy.jmsquared.net 1 year ago
oh thank god
ayyy@sh.itjust.works 1 year ago
600 upvotes and only 10 downvotes on literal fake news. This community is brain dead trash.
ammonium@lemmy.world 1 year ago
How is it fake news? They are moving functionality into a proprietary SDK and have a whole framework ready to get around the GPL.
locuester@lemmy.zip 1 year ago
Community is fine, your comment is at the top, along with others pointing this out.
It’s the “non-community” if you will booting this. The passerby’s not reading comments.
octopus_ink@lemmy.ml 1 year ago
No one is listening I’m sorry to say. I corrected a couple people but then realized it was pointless. The discussions in the crossposted communities (which - holy shit I don’t think I’ve seen something so thoroughly spammed across multiple tech communities before) are just as bad or worse.
ealoe@ani.social 1 year ago
Some guy at bitwarden clicks a button wrong on a license drop-down option and all these people crawl out of the woodwork to declare the end of bitwarden being trustworthy. Nothing in the article or the company’s statements indicates an actual move away from open source. Big nothingburger
486@lemmy.world 1 year ago
Maybe you want to read the comment by kspearrin in that Github issue again. They are clearly moving away from open source. He explicitly states that they are in the process of moving more code to their proprietary “SDK” library.
gwen@lemmy.dbzer0.com 1 year ago
can we start reading the articles and not just the headlines??? it literally says it’s a packaging bug
486@lemmy.world 1 year ago
It is really not just a packaging bug. If you read that comment of the Bitwarden person a little further, you’ll notice that he’s talking about that proprietary “SDK” library that they are integrating with their clients. Even if they manage to not actually link it directly with the client, but rather let the client talk to that library via some protocol - it doesn’t make the situation any better. The client won’t work without their proprietary “SDK”, no matter if they remove the build-time dependency or not.
gwen@lemmy.dbzer0.com 1 year ago
oh shit i didnt know that, mb man
Highsight@lemmy.world 1 year ago
When I read this this morning, I had concerns, but then I did some research. The SDKs source is fully available for all to look at and compile. The main issue that people bring up is the license that states:
3.3 You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.
This part seems to be what most people take issue with, as it makes the sdk no longer modifiable, yet a requirement of the core source itself. The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.
From a security standpoint, since the SDK is source available, it can be audited by anyone still (and compiled) so personally, I’m fine with this.
cmrn@lemmy.world 1 year ago
…in the update that came out after this article was posted and the discussion took place.
gwen@lemmy.dbzer0.com 1 year ago
mb i didnt see the update part
sugar_in_your_tea@sh.itjust.works 1 year ago
In general, if it’s Phoronix, I assume the headline is a bit more exaggerated. They put out pretty good content, but they also put out a lot of content, so the editing can be a little lacking IMO.
Shape4985@lemmy.ml 1 year ago
I use to always recommend bitwarden to people. Now i feel like an idiot for doing so with them switching up. Ill be making the effort to move to keepassxc soon and host it myself.
octopus_ink@lemmy.ml 1 year ago
They literally posted that this is a packaging bug and will be resolved.
GhiLA@sh.itjust.works 1 year ago
…host it?
…is there something I’ve been missing out on? Can one host a KeePass vault online? We have web apps? I only know about the Nextcloud ones. I’ve just been using syncthing and merging the conflicts when they happen.
Shape4985@lemmy.ml 1 year ago
I mean sync it between my devices using something like sync thing
Liz@midwest.social 1 year ago
I used to keep a copy of my kepass file in a free Dropbox account.
mli@lemm.ee 1 year ago
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
According to Bitwardens post here, this is a “packaging bug” and will be resolved.
terminal@lemmy.ml 1 year ago
Keepass. Keep it simple.
WhyJiffie@sh.itjust.works 1 year ago
3rd party sync of the database can have a lot of problems
johannesvanderwhales@lemmy.world 1 year ago
If you want to roll your own with keepass that’s fine, but most people will want a more comprehensive solution.
Liz@midwest.social 1 year ago
I switched from keepass to Bitwarden because individual entries started randomly disappearing. I’m still discovering missing accounts after switching a couple of weeks ago. Sometime to do with how keepass was opening the files, because when an entry went missing it was gone even from backup files I hadn’t touched since before the entry disappeared.
Routhinator@startrek.website 1 year ago
Alright does anyone have opinions on Nextcloud Passwords? There’s apps for it and it would sync to my Nextcloud.
I hate this. Bitwarden has been a good app.
sugar_in_your_tea@sh.itjust.works 1 year ago
Bitwarden has been a good app.
And it still is. There’s no reason to stop using Bitwarden, and I will continue my plans to switch to Vaultwarden.
As @Krzd@lemmy.world said, it’s a packaging bug, not an actual change in license. If you read the article, it says as much in the update.
Krzd@lemmy.world 1 year ago
It’s a packaging bug, the headline is false.
GhiLA@sh.itjust.works 1 year ago
Nextcloud passwords is just a client for a KeePass vault.
I guess it’s as good or bad as that can be, but I’m sure it’s limited in functionality to KeePassxc with plugins.
Wispy2891@lemmy.world 1 year ago
Are you sure?
Because last time I tried that it was THE worst password manager that i ever tried in my life. I’d feel safer with the ie6 password manager
kenbw2@lemmy.world 1 year ago
Oh really? Where’s the keepass file stored? This would be very cool if so
Routhinator@startrek.website 1 year ago
TIL… Thanks.
ArkyonVeil@lemmy.dbzer0.com 1 year ago
fuckingkangaroos@lemm.ee 1 year ago
I don’t understand.
Are you saying it’s a bait and switch like Google, where they suck people in with a good product then enshittify it once they’re hooked?
ArkyonVeil@lemmy.dbzer0.com 1 year ago
I’m not thoroughly aware of their dealings, but these amounts of private investment aren’t going to pay for themselves. If you raise 100 million, investors typically want a billion back, or more.
From the looks of it, Bitwarden might’ve tried to go with the Open Source model to get free development resources, trust (because it’s an open source PASSWORD manager), and general goodwill. But now that they’ve deemed that got enough of a market share (or investors are starting to breathe down their necks), it’s time to start raising the walled garden.
Even if they claim after the fact that it was a “Bug” that the client couldn’t be built without their proprietary sdk. The very fact one exists is a bad enough sign, specially when its influence is spreading.
VC is a devil’s bargain. Raising VC money is NEVER a good sign.
magnus@lemmy.ahall.se 1 year ago
Daniel García, owner of the Vaultwarden repo, has recently taken employment for Bitwarden.
The plot thickens.
sugar_in_your_tea@sh.itjust.works 1 year ago
Honestly, if he can replace the current Bitwarden BE w/ Vaultwarden, that would be awesome! The last time I looked at the Bitwarden self-hostable BE, it was super heavy, which is the entire reason I was interested in Vaultwarden.
magnus@lemmy.ahall.se 1 year ago
I’m running a couple of Vaultwarden instances, and it would be really nice if Bitwarden employed Garcia to improve the Rust backend. But as the bitter cynic I am, I guess it is an effort to shut down and control as much of the open source use of Bitwarden as possible.
The worst case, someone will most likely fork Vaultwarden and we can still access it with Keyguard on mobile and the excellent Vaultwarden web interface :)
NanoooK@sh.itjust.works 1 year ago
Great, I’ve just started to use it last week 🤡
octopus_ink@lemmy.ml 1 year ago
It’s just a packaging bug and they said they will fix it.
Scrollone@feddit.it 1 year ago
Just switch to KeePassXC
NanoooK@sh.itjust.works 1 year ago
That’s what I’m using mostly, but the convenience of having auto fill in firefox and being able to share some logins made me want to try bitwarden. Also, it’s not complicated to sync between several devices.
cmrn@lemmy.world 1 year ago
How many times do I need to pack up and move to the next “best option”
sugar_in_your_tea@sh.itjust.works 1 year ago
In this case, zero, because it’s a packaging bug, not an actual change in direction. Read the update on the article:
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
Next time, before jumping to conclusions, wait a day or two and see if the project says something.
486@lemmy.world 1 year ago
I really hope that this is actually the case, but I am not very optimistic. This doesn’t seem to be a mistake. They intentionally move functionality of their clients to their proprietary SDK library. The Bitwarden person stated this in the Github issue and you can also check the commit history. Making that library a build-time dependency might actually have been a mistake. That does not change the fact, that the clients are no longer useful without that proprietary library going forward. Core functionality has been move to that lib. I really don’t care if they talk to that library via some protocol or have it linked at build time. I wouldn’t consider this open source, even if that client wrapper that talks to that library technically is still licensed under GPLv3.
Snowpix@lemmy.ca 1 year ago
Not sure who downvoted you, you literally quoted the article.
cy_narrator@discuss.tchncs.de 1 year ago
Just go to Keepass and its over
doktormerlin@feddit.org 1 year ago
That’s far from the best option. It’s working, but it’s super complicated compared to Bitwarden and other cloud password managers. Imagine telling your grandma “just use keepass”, she would never be able to make it work. But Bitwarden? Lastpass? That’s possible
JustARaccoon@lemmy.world 1 year ago
Sadly as many times as needed, complacency is how these companies get “loyal customers” who are willing to put up with bs
quissberry@lemmy.cafe 1 year ago
Well, I guess not having password manager yet did had some benefit because now I know not to use bitwarden
ShittyBeatlesFCPres@lemmy.world 1 year ago
Oh, for fuck’s sake. Can we have a decent password manager that isn’t tied to a browser or company? I pay for Bitwarden. I’m not being cheap. But open source is more secure. We can look at the code ourselves if there’s a concern.
octopus_ink@lemmy.ml 1 year ago
They have confirmed it was a packaging bug and will be resolved.
shortwavesurfer@lemmy.zip 1 year ago
Its called Keepass. You are welcome
asap@lemmy.world 1 year ago
Nothing in the article or in the Bitwarden repo is moving away from open source
This hysteria is stupid at this point.
coolmojo@lemmy.world 1 year ago
It is a license problem. The license condition of the SDK which is required to build the client app change to limit the usage of it. The new license states that you can only use the Bitwarden SDK for Bitwarden. It is against the Freedoom-0 of the Free Software Foundation. The limitation of English language is that it is hard to differentiate between Free (as in Free bear) and Free (as in Freedoom). Also open source which could mean complaining with FOSS and that source is available. This been unfortunately have been abused before.
cy_narrator@discuss.tchncs.de 1 year ago
Notepad.exe
Telodzrum@lemmy.world 1 year ago
Keepass: Am I a joke to you?
sigmaklimgrindset@sopuli.xyz 1 year ago
Love Keepass. Love that I can sync it however I want. Love that there are multiple open source client options across several operating systems.
01011@monero.town 1 year ago
Pass.
ocassionallyaduck@lemmy.world 1 year ago
Keepass vault synced over syncthing.
I keep not regretting it.
DudeImMacGyver@sh.itjust.works 1 year ago
sigh
Suavevillain@lemmy.world 1 year ago
Well this ain’t good. I don’t really feel like switching apps.
unskilled5117@feddit.org 1 year ago
This is an importang issue IMO that needs to be addressed and the official response by Bitwardens CTO fails to do so.
There is not even a reason provided why such a proprietary license is deemed necessary for the SDK. Furthermore this wasn’t proactively communicated but noticed by users. The locking of the Github Issue indicates that discussion isn’t desired and further communication is not to be expected.
It is a step in the wrong direction after having accepted Venture Capital funding, which already put Bitwardens opensource future in doubt for many users.
This is another step in the wrong direction of a Company that proudly uses the opensource slogan.
telescopius@lemm.ee 1 year ago
This is disheartening.
ghostface@lemmy.world 1 year ago
https://github.com/dani-garcia/vaultwarden Open source version of bitwarden written in rust.
Where is the foundation to support foss?!?
solsangraal@lemmy.zip 1 year ago
so what’s the best pw manager?
KingThrillgore@lemmy.ml 1 year ago
I’m going to keep using Bitwarden because KeepassXC sucks, but not as a paying user. Once this package inclusion is removed, if it is removed, i’ll pay again.
vrighter@discuss.tchncs.de 1 year ago
what sucks about keepassxc?
KingThrillgore@lemmy.ml 1 year ago
I never had any success getting it to work consistently with Firefox.