- cross-posted to:
- selfhosted@lemmy.world
- cross-posted to:
- selfhosted@lemmy.world
oh thank god
The community’s reaction is a but funny if this was a honest mistake
600 upvotes and only 10 downvotes on literal fake news. I wish readers were less lazy, it’s very frustrating.
Edit: made my statement a bit less toxic. I was mad.
How is it fake news? They are moving functionality into a proprietary SDK and have a whole framework ready to get around the GPL.
No one is listening I’m sorry to say. I corrected a couple people but then realized it was pointless. The discussions in the crossposted communities (which - holy shit I don’t think I’ve seen something so thoroughly spammed across multiple tech communities before) are just as bad or worse.
Why would it be fake news? Because they called it a “packaging bug”?
Yes.
To me that just like an excuse for the current mess. Did you read the original GitHub issue? Their CTO also seems to have questionable ideas about the GPLv3.
Community is fine, your comment is at the top, along with others pointing this out.
It’s the “non-community” if you will boosting this. The passerby’s not reading comments.
can we start reading the articles and not just the headlines??? it literally says it’s a packaging bug
It is really not just a packaging bug. If you read that comment of the Bitwarden person a little further, you’ll notice that he’s talking about that proprietary “SDK” library that they are integrating with their clients. Even if they manage to not actually link it directly with the client, but rather let the client talk to that library via some protocol - it doesn’t make the situation any better. The client won’t work without their proprietary “SDK”, no matter if they remove the build-time dependency or not.
When I read this this morning, I had concerns, but then I did some research. The SDKs source is fully available for all to look at and compile. The main issue that people bring up is the license that states:
3.3 You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.
This part seems to be what most people take issue with, as it makes the sdk no longer modifiable, yet a requirement of the core source itself. The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.
From a security standpoint, since the SDK is source available, it can be audited by anyone still (and compiled) so personally, I’m fine with this.
The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.
I don’t see why this should make any difference at all. Sure, I get why he is are saying they are going to fix it - he thinks that this gets them in compliance with the GPLv3. But from a practical point of view there is no difference at all. The software is useless without that SDK part. Even if it does indeed get them in the clear from a legal point of view (which I am not convinced that it actually does), it is still a crappy situation.
I think, it would look way less shady, if they said they are going fully source-available and not pretend that they are keeping the client open source. I would still dislike that, of course. At least that wouldn’t have eroded the trust in them as much as it did for me.
oh shit i didnt know that, mb man
…in the update that came out after this article was posted and the discussion took place.
mb i didnt see the update part
In general, if it’s Phoronix, I assume the headline is a bit more exaggerated. They put out pretty good content, but they also put out a lot of content, so the editing can be a little lacking IMO.
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
According to Bitwardens post here, this is a “packaging bug” and will be resolved.
Daniel García, owner of the Vaultwarden repo, has recently taken employment for Bitwarden.
The plot thickens.
Honestly, if he can replace the current Bitwarden BE w/ Vaultwarden, that would be awesome! The last time I looked at the Bitwarden self-hostable BE, it was super heavy, which is the entire reason I was interested in Vaultwarden.
I’m running a couple of Vaultwarden instances, and it would be really nice if Bitwarden employed Garcia to improve the Rust backend. But as the bitter cynic I am, I guess it is an effort to shut down and control as much of the open source use of Bitwarden as possible.
The worst case, someone will most likely fork Vaultwarden and we can still access it with Keyguard on mobile and the excellent Vaultwarden web interface :)
And I am an ardent optimist, hence why I see it as a good thing.
But yes, worst case someone will fork it, and I’ll probably use that fork.
Phew, looks good on the news with the packaging bug (if they didn’t just got cold feet for worse PR/backlash than they expected and this is a backtracking).
In this case, hopefully Garcia is employed for his expertise and can be deployed to further open source relations :)
Great, I’ve just started to use it last week 🤡
It’s just a packaging bug and they said they will fix it.
Just switch to KeePassXC
That’s what I’m using mostly, but the convenience of having auto fill in firefox and being able to share some logins made me want to try bitwarden. Also, it’s not complicated to sync between several devices.
KeepassXC supports auto fill in Firefox if you install their plugin!
I wonder~ I wonder~ I wonder whyyyy…
I don’t understand.
Are you saying it’s a bait and switch like Google, where they suck people in with a good product then enshittify it once they’re hooked?
I’m not thoroughly aware of their dealings, but these amounts of private investment aren’t going to pay for themselves. If you raise 100 million, investors typically want a billion back, or more.
From the looks of it, Bitwarden might’ve tried to go with the Open Source model to get free development resources, trust (because it’s an open source PASSWORD manager), and general goodwill. But now that they’ve deemed that got enough of a market share (or investors are starting to breathe down their necks), it’s time to start raising the walled garden.
Even if they claim after the fact that it was a “Bug” that the client couldn’t be built without their proprietary sdk. The very fact one exists is a bad enough sign, specially when its influence is spreading.
VC is a devil’s bargain. Raising VC money is NEVER a good sign.
Yeah well said. Looking forward to the day they try to force an “updated” privacy policy on users, or start charging 69.99/year.
Some guy at bitwarden clicks a button wrong on a license drop-down option and all these people crawl out of the woodwork to declare the end of bitwarden being trustworthy. Nothing in the article or the company’s statements indicates an actual move away from open source. Big nothingburger
Maybe you want to read the comment by kspearrin in that Github issue again. They are clearly moving away from open source. He explicitly states that they are in the process of moving more code to their proprietary “SDK” library.
I’m going to keep using Bitwarden because KeepassXC sucks, but not as a paying user. Once this package inclusion is removed, if it is removed, i’ll pay again.
what sucks about keepassxc?
I never had any success getting it to work consistently with Firefox.
I daily drive Firefox as my browser, maybe it’s an issue with the branch? I’ve never had this issue myself. On the rare occasion that that it doesn’t properly detect password field I can just right click and shows as a menu option that I can fill password fill TOTP or email, I’ve never had it just not work at all. Excluding mobile, but that’s strictly an issue with how Android does Auto filling because they can’t have the service that fights to do both and since Firefox has its own autofill service it’s a coin flip of whether or not it uses keypass or Firefox built in password manager
on some sites the plugin fails to properly detect which fields correspond to which, true (usually when javascript fuckery is involved). But fixing that by manually pointing out the fields once on such sites is easy enough for me. I also switched firefox to use keepassxc for passkeys, which makes them actually portable and usable for me.
Alright does anyone have opinions on Nextcloud Passwords? There’s apps for it and it would sync to my Nextcloud.
I hate this. Bitwarden has been a good app.
It’s a packaging bug, the headline is false.
Bitwarden has been a good app.
And it still is. There’s no reason to stop using Bitwarden, and I will continue my plans to switch to Vaultwarden.
As @Krzd@lemmy.world said, it’s a packaging bug, not an actual change in license. If you read the article, it says as much in the update.
Nextcloud passwords is just a client for a KeePass vault.
I guess it’s as good or bad as that can be, but I’m sure it’s limited in functionality to KeePassxc with plugins.
Are you sure?
Because last time I tried that it was THE worst password manager that i ever tried in my life. I’d feel safer with the ie6 password manager
You can encrypt the entire vault and all the contents,… but imo, that should be a default setting.
Seriously, as-is, you log into Nextcloud, click on passwords and every password is literally right there. I’m sure they’re encrypted in the database but fffff.
(I tried it out on my install just now)
(I use KeePassxc mostly)
Oh really? Where’s the keepass file stored? This would be very cool if so
TIL… Thanks.
EDIT: Been playing with it a bit now and if it uses keepass as the DB the advantage I see right now is that having it in Nextcloud means automatic sync, and there are several autofill and syncing apps for various OSes and password sharing and automated checks for breaches. It’s probably a better option for anyone with Nextcloud than going the Keepassxc/syncthing route.
Keepass. Keep it simple.
If you want to roll your own with keepass that’s fine, but most people will want a more comprehensive solution.
I switched from keepass to Bitwarden because individual entries started randomly disappearing. I’m still discovering missing accounts after switching a couple of weeks ago. Sometime to do with how keepass was opening the files, because when an entry went missing it was gone even from backup files I hadn’t touched since before the entry disappeared.
Sound like something you did with replacing files. KeePass is dead simple, and that’s why it’s great.
Nah, the timeline looks like this:
- use account on main
- create backup
- use account on main
- account goes missing from main.
- check backup, account also missing from backup.
Like, it should be in the backup, I proved it was in the original before and after creating the backup. Heck if I know why they went missing.
3rd party sync of the database can have a lot of problems
Thats not good :(
I use to always recommend bitwarden to people. Now i feel like an idiot for doing so with them switching up. Ill be making the effort to move to keepassxc soon and host it myself.
They literally posted that this is a packaging bug and will be resolved.
That’s good news
Just because I didn’t see a response on this one, you might have read it already in other comments but the packaging bug is a cop out. They are still intending to migrate over to the proprietary SDK, and it will eventually become a requirement for the platform. The only difference was that at the state of the project it wasn’t supposed to be a requirement in order to compile, but they do still very intently have a restrictive license on the SDK and you aren’t allowed to use the sdk outside of the project. meaning that it has to be present for the program to work and that you’re not allowed to use it in other programs.
Why they call it a packaging bug I’m not sure because the end result is the same the package is required for the program to work and that package that is required is not GPL
That being said some other comments have gone a little bit more in detail on it and might be a little more descriptive than me
…host it?
…is there something I’ve been missing out on? Can one host a KeePass vault online? We have web apps? I only know about the Nextcloud ones. I’ve just been using syncthing and merging the conflicts when they happen.
I mean sync it between my devices using something like sync thing
I used to keep a copy of my kepass file in a free Dropbox account.
This is an important issue IMO that needs to be addressed and the official response by Bitwardens CTO fails to do so.
There is not even a reason provided why such a proprietary license is deemed necessary for the SDK. Furthermore this wasn’t proactively communicated but noticed by users. The locking of the Github Issue indicates that discussion isn’t desired and further communication is not to be expected.
It is a step in the wrong direction after having accepted Venture Capital funding, which already put Bitwardens opensource future in doubt for many users.
This is another step in the wrong direction for a company that proudly uses the opensource slogan.
They’re basically trying to get rid of vaultwarden and other open source forks. I expect they’ll get a cease and desist and be removed from github at some point in the not too distant future if they don’t make some changes. I have a vaultwarden instance and use the bit warden clients. Guess I’ll need to look for alternatives in case Bitwarden decides to get aggressive.
nothing lasts forever without being enshittified
Except if it’s free software.
not in capitalism no
Welp, I guess another time to move here soon.
And I just fucking vouched for them to a friend recently 🤡
Didn’t know about VC funding these parasites using their funding to turn everything into shite.
What’s the current “best” alternative? Keepass?
It’s not open source, but I got a lifetime license for Enpass over a decade ago and it’s done everything I’ve ever needed it for. I think stacksocial occasionally has new lifetime codes for sale. I like the idea of Proton Pass as others have said, but it feels a bit like putting all my eggs in one basket, which is a mistake I already made with Google before (context: I use Proton for email). I think Keepass is the next best option if dedicated to staying FOSS.
I haven’t jumped yet, but the Proton suite is looking more and more appealing. I’ve been eyeing them as a Gmail replacement, but I’ve been happy with my VPN and password management providers. As this reduces the bundle makes more sense.
They have a solid value proposition but don’t like putting all my eggs all in one basket both for security and monopoly reasons.
They seem to be gunning for one stop shop and I think they are doing decent shop but I just don’t like the idea after what Google did to us.
Situation is a bit different but gonna need to tka the lessons and not let these corpos do this again.
That’s a good practice, and I think you’re right that is what they’re going for. I don’t think that means you shouldn’t consider them, but it does lower their value proposition as the bundle is the better deal.
this isnt a full solution obviously, but I figured it’d be nice to know: Proton lets you set different passwords for your email and password manager, so at least from a security standpoint its not all behind the same password, even if it is still from the same company
Oh, for fuck’s sake. Can we have a decent password manager that isn’t tied to a browser or company? I pay for Bitwarden. I’m not being cheap. But open source is more secure. We can look at the code ourselves if there’s a concern.
Its called Keepass. You are welcome
They have confirmed it was a packaging bug and will be resolved.
Nothing in the article or in the Bitwarden repo suggests that it’s moving away from open source
It is a license problem. The license condition of the SDK which is required to build the client app change to limit the usage of it. The new license states that you can only use the Bitwarden SDK for Bitwarden. It is against the Freedoom-0 of the Free Software Foundation. The limitation of English language is that it is hard to differentiate between Free (as in Free bear) and Free (as in Freedoom). Also open source which could mean complaining with FOSS and that source is available. This been unfortunately have been abused before.
From the article, it’s a packaging bug, not a change in direction.
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
I was referring to this which started it all.
Here is the code in question. Basically, it’s a source-available, but not FOSS internal SDK, with the following language:
The password manager SDK is not intended for public use and is not supported by Bitwarden at this stage. It is solely intended to centralize the business logic and to provide a single source of truth for the internal applications. As the SDK evolves into a more stable and feature complete state we will re-evaluate the possibility of publishing stable bindings for the public. The password manager interface is unstable and will change without warning.
So I think the “bug” here is in not linking the original repo in the NPM package, and there’s a decent chance that this internal SDK will become FOSS in the future once it stabilizes. That said, it’s currently not FOSS, but it’s too early IMO to determine whether Bitwarden is moving in a non-FOSS direction, or if they’re just trying to keep things simple while they do some heavy refactoring to remove redundancy across apps.
Given their past, I’m willing to give them the benefit of the doubt, but I’ll be making sure I have regular backups in case things change.
Notepad.exe
Its open source now right?
Keepass: Am I a joke to you?
Love Keepass. Love that I can sync it however I want. Love that there are multiple open source client options across several operating systems.
Android syncthing announced they’re stopping development this year. Open source got fucked double today
terrible day. There is a fork called syncthing-fork that is under current development. I hope both projects merge.
Keepassxc? Vaultwarden?
Isn’t Vaultwarden used with non-free Bitwarden clients?
This need not be the case, though! There’s an open source client on Android called Keyguard. I don’t think the desktop app was at all useful anyway. You can just log into your Vaultwarden through any browser. The desktop app is pointless.
Keyguard isn’t open source. Have a look at their license. It just says “All rights reserved”.
True, but the firefox extension is nice.
The clients are free.
They now require a non-free Bitwarden SDK component. That’s what this whole conversation is about.
And the whole conversation is about a bug, not a change in direction…
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
Could you ELI5 please?
“You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.”
This is a condition when using their SDK. This is not considered a free (as in freedom) component because it violates freedom 0: https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms
Only the desktop client. And the response is that not being able to compile sans SDK is an issue they will resolve.
I still think this is bad directionally, but we need to see what happens.
Pass.