587
Concerns Raised Over Bitwarden Moving Further Away From Open-Source (www.phoronix.com)
submitted 1 day ago by AsudoxDev@programming.dev to c/technology@lemmy.world
169 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[-] ShittyBeatlesFCPres@lemmy.world 123 points 23 hours ago

Oh, for fuck’s sake. Can we have a decent password manager that isn’t tied to a browser or company? I pay for Bitwarden. I’m not being cheap. But open source is more secure. We can look at the code ourselves if there’s a concern.

[-] octopus_ink@lemmy.ml 6 points 5 hours ago

They have confirmed it was a packaging bug and will be resolved.

[-] shortwavesurfer@lemmy.zip 10 points 11 hours ago

Its called Keepass. You are welcome

[-] asap@lemmy.world 8 points 15 hours ago* (last edited 15 hours ago)

Nothing in the article or in the Bitwarden repo suggests that it's moving away from open source

[-] coolmojo@lemmy.world 2 points 6 hours ago

It is a license problem. The license condition of the SDK which is required to build the client app change to limit the usage of it. The new license states that you can only use the Bitwarden SDK for Bitwarden. It is against the Freedoom-0 of the Free Software Foundation. The limitation of English language is that it is hard to differentiate between Free (as in Free bear) and Free (as in Freedoom). Also open source which could mean complaining with FOSS and that source is available. This been unfortunately have been abused before.

[-] sugar_in_your_tea@sh.itjust.works 3 points 4 hours ago

From the article, it's a packaging bug, not a change in direction.

Update: Bitwarden posted to X this evening to reaffirm that it's a "packaging bug" and that "Bitwarden remains committed to the open source licensing model."

[-] coolmojo@lemmy.world 2 points 3 hours ago

I was referring to this which started it all.

[-] sugar_in_your_tea@sh.itjust.works 3 points 3 hours ago

Here is the code in question. Basically, it's a source-available, but not FOSS internal SDK, with the following language:

The password manager SDK is not intended for public use and is not supported by Bitwarden at this stage. It is solely intended to centralize the business logic and to provide a single source of truth for the internal applications. As the SDK evolves into a more stable and feature complete state we will re-evaluate the possibility of publishing stable bindings for the public. The password manager interface is unstable and will change without warning.

So I think the "bug" here is in not linking the original repo in the NPM package, and there's a decent chance that this internal SDK will become FOSS in the future once it stabilizes. That said, it's currently not FOSS, but it's too early IMO to determine whether Bitwarden is moving in a non-FOSS direction, or if they're just trying to keep things simple while they do some heavy refactoring to remove redundancy across apps.

Given their past, I'm willing to give them the benefit of the doubt, but I'll be making sure I have regular backups in case things change.

[-] Telodzrum@lemmy.world 63 points 22 hours ago

Keepass: Am I a joke to you?

[-] sigmaklimgrindset@sopuli.xyz 26 points 19 hours ago

Love Keepass. Love that I can sync it however I want. Love that there are multiple open source client options across several operating systems.

[-] saddlebag@lemmy.world 26 points 16 hours ago

Android syncthing announced they’re stopping development this year. Open source got fucked double today

[-] prosp3kt@lemmy.dbzer0.com 12 points 16 hours ago

terrible day. There is a fork called syncthing-fork that is under current development. I hope both projects merge.

[-] wetsuiterest@lemmy.blahaj.zone 28 points 23 hours ago

Keepassxc? Vaultwarden?

[-] pmc@lemmy.blahaj.zone 17 points 22 hours ago

Isn't Vaultwarden used with non-free Bitwarden clients?

[-] bilb@lem.monster 2 points 15 hours ago

This need not be the case, though! There's an open source client on Android called Keyguard. I don't think the desktop app was at all useful anyway. You can just log into your Vaultwarden through any browser. The desktop app is pointless.

[-] SaharaMaleikuhm@feddit.org 2 points 7 hours ago

True, but the firefox extension is nice.

[-] fmstrat@lemmy.nowsci.com 2 points 19 hours ago

The clients are free.

[-] pmc@lemmy.blahaj.zone 16 points 18 hours ago

They now require a non-free Bitwarden SDK component. That's what this whole conversation is about.

[-] sugar_in_your_tea@sh.itjust.works 2 points 4 hours ago

And the whole conversation is about a bug, not a change in direction...

Update: Bitwarden posted to X this evening to reaffirm that it's a "packaging bug" and that "Bitwarden remains committed to the open source licensing model."

[-] fmstrat@lemmy.nowsci.com 1 points 10 hours ago

Only the desktop client. And the response is that not being able to compile sans SDK is an issue they will resolve.

I still think this is bad directionally, but we need to see what happens.

[-] aisteru@lemmy.aisteru.ch 2 points 16 hours ago

Could you ELI5 please?

[-] AsudoxDev@programming.dev 4 points 15 hours ago

"You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK."

This is a condition when using their SDK. This is not considered a free (as in freedom) component because it violates freedom 0: https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms

[-] cy_narrator@discuss.tchncs.de 2 points 16 hours ago* (last edited 16 hours ago)

Notepad.exe

Its open source now right?

[-] 01011@monero.town 4 points 22 hours ago

Pass.

this post was submitted on 20 Oct 2024
587 points (90.0% liked)

Technology

58795 readers
2849 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world