• unskilled5117@feddit.org
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    1 month ago

    This is an important issue IMO that needs to be addressed and the official response by Bitwardens CTO fails to do so.

    There is not even a reason provided why such a proprietary license is deemed necessary for the SDK. Furthermore this wasn’t proactively communicated but noticed by users. The locking of the Github Issue indicates that discussion isn’t desired and further communication is not to be expected.

    It is a step in the wrong direction after having accepted Venture Capital funding, which already put Bitwardens opensource future in doubt for many users.

    This is another step in the wrong direction for a company that proudly uses the opensource slogan.

    • sunzu2@thebrainbin.org
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      1 month ago

      Welp, I guess another time to move here soon.

      And I just fucking vouched for them to a friend recently 🤡

      Didn’t know about VC funding these parasites using their funding to turn everything into shite.

      What’s the current “best” alternative? Keepass?

      • foggenbooty@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        I haven’t jumped yet, but the Proton suite is looking more and more appealing. I’ve been eyeing them as a Gmail replacement, but I’ve been happy with my VPN and password management providers. As this reduces the bundle makes more sense.

        • sunzu2@thebrainbin.org
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          1 month ago

          They have a solid value proposition but don’t like putting all my eggs all in one basket both for security and monopoly reasons.

          They seem to be gunning for one stop shop and I think they are doing decent shop but I just don’t like the idea after what Google did to us.

          Situation is a bit different but gonna need to tka the lessons and not let these corpos do this again.

    • irotsoma@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      They’re basically trying to get rid of vaultwarden and other open source forks. I expect they’ll get a cease and desist and be removed from github at some point in the not too distant future if they don’t make some changes. I have a vaultwarden instance and use the bit warden clients. Guess I’ll need to look for alternatives in case Bitwarden decides to get aggressive.

  • ayyy@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    6
    ·
    edit-2
    1 month ago

    600 upvotes and only 10 downvotes on literal fake news. I wish readers were less lazy, it’s very frustrating.

    Edit: made my statement a bit less toxic. I was mad.

    • ammonium@lemmy.world
      link
      fedilink
      English
      arrow-up
      9
      ·
      1 month ago

      How is it fake news? They are moving functionality into a proprietary SDK and have a whole framework ready to get around the GPL.

        • qaz@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 month ago

          To me that just like an excuse for the current mess. Did you read the original GitHub issue? Their CTO also seems to have questionable ideas about the GPLv3.

    • locuester@lemmy.zip
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 month ago

      Community is fine, your comment is at the top, along with others pointing this out.

      It’s the “non-community” if you will boosting this. The passerby’s not reading comments.

    • octopus_ink@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      No one is listening I’m sorry to say. I corrected a couple people but then realized it was pointless. The discussions in the crossposted communities (which - holy shit I don’t think I’ve seen something so thoroughly spammed across multiple tech communities before) are just as bad or worse.

  • ShittyBeatlesFCPres@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 month ago

    Oh, for fuck’s sake. Can we have a decent password manager that isn’t tied to a browser or company? I pay for Bitwarden. I’m not being cheap. But open source is more secure. We can look at the code ourselves if there’s a concern.

      • sigmaklimgrindset@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        Love Keepass. Love that I can sync it however I want. Love that there are multiple open source client options across several operating systems.

        • saddlebag@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 month ago

          Android syncthing announced they’re stopping development this year. Open source got fucked double today

          • prosp3kt@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 month ago

            terrible day. There is a fork called syncthing-fork that is under current development. I hope both projects merge.

    • asap@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      1 month ago

      Nothing in the article or in the Bitwarden repo suggests that it’s moving away from open source

      • coolmojo@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 month ago

        It is a license problem. The license condition of the SDK which is required to build the client app change to limit the usage of it. The new license states that you can only use the Bitwarden SDK for Bitwarden. It is against the Freedoom-0 of the Free Software Foundation. The limitation of English language is that it is hard to differentiate between Free (as in Free bear) and Free (as in Freedoom). Also open source which could mean complaining with FOSS and that source is available. This been unfortunately have been abused before.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 month ago

          From the article, it’s a packaging bug, not a change in direction.

          Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 month ago

              Here is the code in question. Basically, it’s a source-available, but not FOSS internal SDK, with the following language:

              The password manager SDK is not intended for public use and is not supported by Bitwarden at this stage. It is solely intended to centralize the business logic and to provide a single source of truth for the internal applications. As the SDK evolves into a more stable and feature complete state we will re-evaluate the possibility of publishing stable bindings for the public. The password manager interface is unstable and will change without warning.

              So I think the “bug” here is in not linking the original repo in the NPM package, and there’s a decent chance that this internal SDK will become FOSS in the future once it stabilizes. That said, it’s currently not FOSS, but it’s too early IMO to determine whether Bitwarden is moving in a non-FOSS direction, or if they’re just trying to keep things simple while they do some heavy refactoring to remove redundancy across apps.

              Given their past, I’m willing to give them the benefit of the doubt, but I’ll be making sure I have regular backups in case things change.

  • gwen@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 month ago

    can we start reading the articles and not just the headlines??? it literally says it’s a packaging bug

    • 486@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 month ago

      It is really not just a packaging bug. If you read that comment of the Bitwarden person a little further, you’ll notice that he’s talking about that proprietary “SDK” library that they are integrating with their clients. Even if they manage to not actually link it directly with the client, but rather let the client talk to that library via some protocol - it doesn’t make the situation any better. The client won’t work without their proprietary “SDK”, no matter if they remove the build-time dependency or not.

      • Highsight@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 month ago

        When I read this this morning, I had concerns, but then I did some research. The SDKs source is fully available for all to look at and compile. The main issue that people bring up is the license that states:

        3.3 You may not use this SDK to develop applications for use with software other
        than Bitwarden (including non-compatible implementations of Bitwarden) or to
        develop another SDK.
        

        This part seems to be what most people take issue with, as it makes the sdk no longer modifiable, yet a requirement of the core source itself. The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.

        From a security standpoint, since the SDK is source available, it can be audited by anyone still (and compiled) so personally, I’m fine with this.

        • 486@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 month ago

          The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.

          I don’t see why this should make any difference at all. Sure, I get why he is are saying they are going to fix it - he thinks that this gets them in compliance with the GPLv3. But from a practical point of view there is no difference at all. The software is useless without that SDK part. Even if it does indeed get them in the clear from a legal point of view (which I am not convinced that it actually does), it is still a crappy situation.

          I think, it would look way less shady, if they said they are going fully source-available and not pretend that they are keeping the client open source. I would still dislike that, of course. At least that wouldn’t have eroded the trust in them as much as it did for me.

    • cmrn@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 month ago

      …in the update that came out after this article was posted and the discussion took place.

  • mli@lemm.ee
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 month ago

    Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”

    According to Bitwardens post here, this is a “packaging bug” and will be resolved.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      Honestly, if he can replace the current Bitwarden BE w/ Vaultwarden, that would be awesome! The last time I looked at the Bitwarden self-hostable BE, it was super heavy, which is the entire reason I was interested in Vaultwarden.

      • Magnus Åhall@lemmy.ahall.se
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 month ago

        I’m running a couple of Vaultwarden instances, and it would be really nice if Bitwarden employed Garcia to improve the Rust backend. But as the bitter cynic I am, I guess it is an effort to shut down and control as much of the open source use of Bitwarden as possible.

        The worst case, someone will most likely fork Vaultwarden and we can still access it with Keyguard on mobile and the excellent Vaultwarden web interface :)

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 month ago

          And I am an ardent optimist, hence why I see it as a good thing.

          But yes, worst case someone will fork it, and I’ll probably use that fork.

        • Magnus Åhall@lemmy.ahall.se
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 month ago

          Phew, looks good on the news with the packaging bug (if they didn’t just got cold feet for worse PR/backlash than they expected and this is a backtracking).

          In this case, hopefully Garcia is employed for his expertise and can be deployed to further open source relations :)

  • Routhinator@startrek.website
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 month ago

    Alright does anyone have opinions on Nextcloud Passwords? There’s apps for it and it would sync to my Nextcloud.

    I hate this. Bitwarden has been a good app.

    • GHiLA@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      Nextcloud passwords is just a client for a KeePass vault.

      I guess it’s as good or bad as that can be, but I’m sure it’s limited in functionality to KeePassxc with plugins.

      • Wispy2891@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 month ago

        Are you sure?

        Because last time I tried that it was THE worst password manager that i ever tried in my life. I’d feel safer with the ie6 password manager

        • GHiLA@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 month ago

          You can encrypt the entire vault and all the contents,… but imo, that should be a default setting.

          Seriously, as-is, you log into Nextcloud, click on passwords and every password is literally right there. I’m sure they’re encrypted in the database but fffff.

          (I tried it out on my install just now)

          (I use KeePassxc mostly)

  • cmrn@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 month ago

    EDIT: The article has been updated and it was described as a “packaging bug” and not an intended change.

    How many times do I need to pack up and move to the next “best option”

      • doktormerlin@feddit.org
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 month ago

        That’s far from the best option. It’s working, but it’s super complicated compared to Bitwarden and other cloud password managers. Imagine telling your grandma “just use keepass”, she would never be able to make it work. But Bitwarden? Lastpass? That’s possible

        • cy_narrator@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 month ago

          Is it so?

          I feel like anyone who can open up and edit ms word can do it, just double click on the keepass.kdbx file and it opens up prompting for a password.

          Syncing is a bit of a problem and I wrote an article on how I do it here in the easiest way I found. Though MEGA cloud does not have a good reputation among general public, their share link is something you can write in a piece of paper and keep in a safe.

          • doktormerlin@feddit.org
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 month ago

            “Just double click the keepass.kdbx” is not what it is. You need to go to your explorer, find the file in the folder structure and double click it. You then need to search for the website you are on and copy the password, then you need to go back to the website within 12 seconds and paste the password. That’s inconvenient for everyone, but for a tech-illiterate grandma it’s impossible.

            Compare that to Bitwarden: You go to the website, click on the bitwarden icon and then click on the login details. Or even better, you can enable auto-complete with a single click and it automatically fills the login details when on the website, without clicking anything. That’s far more convenient and easier.

            Just as a FYI: My grandma has a sticky note on her laptop that shows exactly which buttons to press to get to her emails, with things like “Click this twice within 2 second, be fast!!” for a double click. It doesn’t say “lef mouse button”, she draw her touchpad and an arrow. She is not able to find her mails when the website changes the layout.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 month ago

      In this case, zero, because it’s a packaging bug, not an actual change in direction. Read the update on the article:

      Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”

      Next time, before jumping to conclusions, wait a day or two and see if the project says something.

    • r00ty@kbin.life
      link
      fedilink
      arrow-up
      2
      ·
      1 month ago

      If they’re moving away from open source/more monetisation then they’re going to do one of two things.

      1: Make the client incompatible (e.g you’ll need to get hold of and prevent updating of a current client).
      2: DMCA the vaultwarden repo

      If they’re going all-in on a cash grab, they’re not going to make it easy for you to get a free version.

      • schizo@forum.uncomfortable.business
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 month ago

        Don’t forget option 3: someone writes a vaultwarden client independent of the closed-source crap.

        If you can write a server that fully supports the client via the documented API, then you know everything you’d need to do to make a client as well.

      • potustheplant@feddit.nl
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        You can’t “dmca” the fork that was created while it was still open source. They could only prevent it from getting future updates (directly from them).

  • kingthrillgore@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    2
    ·
    1 month ago

    I’m going to keep using Bitwarden because KeepassXC sucks, but not as a paying user. Once this package inclusion is removed, if it is removed, i’ll pay again.

        • Pika@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 month ago

          I daily drive Firefox as my browser, maybe it’s an issue with the branch? I’ve never had this issue myself. On the rare occasion that that it doesn’t properly detect password field I can just right click and shows as a menu option that I can fill password fill TOTP or email, I’ve never had it just not work at all. Excluding mobile, but that’s strictly an issue with how Android does Auto filling because they can’t have the service that fights to do both and since Firefox has its own autofill service it’s a coin flip of whether or not it uses keypass or Firefox built in password manager

        • vrighter@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 month ago

          on some sites the plugin fails to properly detect which fields correspond to which, true (usually when javascript fuckery is involved). But fixing that by manually pointing out the fields once on such sites is easy enough for me. I also switched firefox to use keepassxc for passkeys, which makes them actually portable and usable for me.

      • ocassionallyaduck@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        Syncthing is encrypted transfers.

        The database is encrypted.

        And you can set it to not use relays for data, only matchmaking between your own devices.

        So it’s an encrypted file, encrypted again, and sent directly from an IP you own to an IP you own.

    • Routhinator@startrek.website
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      1 month ago

      I’ve always loved Keepass, however I moved away from it in 2012 as it and any file based vault has brute forcing issues. You need to track every copy of it that has been made and if any copy falls out of your hands, like if you lose a device, you need to do a password rotation on 100% of your passwords. Since its a file, its not possible to prevent brute forcing.

      • ocassionallyaduck@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        An online database is still a file ultimately. A SQL or other DB file stored in a webserver, accessed through a web interface.

        Vaultwarden, etc, are the same, only the database file is less directly visible IMO. Keepass IMO is simple. The DB in a bespoke format, stored outside the application.

        You could put the vault in system32 and name it “trustedinstaller.log”, and if someone saw you had keepass they wouldn’t even know where your vault is.

        Given the number of well documented breaches of online password vaults, I would much rather do a private device to device sync via syncthing and keep it out of webservers.

    • asudox@programming.devOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 month ago

      The server is not open source and I wouldn’t trust a business that is not just working on password managers.

      • DarkThoughts@fedia.io
        link
        fedilink
        arrow-up
        1
        ·
        1 month ago

        and I wouldn’t trust a business that is not just working on password managers.

        Because…? They’re a privacy tool oriented company, no?

        • asudox@programming.devOP
          link
          fedilink
          English
          arrow-up
          0
          arrow-down
          1
          ·
          1 month ago

          Because they aren’t focused on just one single service. Bitwarden is a single business only focusing on their password manager, whereas proton has a suite of tools. Passwords need to be stored absolutely in a robust and safe way. I don’t trust proton with anything at all, and the proton pass is no exception. The client might be open source, but the backend is not. It’s also not as mature as bitwarden.

      • solsangraal@lemmy.zip
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 month ago

        so the “no longer open source” means they’ll be moving to a saas model or something? i’m not super cybersecurity savvy but bitwarden is what i use

        • winterayars@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 month ago

          No, technically they already are SaaS company. That’s mostly how they make their money.

          Also it should be noted “no longer open source” doesn’t mean they’ve done a “our code is now closed and all your passwords are ours” rug pull like some other corporations. This is a technical concern with the license and it no longer meets proper FOSS standards (in other words, it has a restriction on it now that you wouldn’t see in, for example, the GPL).

          So by and large the change is very minimal, the code is still available, it’s still the best option. However, this does matter. It may be a sign of the company changing directions. It’s something they should get pushback about.

          • dustyData@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            1 month ago

            The SDK was never FOSS, and was never under the GPL. Hence why they can add the text mentioned in the article. You don’t get to change the text of a FOSS license to begin with. It isn’t unheard of for text like this to be part of proprietary software that integrates with and uses FOSS that are under different licenses.

            That said, this is concerning, but whether it changes BW’s FOSS state is a matter of legal bickering that has been going on for decades.

            • KairuByte@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 month ago

              You can’t retroactively change FOSS licensing, but oft times you can alter the licensing moving forward. Not always the case, of course. But in no way are all FOSS licenses set in stone.

    • ChillPill@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 month ago

      Keepass? No cross device support, you need to manage that yourself through something like Google Drive…