- cross-posted to:
- linux@lemmy.ml
- cross-posted to:
- linux@lemmy.ml
Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:
You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.
This violates freedom 0.
It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.
i was about to replace my glorified encrypted text file for a password manager. guess relying on 3rd parties in a late-stage capitalist world is not a viable alternative.
ill stay with my encrypted text file until they privatize encryption. by then ill probably be carving my passwords out on stone. or burning down the servers of these fucking pigs trying to make us identify ourselves for everything on the internet now.
KeePassXC is pretty amazing. :)
can u selfhost it?
It’s basically your encrypted file, you are to handle synchronisation yourself.
deleted by creator
I would assume so. According to the page Documentation and FAQ,
Why is there no cloud synchronization feature built into KeePassXC?
Cloud synchronization with Dropbox, Google Drive, OneDrive, ownCloud, Nextcloud etc. can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your synchronization service of choice do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low.
Does anyone have experience with keyguard? From a cursory glance, this + vaultwarden seems like a good alternative…
It definitely has a nicer design and blends in well with the rest of the system (at least on Android)
I just tried it out and I’m amazed. It looks and feels just like 1Password, my absolute favorite password manager (before I switched to Bitwarden, because 1Password is proprietary and pretty expensive)
I definitely recommend it
I have some! I use a self hosted vaultwarden and just two days ago I saw and installed KeyGuard out of curiosity. So far, I can say KeyGuard is a nicer looking and feeling app and… it works. So as long as their intentions are pure, you can use “bitwarden” without using any of their software or infrastructure.
Just tried it, and it seems you can’t edit or add items without a premium subscription??
Or am I missing something?
Edit: Apparently only when installing via the Play Store. Very weird decision.
Ah, yeah, I installed it from their github with obtainium. I think open source/libre app that charges people to install with the play store is a model a few others have tried as well.
I don’t think it’s unreasonable to want to be paid, but a mandatory subscription when using the most common install method does irk me the wrong way
I haven’t looked into it at all, but that just seems so strange. Who would pay that when the original Bitwarden app is still there for free? Most people who would even know about KeyGuard would know how to install it from somewhere else. Is it essentially a donation?
It would be if it’s a one-time payment, but it’s a yearly subscription, and not a cheap one!
License
The source code is available for personal use only.
That doesn’t really seem like an improvement, although do they say they’re planning on releasing it under the FSL.
Ah damn it -.-
Too bad, the app is really nice to use :/
How would the community’s reaction be if Bitwarden goes, “Look, we are moving more into the enterprise space, which means using proprietary software to service their needs. Our intention is to keep the enterprise and public versions sandboxed, but there is crossover, and we made a mistake.”? I really don’t care what they do in the enterprise space. Perhaps I’m an apologist, but seemingly more torn than most other posters.
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
- the SDK and the client are two separate programs
- code for each program is in separate repositories
- the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
I.e. “fuck you and your foss”
deleted by creator
Pretty much the opposite
I doubt it. What’ll probably happen is them moving more and more of the logic into the SDK (or adding the back-end of new features there), and leaving the original app to be more or less an agpl-licensed ui, while the actual logic becomes source-available. Soo, somewhat red-hat-esque vibes: no-no, we don’t violate no stupid licenses, we just completely go against their spirit.
go against their spirit
I think this is more of a failure of the license itself. It’s not a good look to allow something explicitly and then go “no not like that!”
I’m not sure you can classify this as a failure, as explicitly prohibiting interfacing with non-agpl stuff would greatly limit the amount of stuff you can license under it, perhaps up to the point of making it generally unusable. As for “not like that”… Well, yeah. But you can’t deny it’s misleading, right? Free software kinda implies you can modify it whatever you want, and if it’s a free ui relying on a source-available middleware… Turns out, not so much.
Although, a posdible solution would be require explicitly mentioning if you’re basically a front-end for something; but I’m not sure if it can be legally distinguished from the rest of use-cases.
Laughs in keepassxc
https://github.com/bitwarden/clients/issues/11611#issuecomment-2436287977
We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.
https://github.com/bitwarden/sdk-internal/commit/db648d7ea85878e9cce03283694d01d878481f6b
Thank you to Bitwarden for relicensing a thing to GPLv3 License!
If this is not resolved I will likely switch to another service. Free software compatibility was the main reason I paid for bitwarden over its competitors.
What does this change for you?
Seems to change nothing for all my devices which is a cheap offering at $10/year.
How will anyone know what they add to the code now? That’s the problem, and with our fucking passwords no less. They can fuck right off. In my environment alone they will be loosing upwards of 3,500 dollars yearly, 700,000 if I can convince my boss to dump them for the company as well.
What part changed the code to closed source?
In my environment alone they will be loosing upwards of 3,500 dollars yearly, 700,000 if I can convince my boss to dump them for the company as well.
And move to what?
Anything, even Proton. The point is making a statement. If you start as OSS, you can fuck right off when you decide to come back sideways locking code down.
The direction that the company is taking. Clearly that Bitwarden feels like other open source projects are diverting revenue from them.
That’s a small step towards enshittification. They close this part of the software, then another part until slowly it is closed source.
We’ve seen this move over and over.
Stopping your business with Bitwarden over that issue sends a message that many customers don’t find this acceptable. If enough people stop using their service, they have a chance to backtrack. But even then, if they’ve done it once, they’ll try it again.
Your current price is 10$/year now. But the moment a company tries to cull any open source of their project is the moment they try to cash it in.
That’s a small step towards enshittification
Going away from opensource model that you built your business over is a pretty big step.
And incredibly stupid as well.
I will change for sure, as well. Let’s see.
Ever since BitWarden got mired in capitalism, I’ve been dreading that something like this would happen.
Looks like I might be moving to Proton Pass after all! I’ll give them some time to see what they do about this, but will happily give my money to someone else and migrate friends/family as well.
I know little about Proton Pass, but how confident are you they don’t also use a proprietary SDK with their open source apps?
Proton pass client doesn’t currently use a proprietary SDK, but they also haven’t made the same blunder as Bitwarden, which they’ve since fixed, but still not a good look.
On another note - I did export/import all my passwords into proton pass and WOW the speed and UX feels so much better. I’m still sticking with Bitwarden as they’ve been really good so far, but there’s a real good alternative should they ever “turn evil”.
A few questions out of ignorance. How different is this to gitlab’s open core model? Is this a permanent change? Is the involvement of investors the root of this? Are we overreacting as it doesn’t meet our strict definition of foss?
How different is this to gitlab’s open core model?
That’s a really good question that I don’t immediately have a satisfying answer to.
There are some differences I can point out though:
- Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW’s clients cannot even be compiled without the proprietary SDK anymore.
- Gitlab was always a permissive license (MIT) and never attempted to subvert its original license terms
- Gitlab-EE’s “closed” core is actually quite open (go read the source code) but still squarely in the proprietary camp because it requires you to have a valid subscription to exercise your freedoms.
Is this a permanent change?
It’d be quite trivial for them to do in technical terms: Either license the SDK as GPL or stop using it in the clients.
I don’t see a reason for them to roll it back though. This was decided long ago and they explicitly decided to stray away from the status quo and make it closed source.
The only thing I could see making them revert this would be public pressure. If they lose a sufficient amount of subscribers over this, that might make them reconsider. Honestly though by that time, the cat’s out of the bag and all the public goodwill and trust is gone.
It’s honestly a bafflingly bad decision from even just a business perspective. I predict they’ll lose at least 20% but likely 30-50% of their subscribers to this.Is the involvement of investors the root of this?
I find that likely. If it stinks, it’s usually something stinky’s fault.
Are we overreacting as it doesn’t meet our strict definition of foss?
They are attempting to subvert one of the FOSS licenses held in the highest regard. You cannot really be much more anti than this.
An “honest” switch to completely proprietary licenses with a public announcement months prior would have been easier to accept.
Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW’s clients cannot even be compiled without the proprietary SDK anymore.
None of that makes Bitwarden not open source. Not only that, they specifically state this is a bug which will be addressed.
I would go as far as to say that Bitwarden’s main competitive advantage and differentiation is that it’s open source. They would be insane to stop that.
None of that makes Bitwarden not open source.
Yes, it does, because it violates its own license GPLv3 by having proprietary build-/runtime dependencies.
If it was under a different, maybe more permissive, open source license, then maybe it would still be open source, but as of right now i likely breaks its own license terms.
Not only that, they specifically state this is a bug which will be addressed.
From what they state, they think that because executables that share internal information via standard protocols does somehow not break GPL3 terms compared to two libraries that share internal state via the standardized C ABI which does. And they seem to not consider that a bug, just the build-time dependency.
Sorry that’s my mistake - I should have said “source available”, rather than “open source”. IMO, being source available is the critical component of a password manager like Bitwarden, and is what I meant when I referred to their main competitive advantage.
They might also choose to be open source and fix this specific issue and return to GPL-compatibility, but remaining source available would seem to be the more critical factor.
So you meant to say:
I would go as far as to say that Bitwarden’s main competitive advantage and differentiation is that it’s source is available.
That is not true, there are a lot of other password management software out there where the client source code is either open source or source available. For instance keyguard: https://github.com/AChep/keyguard-app?tab=License-1-ov-file#readme which is an alternative proprietary bitwarden client, where the source is also available. Also the Proton Pass client is under GPLv3.
I would argue that the main advantage of bitwarden compared to others is that it is open source and has an open source server for self-hosting (vaultwarden). Which of course makes it difficult in terms of business strategy with their VC funding. But maybe becoming a non-profit org and getting money from donors, the strategic funds of EU and other governments, etc. might be an alternative way.
I’m not aware of any other enterprise password management where the server source is available and auditable. Proton certainly is not.
Damn, I just switched from Bitwarden to KeepPassXC.
Clearly just in time. Lol.
I’ll be there in a week or 2 bud. Fuck these companies baiting and then enshitifying it all.
What mobile solution are you using in this scenario?
I don’t understand the question. Could you elaborate please?
@bitwarden bitwarden locked and limited conversation to collaborators
They also locked the thread 16 hours ago (as of writing this comment), with no explanation.
The explanation is the second-to-last comment before it got locked. 🤦
This hysteria is really stupid.
That’s the technical explanation for the changes, no an explanation for closing the discussion all together.
That “explanation” is unsatisfactory and likely wrong: https://www.gnu.org/licenses/gpl-faq.html#MereAggregation
So they either have to license their SDK under a GPLv3 compatible license, or switch the license of their client to a non-GPL one.
Their “explaination” only mentions why they think can do it, but not why they are doing it.
That may or may not be the case, but the comment I replied to said they locked the thread with “no explanation”.
I would say a proper explanation includes the goal you want to achieve, not just the statement that you think that you are allowed to do something.
They banned me from reddit and then reported me with mods those fckers…
Fuck. Is it difficult to export my data to something like Keypass? Very disappointed to hear this.
Bitwarden has an export functionality. Export to JSON, import in Keepass, done.
There’s KeePassXC if you want Linux support (keepass2 file is compat with XC variant).
Thank you! It seems this whole thing was a misunderstanding however. It was an error on Bitwarden’s part that they intend to correct. I may still switch to kepassxc later on, mostly to save the money.
Okay, we’ll I’ve been using vaultwarden. When should I switch to something new, and what’s a good alternative?
I just exported my data from BitWarden and imported into ProtonPass. Was pretty easy. Hate the color palette of the app and browser extension though, lol.
I can’t imagine that’s any more free than bitwarden?
GPL’d clients. Everything is encrypted/decrypted on the client before sending/receiving to/from the server. I may later switch to a self-hosted solution, but don’t want to set one up right now (was using BitWarden’s cloud before).