this post was submitted on 25 Oct 2024
214 points (99.1% liked)

Open Source

30956 readers
490 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

@brjsp thanks again for submitting the concern here. We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there.

This appears at least okay on the surface. The clients' dependency on sdk-internal didn't change but that's okay now because they have licensed sdk-internal as GPL.

The sdk-secret will remain proprietary but that's a separate product (Secrets Manager) and will apparently not be used in the regular clients. Who knows for how long though because, if you read carefully, they didn't promise that it will not be used in the future.

The fact that they had ever intended to make parts of the client proprietary without telling anyone and attempted to subvert the GPL while doing so still remains utterly unacceptable. They didn't even attempt to apologise for that.

Bitwarden has now landed itself in the category of software that I would rather move away from and cannot wholeheartedly recommend anymore. That's pretty sad.

top 35 comments
sorted by: hot top controversial new old
[–] [email protected] 62 points 6 days ago

This makes sense and is quite common for opensource businesses. They have the main product which is open then they have a business only element either a module or plugin part which is designed for businesses not gen pop and isnt open. They screwed up the delivery on here and badly communicated it but if they did it right nobody would have noticed the secrets managment part at all because they don't use bw business.

[–] [email protected] 29 points 6 days ago (1 children)

Who knows for how long though because, if you read carefully, they didn't promise that it will not be used in the future.

This is conspiratorial thinking, and it's a fallacy called the Argument from Silence (i.e. asserting intent based on what they didn't say). If I say I'm going to give you a handshake, but you say, "But you didn't promise you won't punch me in the face," most people would recognize that as a ridiculous line of reasoning.

Bitwarden has now landed itself in the category of software that I would rather move away from and cannot wholeheartedly recommend anymore. That's pretty sad.

You do you. This doesn't seem all that problematic to me, as I don't need Secrets Manager, and I'll still recommend it to anyone looking for a password manager.

Seems to me that it makes more sense to vilify them when they become villains, not before based on paranoid reasoning that they might.

[–] [email protected] 8 points 6 days ago (1 children)

Not trusting a company that has been quietly undermining open source builds of their android client and being cagey + using guarded and laconic PR speak on this is not fallacious thinking, it is just recognizing behaviors and knowing why a company would be doing that. These companies hire people to craft responses and otherwise manage their "community", and providing no assurances of permanently open clients when they tried to pull this is an intentional omission.

[–] [email protected] 9 points 6 days ago (2 children)

I hate to say this, but there's no real assurances of permanently open clients from anyone. Also, their client is still open, and if they do drop the OSS model, people can just fork it and still have a working client (or fork an old version that meets whatever standards they have).

But unless we can prove that they have actually done something ethically wrong, I don't see why the internet feels the need to waste energy creating villains from conjecture.

[–] [email protected] 1 points 4 days ago (1 children)

Also, their client is still open

*is open again. The clients they distributed were not open source until they open sourced sdk-internal. The fact that you couldn't even build it with only open code even if you wanted to was a bug but that's a rather minor issue in comparison.

I also fully believe that they would not have GPL'd sdk-intenral without public pressure. Even when they were originally called out they were pretty clear that the integration of proprietary code was intentional and done with the knowledge that it would typically violate the GPL.

If you don't see what's ethically wrong with even attempting to subvert the GPL, I don't think you've understood open source.

[–] [email protected] 1 points 4 days ago

You might not have read the other comments, but I do QA for a living. Devs fucking up commits is why I continue to have a job. Also, companies/maintainers aren't required to capitulate to every bug report. It's possible that whoever made the original comments didn't understand why it was such a big deal and/or didn't know of an alternative way to structure their software; public pressure made them look a little harder.

Like I said in my first comment: you do you. Bring out the pitchforks. The fact that there's reasonable candidate explanations other than malicious intent says to me that the internet is overreacting—again.

Though, when has the internet ever done that, amirite? /s

[–] [email protected] -1 points 6 days ago (1 children)

Of course you inherently cannot trust a private company to keep their product open, including open core models. In that situation everyone using or contributing should be making a gamble: that if they go too far the project will be forked, the company will cut its community in two, and the fotk will go on to be decently successful as a community project.

Their inability to do the right PR things is just a signal that they can't be bothered with the facade that is useful for them to maintain community support and FOSS nerd marketing for their product.

Re: ethics, they are no longer on F-Droid because they tried to get this in under the radar and include non-free code in builds. Instead of fixing that problem they made their own repo.

Bitwarden will likely eventually destroy their FOSS model for profit-seeking, it is just a matter of when. This is how these things work.

[–] [email protected] 2 points 6 days ago (1 children)

Their inability to do the right PR things is just a signal that they can't be bothered with the facade...

...or they're just bad at PR. It's not a skill everyone has.

Re: ethics, they are no longer on F-Droid because they tried to get this in under the radar...

...or they made an honest mistake and don't care to put it back on F-droid for reasons to which we are not privy. I bring up these counter-examples not as a way to point out where I'm right and you're wrong, but to point out that there are other candidate explanations, and it's not justified to infer that malfeasance is the only likely possibility.

I also understand why you would cynically think that Bitwarden might succumb to Capitalism—I too live in a late-stage-capitalism country—but that's not a forgone conclusion, and I say again that we don't need to be imagining villains when there's plenty of objectively real ones at which to point a finger already.

[–] [email protected] 2 points 6 days ago

I think it is unlikely that they are simply bad at PR and not trying to do damage control for something they would like to push anyways eventually. Why are they creating a proprietary element in the first place? Is the selling point of their product not that it is open source? They are making some changes.

...or they made an honest mistake and don't care to put it back on F-droid for reasons to which we are not privy.

An honest mistake of hosting their entire own repo and writing up documents for it? It isn't just off F-Droid, they are doing their own thing.

I bring up these counter-examples not as a way to point out where I'm right and you're wrong, but to point out that there are other candidate explanations, and it's not justified to infer that malfeasance is the only likely possibility.

Yes you are suggesting that people give them the benefit of the doubt. And I am saying that would be unreasonable given the facts.

I also understand why you would cynically think that Bitwarden might succumb to Capitalism—I too live in a late-stage-capitalism country—but that's not a forgone conclusion, and I say again that we don't need to be imagining villains when there's plenty of objectively real ones at which to point a finger alreadIy

Bitwarden has already succumbed to capitalism, it is a product by and for a for-profit company. It is, with few exceptions, just a question of when they will have a profitability crisis and need to find avenues by which to increase revenues or decrease costs. Sometimes that takes 15-20 years, sometimes it takes 3.

I have not followed their finances but I would be curious to know what they are doing at the moment. Could be seeking to get bought out, could be looking for new funding, could be working around the needs of a major client, could be something else.

As always, when a project is backed by a company we should approach it tentatively because while they will provide support for it for some time they will eventually be tempted to do something shady to increase profit. Or to just be profitable at all, which investors always want ASAP when interest rates are high. And then we will need to fork it and see if it is feasible without VC backing. To my knowledge the only other viable path for an open source company is to become an industry standard where the major monopolies decide to not fight about it and instead say, "it is fine as it is and won't be profitable but it is a useful thing to share costs on". Docker, Inc. is somewhere along that path, scraping together products at the periphery of the software while the industry monopolies more or less share the core project in its various compatible forms. And Docker similarly tried to ham-fistedly seek profit sources like when it tried a silly fee scheme for Dockerhub and created a small exodus that the monopolies ate up (e.g. GitHub).

[–] [email protected] 29 points 6 days ago (2 children)

The way the founder replied coldly and closed the GitHub issue is pretty telling. Now they're doing damage control.

It's usually better to stay away from VC funded software. They exist for the sole purpose of turning a rich guy's million dollars into 100.

[–] [email protected] 37 points 6 days ago (2 children)

They literally said the issue was an unintentional bug and then fixed it. How is that damage control?

[–] [email protected] 22 points 6 days ago* (last edited 6 days ago) (1 children)

They were doing the same on other repos for months.
Both their npm module and android client.
On android they tried to get people to add their own fdroid repo because the official fdroid has not had updates for 3 months due to the license changes.

Edit: Looking at it now compared to 4 days ago, they apparently got frdoid to remove bitwarden entirely from the repo. To me this looks like they are sweeping it under the rug, hiding the change pretending it has always been on their own repo they control.

Next time they try this the mobile app won't run into issues, the exact issues that this time raised awareness and caused the outcry on the desktop app, which similarly is present in repos with license requirements.

If they were giving up on their plan, wouldn't they "fix" the android license issue and resume updating fdroid, instead of burning all bridges and dropping it from the repo entirely, still pushing their own ustom repo? Where is the npm license revert?

[–] [email protected] 8 points 6 days ago

Thanks for the input and research.

[–] [email protected] 2 points 4 days ago

One does not "accidentally" build a proprietary SDK for months and make the clients depend on it, intentionally violating the GPL.

They even publicly admitted to doing precisely that, defending their GPL violation with dubious claims how the GPL supposedly works.

[–] [email protected] 16 points 6 days ago (2 children)

Open source community getting too reactionary ngl

[–] [email protected] 22 points 6 days ago (1 children)

Did you know that Mozilla is literally worse than Google and Meta? It's true! Line 4,362 of the old "Firefox Send" source code contains a unicode character that in a very specific part of papua new guinea is used as a mark of shame against trans people. Also I am not paid by Google!

[–] [email protected] 7 points 6 days ago (1 children)

Also, Mozilla never said they don't use actual fox skins to warm their devs during development, so one can only wonder why they've been so silent on that glaring issue...

/s

[–] [email protected] 3 points 6 days ago

Concerning 🤔

[–] [email protected] 6 points 6 days ago

Gotta let companies know you're watching

[–] [email protected] 14 points 6 days ago (1 children)

Nah, I've switched to KeePassXC already. I've never been happier.

[–] [email protected] 2 points 6 days ago (3 children)

Does it work well from a user experience standpoint? I am considering switching from my current provider to KeePass XC. Usability is important, I also need to share some passwords with my SO. She is good with technology and computers, but not a dev.

[–] [email protected] 1 points 3 days ago

It absolutely rules for all kinds of info you don't want laying around loose on a device. The sync issues others have mentioned are just a result of it giving you more control over file management. I don't even sync I just use an SD card

[–] [email protected] 3 points 5 days ago

Check out Proton Pass. I migrated my Bitwarden to it and its not just fast compared to Bitwarden but the UX is really nice. That said, I'm still sticking with Bitwarden, but will happily move away and give my money to Proton if they ever actually stop making their client open source.

[–] [email protected] 2 points 5 days ago

Yes, it does works well, but has its caveats. You have to set up your own sync, either using a Syncthing or any other 3rd party app as KeePassXC does not have any sync option built in. KeePassDX has a good article about syncing a database.

[–] [email protected] 10 points 6 days ago (2 children)

Too bad because there are no other Bitwarden cons for me. Any recommendations?

Tried Proton Pass yesterday, and while it looks nice, browser extension not having a password lock is a deal breaker for me.

Also, I found out in the evening that after trying out Pass during the day and quitting on it, all my aliases in the SimpleLogin are gone. I know Proton owns it, but I wasn't expecting that by deleting data on Proton (not the account itself), aliases could get deleted...

Still, not sure if it's connected. I use SimpleLogin independently of other Proton services, but same primary email. Waiting for support.

[–] [email protected] 10 points 6 days ago (1 children)

I've switched to KeePassXC on pc + KeePassDX on mobile after that whole drama. Proton Pass is also interesting, but there's no way I'm gonna use cloud-based password managers anymore.

[–] [email protected] 4 points 6 days ago (2 children)

Keepass2Android Offline also works very well. It has a somewhat different feature set compared to DX.
I found it to be more stable at remaining permanentl unlocked, and DX dropped the 3rd domain level for password matching on either websites or apps, I don't remember.
On the other hand DX works better for adding new credentials or making changes. Since I usually do that on desktop it doesn't matter much for me.

[–] [email protected] 2 points 6 days ago (1 children)

Keepass2Android is not on f-droid, unfortunately. Also, KeePassDX has a much nicer interface.

[–] [email protected] 3 points 6 days ago

The offline version is on izzyondroid.
The design is worse, yes.

I don't think it matters much because most of the time you only see the autofill thing, not the app.
When you do go to the app, it is to select between multiple credentials, which is still a split second action.

On mobile I have my 2fa in a different more convenient app (aegis), though k2a does allow to copy 2fa codes

[–] [email protected] 1 points 6 days ago* (last edited 6 days ago) (1 children)

Thanks for the info. How does it sync?

Never mind. Now I see it's with SyncThing.

[–] [email protected] 3 points 6 days ago (2 children)

It doesn't.
Both DX and K2A-O open a local keepass file.
They are capable of reloading the file when it is changed, and can be set to immediately write out changes to the file.
Then you take whichever file sync tool you like and sync it with all other devices using it. As long as the sync tool can sync files in your internal storage, it will work.

I use syncthing, with a dedicated keepass folder containing only the database file. Then I simply add all my devices to the share and it'll sync any changes to all other devices. I also have version history enabled for the share.

[–] [email protected] 1 points 5 days ago* (last edited 5 days ago)

Sorted. Had a bit of trouble debugging issue with Librewolf and the extension, but got it working.

While I was at it, converted my notes from Anytype to Joplin, and set up sync as well. Wanted to try out Joplin for quite some time now.

Weekend started nicely. ☕

[–] [email protected] 1 points 6 days ago* (last edited 6 days ago)

Nice. Thanks for details! 🍻

I'll try it out over the weekend.

[–] [email protected] 6 points 6 days ago

The browser extension has a pin lock feature.

[–] [email protected] 1 points 5 days ago

@Atemu While I don't necessarily think all of this stuff makes #bitwarden #evil, I do think it would be smart to remain #wary and #vigilant.

There have been a spate of #opensource #projects run by #commercial #companies lately that have done / tried to do nasty #license changes.

#redis #vault #terraform