- cross-posted to:
- opensource@programming.dev
- privacy@programming.dev
Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:
You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.
This violates freedom 0.
It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.
- Andrew ( @andrew_s@piefed.social ) English76•1 month ago
There’s a lot of drama in that Issue, and then, at the very end:
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
the SDK and the client are two separate programs
code for each program is in separate repositories
the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
- umami_wasabi ( @umami_wasbi@lemmy.ml ) 16•1 month ago
plan to resolve
timeline unknown, maybe 2124
- SteleTrovilo ( @SteleTrovilo@beehaw.org ) 50•1 month ago
Ever since BitWarden got mired in capitalism, I’ve been dreading that something like this would happen.
- fl42v ( @fl42v@lemmy.ml ) 45•1 month ago
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
- the SDK and the client are two separate programs
- code for each program is in separate repositories
- the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
I.e. “fuck you and your foss”
- zante ( @zante@lemmy.wtf ) English19•1 month ago
Pretty much the opposite
- fl42v ( @fl42v@lemmy.ml ) 23•1 month ago
I doubt it. What’ll probably happen is them moving more and more of the logic into the SDK (or adding the back-end of new features there), and leaving the original app to be more or less an agpl-licensed ui, while the actual logic becomes source-available. Soo, somewhat red-hat-esque vibes: no-no, we don’t violate no stupid licenses, we just completely go against their spirit.
- rozlav ( @rozlav@lemmy.blahaj.zone ) 31•1 month ago
Nobody here talks about keepassxc ? I’ve been using it for almost a decade, it can be used with sync tools to be shared, I’ve managed to have db keepass file opened on several computers and it did work well. Gplv3 here https://keepassxc.org/
- Atemu ( @Atemu@lemmy.ml ) 15•1 month ago
Keepass isn’t really in the same category of product as Bitwarden. The interesting part of bitwarden is that it’s ran as a service.
- unrushed233 ( @unrushed233@lemmings.world ) 13•1 month ago
Bitwarden can’t be compared to KeePassXC. Bitwarden is fundamentally built around a sync server, whereas KeePass is meant to exclusively operate locally. These are two very different fundamental concepts for, you know, how to actually store and access your passwords.
- Hexarei ( @Hexarei@programming.dev ) 1•1 month ago
Store your database in a nextcloud instance and it’s that too
- unrushed233 ( @unrushed233@lemmings.world ) 3•1 month ago
Nope. Since the entire database is contained in a single file, it can’t sync multiple edits properly, leading to sync conflicts. Because KeePass was built around local database files, whereas Bitwarden uses actual synced databases, where individual updates can be uploaded, instead of causing conflicts or overwriting the entire db.
- Hexarei ( @Hexarei@programming.dev ) 1•1 month ago
Conflicts haven’t been an issue for years, all modern iterations of KeePass (XC, kp2a, DX) support automatically merging in the latest before saving.
I’ve been using it for years this way across several devices, it’s incredibly solid
- Dymonika ( @Dymonika@beehaw.org ) 2•18 days ago
Do you sync it across your devices using Syncthing? That’s what I’m thinking of doing.
- Hexarei ( @Hexarei@programming.dev ) 1•18 days ago
I keep mine in a self hosted Nextcloud instance, DAV sync is built into the app
- EveryMuffinIsNowEncrypted ( @EveryMuffinIsNowEncrypted@lemmy.blahaj.zone ) English5•1 month ago
I just switched over. Honestly, I like it even more than Bitwarden. Then again, I don’t sync my stuff between devices because I’m old I guess. Lol. It makes it easier to switch because I don’t have to deal with stuff like Syncthing.
- mli ( @mli@lemm.ee ) 31•1 month ago
Apparently and according to Bitwardens post here, this is a “packaging bug” and will be resolved.
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
Let’s hope this is not just the PR compartment trying to make this look good.
- ipkpjersi ( @ipkpjersi@lemmy.ml ) 6•1 month ago
I think even if they do reverse course or it was a genuine mistake, it’s easy to lose people’s trust forever, ESPECIALLY when it comes to something sensitive like storing ALL of your passwords.
- Lemmchen ( @Lemmchen@feddit.org ) English22•1 month ago
ITT: A lot of conspiracy theories without much (any?) evidence. Let’s see if they resolve the dependency issue before wet get our pitchforks, shall we?
- Atemu ( @Atemu@lemmy.ml ) 15•1 month ago
I don’t know what the heck you’re talking about.
I see overwhelming evidence that they have intentionally made parts of the clients’ code proprietary. You can check the client code yourself (for now anyways) and convince yourself of the fact that the bw SDK code is in indeed integrated into the bitwarden clients’ code base.
This is the license text of the sdk-internal used in 2024.10.1 (0.1.3): https://github.com/bitwarden/sdk/blob/16a8496bfb62d78c9692a44515f63e73248e7aab/LICENSE
You can read that license text to convince yourself of the fact that it is absolutely proprietary.
Here is also the CTO and founder of Bitwarden admitting that they have done it and are also attempting to subvert the GPL in using sdk-internal:
https://github.com/bitwarden/clients/issues/11611#issuecomment-2424865225
Hi @brjsp, Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
- the SDK and the client are two separate programs
- code for each program is in separate repositories
- the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
(Emphasis mine.)
The fluff about the ability to even build the app is secondary, the primary issue is that the Bitwarden clients are no longer free software. That fact is irrefutable.
- youmaynotknow ( @jjlinux@lemmy.ml ) 4•1 month ago
Too late. Found a pitchfork sale in my local hardware store, so got a few for this and whatever fucking company does a rug pull next.
- EveryMuffinIsNowEncrypted ( @EveryMuffinIsNowEncrypted@lemmy.blahaj.zone ) English16•1 month ago
Damn, I just switched from Bitwarden to KeepPassXC.
Clearly just in time. Lol.
- youmaynotknow ( @jjlinux@lemmy.ml ) 5•1 month ago
I’ll be there in a week or 2 bud. Fuck these companies baiting and then enshitifying it all.
- zanyllama52 ( @zanyllama52@infosec.pub ) English14•1 month ago
Laughs in keepassxc
- Nicht BurningTurtle ( @nichtburningturtle@feddit.org ) 11•1 month ago
Does this affect valtwarden?
- TheOubliette ( @TheOubliette@lemmy.ml ) 31•1 month ago
Yes because it is about, ultimately, making the major clients incompatible with vaultwarden on both a legal and technical level.
A likely outcome if they don’t reverse course is a split where FOSS Nerfs fork the clients and have to maintain their own versions. That’s the outcome Bitwarden wants. This reeks of a bazinga, “how dare they benefit from our work and take our users”, which is hilarious for a FOSS ecosystem that almost universally benefits corporations with free labor.
- smiletolerantly ( @smiletolerantly@awful.systems ) 11•1 month ago
Does anyone have experience with keyguard? From a cursory glance, this + vaultwarden seems like a good alternative…
- Bilb! ( @bilb@lem.monster ) English5•1 month ago
I have some! I use a self hosted vaultwarden and just two days ago I saw and installed KeyGuard out of curiosity. So far, I can say KeyGuard is a nicer looking and feeling app and… it works. So as long as their intentions are pure, you can use “bitwarden” without using any of their software or infrastructure.
- smiletolerantly ( @smiletolerantly@awful.systems ) 4•1 month ago
Just tried it, and it seems you can’t edit or add items without a premium subscription??
Or am I missing something?
Edit: Apparently only when installing via the Play Store. Very weird decision.
- Bilb! ( @bilb@lem.monster ) English5•1 month ago
Ah, yeah, I installed it from their github with obtainium. I think open source/libre app that charges people to install with the play store is a model a few others have tried as well.
- smiletolerantly ( @smiletolerantly@awful.systems ) 4•1 month ago
I don’t think it’s unreasonable to want to be paid, but a mandatory subscription when using the most common install method does irk me the wrong way
- Bilb! ( @bilb@lem.monster ) English4•1 month ago
I haven’t looked into it at all, but that just seems so strange. Who would pay that when the original Bitwarden app is still there for free? Most people who would even know about KeyGuard would know how to install it from somewhere else. Is it essentially a donation?
- smiletolerantly ( @smiletolerantly@awful.systems ) 3•1 month ago
It would be if it’s a one-time payment, but it’s a yearly subscription, and not a cheap one!
- midnightblue ( @midnightblue@lemmy.ca ) English2•1 month ago
I just tried it out and I’m amazed. It looks and feels just like 1Password, my absolute favorite password manager (before I switched to Bitwarden, because 1Password is proprietary and pretty expensive)
I definitely recommend it
- unrushed233 ( @unrushed233@lemmings.world ) 1•1 month ago
It definitely has a nicer design and blends in well with the rest of the system (at least on Android)
- wuphysics87 ( @wuphysics87@lemmy.ml ) 11•1 month ago
A few questions out of ignorance. How different is this to gitlab’s open core model? Is this a permanent change? Is the involvement of investors the root of this? Are we overreacting as it doesn’t meet our strict definition of foss?
- Atemu ( @Atemu@lemmy.ml ) 11•1 month ago
How different is this to gitlab’s open core model?
That’s a really good question that I don’t immediately have a satisfying answer to.
There are some differences I can point out though:
- Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW’s clients cannot even be compiled without the proprietary SDK anymore.
- Gitlab was always a permissive license (MIT) and never attempted to subvert its original license terms
- Gitlab-EE’s “closed” core is actually quite open (go read the source code) but still squarely in the proprietary camp because it requires you to have a valid subscription to exercise your freedoms.
Is this a permanent change?
It’d be quite trivial for them to do in technical terms: Either license the SDK as GPL or stop using it in the clients.
I don’t see a reason for them to roll it back though. This was decided long ago and they explicitly decided to stray away from the status quo and make it closed source.
The only thing I could see making them revert this would be public pressure. If they lose a sufficient amount of subscribers over this, that might make them reconsider. Honestly though by that time, the cat’s out of the bag and all the public goodwill and trust is gone.
It’s honestly a bafflingly bad decision from even just a business perspective. I predict they’ll lose at least 20% but likely 30-50% of their subscribers to this.Is the involvement of investors the root of this?
I find that likely. If it stinks, it’s usually something stinky’s fault.
Are we overreacting as it doesn’t meet our strict definition of foss?
They are attempting to subvert one of the FOSS licenses held in the highest regard. You cannot really be much more anti than this.
An “honest” switch to completely proprietary licenses with a public announcement months prior would have been easier to accept.
- wuphysics87 ( @wuphysics87@lemmy.ml ) 9•1 month ago
How would the community’s reaction be if Bitwarden goes, “Look, we are moving more into the enterprise space, which means using proprietary software to service their needs. Our intention is to keep the enterprise and public versions sandboxed, but there is crossover, and we made a mistake.”? I really don’t care what they do in the enterprise space. Perhaps I’m an apologist, but seemingly more torn than most other posters.
- vordalack ( @vordalack@lemm.ee ) English7•20 days ago
Dump it.
Move to something else.
This is how fuckery starts.
- umbrella ( @umbrella@lemmy.ml ) 7•1 month ago
i was about to replace my glorified encrypted text file for a password manager. guess relying on 3rd parties in a late-stage capitalist world is not a viable alternative.
ill stay with my encrypted text file until they privatize encryption. by then ill probably be carving my passwords out on stone. or burning down the servers of these fucking pigs trying to make us identify ourselves for everything on the internet now.
- EveryMuffinIsNowEncrypted ( @EveryMuffinIsNowEncrypted@lemmy.blahaj.zone ) English5•1 month ago
KeePassXC is pretty amazing. :)
- umbrella ( @umbrella@lemmy.ml ) 1•1 month ago
can u selfhost it?
- EveryMuffinIsNowEncrypted ( @EveryMuffinIsNowEncrypted@lemmy.blahaj.zone ) English8•1 month ago
I would assume so. According to the page Documentation and FAQ,
Why is there no cloud synchronization feature built into KeePassXC?
Cloud synchronization with Dropbox, Google Drive, OneDrive, ownCloud, Nextcloud etc. can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your synchronization service of choice do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low.
- ᗪᗩᗰᑎ ( @KLISHDFSDF@lemmy.ml ) 6•1 month ago
Looks like I might be moving to Proton Pass after all! I’ll give them some time to see what they do about this, but will happily give my money to someone else and migrate friends/family as well.