- cross-posted to:
- selfhosted@lemmy.world
- cross-posted to:
- selfhosted@lemmy.world
You must log in or register to comment.
oh thank god
The community’s reaction is a but funny if this was a honest mistake
Alright does anyone have opinions on Nextcloud Passwords? There’s apps for it and it would sync to my Nextcloud.
I hate this. Bitwarden has been a good app.
It’s a packaging bug, the headline is false.
Nextcloud passwords is just a client for a KeePass vault.
I guess it’s as good or bad as that can be, but I’m sure it’s limited in functionality to KeePassxc with plugins.
Are you sure?
Because last time I tried that it was THE worst password manager that i ever tried in my life. I’d feel safer with the ie6 password manager
Bitwarden has been a good app.
And it still is. There’s no reason to stop using Bitwarden, and I will continue my plans to switch to Vaultwarden.
As @Krzd@lemmy.world said, it’s a packaging bug, not an actual change in license. If you read the article, it says as much in the update.
Daniel García, owner of the Vaultwarden repo, has recently taken employment for Bitwarden.
The plot thickens.
Honestly, if he can replace the current Bitwarden BE w/ Vaultwarden, that would be awesome! The last time I looked at the Bitwarden self-hostable BE, it was super heavy, which is the entire reason I was interested in Vaultwarden.
I’m running a couple of Vaultwarden instances, and it would be really nice if Bitwarden employed Garcia to improve the Rust backend. But as the bitter cynic I am, I guess it is an effort to shut down and control as much of the open source use of Bitwarden as possible.
The worst case, someone will most likely fork Vaultwarden and we can still access it with Keyguard on mobile and the excellent Vaultwarden web interface :)
Phew, looks good on the news with the packaging bug (if they didn’t just got cold feet for worse PR/backlash than they expected and this is a backtracking).
In this case, hopefully Garcia is employed for his expertise and can be deployed to further open source relations :)
And I am an ardent optimist, hence why I see it as a good thing.
But yes, worst case someone will fork it, and I’ll probably use that fork.
This is disheartening.
I wonder~ I wonder~ I wonder whyyyy…
I don’t understand.
Are you saying it’s a bait and switch like Google, where they suck people in with a good product then enshittify it once they’re hooked?
I’m not thoroughly aware of their dealings, but these amounts of private investment aren’t going to pay for themselves. If you raise 100 million, investors typically want a billion back, or more.
From the looks of it, Bitwarden might’ve tried to go with the Open Source model to get free development resources, trust (because it’s an open source PASSWORD manager), and general goodwill. But now that they’ve deemed that got enough of a market share (or investors are starting to breathe down their necks), it’s time to start raising the walled garden.
Even if they claim after the fact that it was a “Bug” that the client couldn’t be built without their proprietary sdk. The very fact one exists is a bad enough sign, specially when its influence is spreading.
VC is a devil’s bargain. Raising VC money is NEVER a good sign.
Keepass. Keep it simple.
If you want to roll your own with keepass that’s fine, but most people will want a more comprehensive solution.
I switched from keepass to Bitwarden because individual entries started randomly disappearing. I’m still discovering missing accounts after switching a couple of weeks ago. Sometime to do with how keepass was opening the files, because when an entry went missing it was gone even from backup files I hadn’t touched since before the entry disappeared.
Sound like something you did with replacing files. Bitwarden is dead simple, and that’s why it’s great.
3rd party sync of the database can have a lot of problems
can we start reading the articles and not just the headlines??? it literally says it’s a packaging bug
It is really not just a packaging bug. If you read that comment of the Bitwarden person a little further, you’ll notice that he’s talking about that proprietary “SDK” library that they are integrating with their clients. Even if they manage to not actually link it directly with the client, but rather let the client talk to that library via some protocol - it doesn’t make the situation any better. The client won’t work without their proprietary “SDK”, no matter if they remove the build-time dependency or not.
oh shit i didnt know that, mb man
When I read this this morning, I had concerns, but then I did some research. The SDKs source is fully available for all to look at and compile. The main issue that people bring up is the license that states:
3.3 You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.This part seems to be what most people take issue with, as it makes the sdk no longer modifiable, yet a requirement of the core source itself. The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.
From a security standpoint, since the SDK is source available, it can be audited by anyone still (and compiled) so personally, I’m fine with this.
The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.
I don’t see why this should make any difference at all. Sure, I get why he is are saying they are going to fix it - he thinks that this gets them in compliance with the GPLv3. But from a practical point of view there is no difference at all. The software is useless without that SDK part. Even if it does indeed get them in the clear from a legal point of view (which I am not convinced that it actually does), it is still a crappy situation.
I think, it would look way less shady, if they said they are going fully source-available and not pretend that they are keeping the client open source. I would still dislike that, of course. At least that wouldn’t have eroded the trust in them as much as it did for me.
…in the update that came out after this article was posted and the discussion took place.
mb i didnt see the update part
In general, if it’s Phoronix, I assume the headline is a bit more exaggerated. They put out pretty good content, but they also put out a lot of content, so the editing can be a little lacking IMO.
Goddammit. It’s getting to the point I’m going to have to figure out how to write my own app for this.
Thank you for the update! I would like to keep using it. I’ve been very happy with Bitwarden both as a password manager and a TOTP authenticator. I have even recommended it to my boss as an enterprise solution for us to use at work, and so far we are planning on replacing our current password database solution with Bitwarden.
Unfortunately, with “enshittification” being so common these days, it was very easy to believe they were also going to the dark side. I will remain cautiously optimistic after learning it was a packaging bug.
Here’s a link to the post on X (yes, I hate X, too) in case anyone else is doubtful:
Yeah, I was worried about it too. I’ve become pretty cynical when it comes to everything becoming enshittified, but I’m hoping they stick to their word.
It shouldn’t even be that complex…
I might be mistaken, but ultimately a password manager is basically nothing more than a database of passwords in an encrypted zip file. That could entirely be self-hosted with off the shelf open source applications stringed together.
All you’d need is a nice UI stringing it all together.It’s the “stringing it all together” that could be problematic.
If you have multiple clients (desktop/cellphone) modifying the same entry (or even different entries in the same “database” ). You need something smart enough to gracefully handle this or atleast tell you about it.
I did the whole “syncing” KeePass and it was functional, but it also meant I needed to handle conflicts - which was annoying. I switched and really appreciate the whole “it just works” with self-hosted bitwarden.
Yup, thanks. Was thinking along these same lines.
I’ve done basically this in the past by encrypting a text file with GPG. But a real password manager will integrate with your browser and helps prevent getting phished by verifying the domain before entering a password. It also syncs across all my devices, which my GPG file only worked well on my desktop.
That is the bare minimum of a password manager like Bitwarden.
Keepass is exactly that. Basically all the client side parts, and the database is a single encrypted file that you can sync however you want.
I see it as it’s easy to self host. But I’m not skilled nor rich enough to guarantee the availability of it. I don’t want to be stuck on a holiday without my passwords because my server back home died from black out or what have you.
I pay for bitwarden and the proton mail package to keep the password management market a bit more competitive and it actually works out cheaper. It would be nice to have protons anonymous emails built in, but I can live with it.
But I might have to reconsider if Bitwarden is going a different direction that what I’m paying for.
Oh, for fuck’s sake. Can we have a decent password manager that isn’t tied to a browser or company? I pay for Bitwarden. I’m not being cheap. But open source is more secure. We can look at the code ourselves if there’s a concern.
They have confirmed it was a packaging bug and will be resolved.
Its called Keepass. You are welcome
Keepassxc? Vaultwarden?
Isn’t Vaultwarden used with non-free Bitwarden clients?
This need not be the case, though! There’s an open source client on Android called Keyguard. I don’t think the desktop app was at all useful anyway. You can just log into your Vaultwarden through any browser. The desktop app is pointless.
True, but the firefox extension is nice.
Keyguard isn’t open source. Have a look at their license. It just says “All rights reserved”.
The clients are free.
They now require a non-free Bitwarden SDK component. That’s what this whole conversation is about.
Only the desktop client. And the response is that not being able to compile sans SDK is an issue they will resolve.
I still think this is bad directionally, but we need to see what happens.
And the whole conversation is about a bug, not a change in direction…
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
Could you ELI5 please?
“You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.”
This is a condition when using their SDK. This is not considered a free (as in freedom) component because it violates freedom 0: https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms
Pass.
Notepad.exe
Its open source now right?
Keepass: Am I a joke to you?
Love Keepass. Love that I can sync it however I want. Love that there are multiple open source client options across several operating systems.
Android syncthing announced they’re stopping development this year. Open source got fucked double today
terrible day. There is a fork called syncthing-fork that is under current development. I hope both projects merge.
Nothing in the article or in the Bitwarden repo suggests that it’s moving away from open source
It is a license problem. The license condition of the SDK which is required to build the client app change to limit the usage of it. The new license states that you can only use the Bitwarden SDK for Bitwarden. It is against the Freedoom-0 of the Free Software Foundation. The limitation of English language is that it is hard to differentiate between Free (as in Free bear) and Free (as in Freedoom). Also open source which could mean complaining with FOSS and that source is available. This been unfortunately have been abused before.
From the article, it’s a packaging bug, not a change in direction.
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
I was referring to this which started it all.
Here is the code in question. Basically, it’s a source-available, but not FOSS internal SDK, with the following language:
The password manager SDK is not intended for public use and is not supported by Bitwarden at this stage. It is solely intended to centralize the business logic and to provide a single source of truth for the internal applications. As the SDK evolves into a more stable and feature complete state we will re-evaluate the possibility of publishing stable bindings for the public. The password manager interface is unstable and will change without warning.
So I think the “bug” here is in not linking the original repo in the NPM package, and there’s a decent chance that this internal SDK will become FOSS in the future once it stabilizes. That said, it’s currently not FOSS, but it’s too early IMO to determine whether Bitwarden is moving in a non-FOSS direction, or if they’re just trying to keep things simple while they do some heavy refactoring to remove redundancy across apps.
Given their past, I’m willing to give them the benefit of the doubt, but I’ll be making sure I have regular backups in case things change.
Well this ain’t good. I don’t really feel like switching apps.
That’s how they get you. Jump ship now
Anyone looking at this…what alternatives are out there?
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
I’m not going to jump ship just yet, though I may get around to updating my backup.
There are plenty of alternatives, so feel free to shop around. But don’t jump the gun just because of a random Phoronix article with an update that says basically the opposite of what the article claims. Wait some time to see if there are actual changes coming.
Yeah no. This is clearly backpedaling and you should look to get away
Maybe. Here’s what they say in the readme of the project people are complaining about:
The password manager SDK is not intended for public use and is not supported by Bitwarden at this stage. It is solely intended to centralize the business logic and to provide a single source of truth for the internal applications. As the SDK evolves into a more stable and feature complete state we will re-evaluate the possibility of publishing stable bindings for the public. The password manager interface is unstable and will change without warning.
There are two ways to take this:
- this is temporary as they’re refactoring code to reduce duplication across clients
- refactoring is an excuse to create fully proprietary clients going forward
Until I see evidence of the latter, I’ll stick with the project, but I’ll be more consistent about creating backups so I can switch easily if I need to.
KeePassxc with syncthing
Nextcloud with their password solutions
A notebook
Sooo, where’s ProtonPass at? They’re open source and non-profit, right?
The server is not open source and I wouldn’t trust a business that is not just working on password managers.
Its worth noting I don’t think they’re actually a company anymore, I think they’re now a non-profit (I may be mistaken, but that’s my present understanding)
and I wouldn’t trust a business that is not just working on password managers.
Because…? They’re a privacy tool oriented company, no?
Because they aren’t focused on just one single service. Bitwarden is a single business only focusing on their password manager, whereas proton has a suite of tools. Passwords need to be stored absolutely in a robust and safe way. I don’t trust proton with anything at all, and the proton pass is no exception. The client might be open source, but the backend is not. It’s also not as mature as bitwarden.
These are valid points. There are many password managers, most of which it wouldn’t take much to poke holes in, especially if open source is a main criteria.
What are some that you would consider with Bitwarden now being off the table?
Keepass vault synced over syncthing.
I keep not regretting it.
I’ve always loved Keepass, however I moved away from it in 2012 as it and any file based vault has brute forcing issues. You need to track every copy of it that has been made and if any copy falls out of your hands, like if you lose a device, you need to do a password rotation on 100% of your passwords. Since its a file, its not possible to prevent brute forcing.
everything’s a file
Was going to be my solution as well, bjt Syncthing-Android just got discontinued.
F-Droid syncthing-fork is still actively developed and had a patch in the last few weeks.
So hopefully this isn’t the end.
What? I need syncthing-android, where is it going?
F-Droid syncthing-fork is still actively developed and had a patch in the last few weeks.
Good to know
I was thinking the same. But, it is safe to share the password database like this?
This is incredible
Right next to each other lol
Syncthing fork seems to still be under active development
sigh
I’m going to keep using Bitwarden because KeepassXC sucks, but not as a paying user. Once this package inclusion is removed, if it is removed, i’ll pay again.
what sucks about keepassxc?
I never had any success getting it to work consistently with Firefox.
Thats not good :(
