this post was submitted on 20 Oct 2024
625 points (87.3% liked)

[–] Snowpix@lemmy.ca 91 points 2 days ago (2 children)
[–] john117@lemmy.jmsquared.net 22 points 2 days ago

oh thank god

[–] WhyJiffie@sh.itjust.works 5 points 1 day ago

The community's reaction is a bit funny if this was an honest mistake

[–] ayyy@sh.itjust.works 68 points 2 days ago* (last edited 2 days ago) (4 children)

600 upvotes and only 10 downvotes on literal fake news. I wish readers were less lazy, it’s very frustrating.

Edit: made my statement a bit less toxic. I was mad.

[–] qaz@lemmy.world 2 points 1 day ago (1 children)

Why would it be fake news? Because they called it a "packaging bug"?

[–] ayyy@sh.itjust.works 1 points 1 day ago (1 children)
[–] qaz@lemmy.world 1 points 1 day ago* (last edited 1 day ago)

To me that's just like an excuse for the current mess. Did you read the original GitHub issue? Their CTO also seems to have questionable ideas about the GPLv3.

[–] ammonium@lemmy.world 13 points 2 days ago

How is it fake news? They are moving functionality into a proprietary SDK and have a whole framework ready to get around the GPL.

[–] octopus_ink@lemmy.ml 8 points 2 days ago

No one is listening I'm sorry to say. I corrected a couple people but then realized it was pointless. The discussions in the crossposted communities (which - holy shit I don't think I've seen something so thoroughly spammed across multiple tech communities before) are just as bad or worse.

[–] gwen@lemmy.dbzer0.com 42 points 2 days ago (3 children)

can we start reading the articles and not just the headlines??? it literally says it's a packaging bug

[–] 486@lemmy.world 11 points 2 days ago (2 children)

It is really not just a packaging bug. If you read that comment of the Bitwarden person a little further, you'll notice that he's talking about that proprietary "SDK" library that they are integrating with their clients. Even if they manage to not actually link it directly with the client, but rather let the client talk to that library via some protocol - it doesn't make the situation any better. The client won't work without their proprietary "SDK", no matter if they remove the build-time dependency or not.

[–] Highsight@lemmy.world 9 points 1 day ago (1 children)

When I read this this morning, I had concerns, but then I did some research. The SDK's source is fully available for all to look at and compile. The main issue that people bring up is the license that states:

3.3 You may not use this SDK to develop applications for use with software other
than Bitwarden (including non-compatible implementations of Bitwarden) or to
develop another SDK.

This part seems to be what most people take issue with, as it makes the SDK no longer modifiable, yet a requirement of the core source itself. The head of Bitwarden has come out and stated the SDK being required to compile Bitwarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.

From a security standpoint, since the SDK is source available, it can be audited by anyone still (and compiled) so personally, I'm fine with this.

[–] 486@lemmy.world 4 points 1 day ago

> The head of Bitwarden has come out and stated the SDK being required to compile Bitwarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.

I don't see why this should make any difference at all. Sure, I get why he is saying they are going to fix it - he thinks that this gets them in compliance with the GPLv3. But from a practical point of view there is no difference at all. The software is useless without that SDK part. Even if it does indeed get them in the clear from a legal point of view (which I am not convinced that it actually does), it is still a crappy situation.

I think it would look way less shady if they said they are going fully source-available and not pretend that they are keeping the client open source. I would still dislike that, of course. At least that wouldn't have eroded the trust in them as much as it did for me.

[–] gwen@lemmy.dbzer0.com 3 points 1 day ago

oh shit i didnt know that, mb man

[–] cmrn@lemmy.world 11 points 2 days ago (1 children)

…in the update that came out after this article was posted and the discussion took place.

[–] gwen@lemmy.dbzer0.com 2 points 1 day ago

mb i didnt see the update part

[–] mli@lemm.ee 39 points 2 days ago

Update: Bitwarden posted to X this evening to reaffirm that it's a "packaging bug" and that "Bitwarden remains committed to the open source licensing model."

According to Bitwarden's post here, this is a "packaging bug" and will be resolved.

[–] cmrn@lemmy.world 111 points 2 days ago* (last edited 2 days ago) (8 children)

EDIT: The article has been updated and it was described as a “packaging bug” and not an intended change.

How many times do I need to pack up and move to the next “best option”

[–] JustARaccoon@lemmy.world 49 points 2 days ago

Sadly as many times as needed, complacency is how these companies get "loyal customers" who are willing to put up with bs

[–] cy_narrator@discuss.tchncs.de 24 points 2 days ago (1 children)

Just go to Keepass and it's over

[–] magnus@lemmy.ahall.se 37 points 2 days ago (4 children)

Daniel García, owner of the Vaultwarden repo, has recently taken employment for Bitwarden.

The plot thickens.

[–] unskilled5117@feddit.org 214 points 3 days ago* (last edited 3 days ago) (3 children)

This is an important issue IMO that needs to be addressed and the official response by Bitwarden's CTO fails to do so.

There is not even a reason provided why such a proprietary license is deemed necessary for the SDK. Furthermore this wasn’t proactively communicated but noticed by users. The locking of the Github Issue indicates that discussion isn’t desired and further communication is not to be expected.

It is a step in the wrong direction after having accepted Venture Capital funding, which already put Bitwarden's opensource future in doubt for many users.

This is another step in the wrong direction for a company that proudly uses the opensource slogan.

[–] solsangraal@lemmy.zip 101 points 3 days ago (2 children)

nothing lasts forever without being enshittified

[–] sunzu2@thebrainbin.org 64 points 3 days ago (5 children)

Welp, I guess another time to move here soon.

And I just fucking vouched for them to a friend recently 🤡

Didn't know about VC funding these parasites using their funding to turn everything into shite.

What's the current "best" alternative? Keepass?

[–] ShittyBeatlesFCPres@lemmy.world 129 points 3 days ago (22 children)

Oh, for fuck’s sake. Can we have a decent password manager that isn’t tied to a browser or company? I pay for Bitwarden. I’m not being cheap. But open source is more secure. We can look at the code ourselves if there’s a concern.

[–] Telodzrum@lemmy.world 68 points 2 days ago (1 children)

Keepass: Am I a joke to you?

[–] sigmaklimgrindset@sopuli.xyz 28 points 2 days ago (1 children)

Love Keepass. Love that I can sync it however I want. Love that there are multiple open source client options across several operating systems.

[–] saddlebag@lemmy.world 29 points 2 days ago (1 children)

Android syncthing announced they’re stopping development this year. Open source got fucked double today

[–] ArkyonVeil@lemmy.dbzer0.com 17 points 2 days ago (3 children)

I wonder~ I wonder~ I wonder whyyyy...

[–] ealoe@ani.social 12 points 2 days ago (1 children)

Some guy at bitwarden clicks a button wrong on a license drop-down option and all these people crawl out of the woodwork to declare the end of bitwarden being trustworthy. Nothing in the article or the company's statements indicates an actual move away from open source. Big nothingburger

[–] 486@lemmy.world 9 points 2 days ago

Maybe you want to read the comment by kspearrin in that Github issue again. They are clearly moving away from open source. He explicitly states that they are in the process of moving more code to their proprietary "SDK" library.

[–] NanoooK@sh.itjust.works 43 points 2 days ago (4 children)

Great, I've just started to use it last week 🤡

[–] ghostface@lemmy.world 86 points 3 days ago* (last edited 3 days ago) (3 children)

Vaultwarden updated link

Open source version of bitwarden written in rust.

Where is the foundation to support foss?!?

[–] r00ty@kbin.life 53 points 3 days ago (5 children)

If they're moving away from open source/more monetisation then they're going to do one of two things.

1: Make the client incompatible (e.g. you'll need to get hold of and prevent updating of a current client).
2: DMCA the vaultwarden repo

If they're going all-in on a cash grab, they're not going to make it easy for you to get a free version.

[–] KingThrillgore@lemmy.ml 5 points 2 days ago (1 children)

I'm going to keep using Bitwarden because KeepassXC sucks, but not as a paying user. Once this package inclusion is removed, if it is removed, I'll pay again.

[–] vrighter@discuss.tchncs.de 3 points 1 day ago (1 children)

what sucks about keepassxc?

[–] KingThrillgore@lemmy.ml 1 points 1 day ago (1 children)

I never had any success getting it to work consistently with Firefox.

[–] vrighter@discuss.tchncs.de 1 points 1 day ago

on some sites the plugin fails to properly detect which fields correspond to which, true (usually when javascript fuckery is involved). But fixing that by manually pointing out the fields once on such sites is easy enough for me. I also switched firefox to use keepassxc for passkeys, which makes them actually portable and usable for me.

[–] Boozilla@lemmy.world 61 points 3 days ago (10 children)

Goddammit. It's getting to the point I'm going to have to figure out how to write my own app for this.
