This is an important issue IMO that needs to be addressed and the official response by Bitwardens CTO fails to do so.
There is not even a reason provided why such a proprietary license is deemed necessary for the SDK. Furthermore this wasn’t proactively communicated but noticed by users. The locking of the Github Issue indicates that discussion isn’t desired and further communication is not to be expected.
It is a step in the wrong direction after having accepted Venture Capital funding, which already put Bitwardens opensource future in doubt for many users.
This is another step in the wrong direction for a company that proudly uses the opensource slogan.
Welp, I guess another time to move here soon.
And I just fucking vouched for them to a friend recently 🤡
Didn’t know about VC funding these parasites using their funding to turn everything into shite.
What’s the current “best” alternative? Keepass?
I haven’t jumped yet, but the Proton suite is looking more and more appealing. I’ve been eyeing them as a Gmail replacement, but I’ve been happy with my VPN and password management providers. As this reduces the bundle makes more sense.
They have a solid value proposition but don’t like putting all my eggs all in one basket both for security and monopoly reasons.
They seem to be gunning for one stop shop and I think they are doing decent shop but I just don’t like the idea after what Google did to us.
Situation is a bit different but gonna need to tka the lessons and not let these corpos do this again.
It’s not open source, but I got a lifetime license for Enpass over a decade ago and it’s done everything I’ve ever needed it for. I think stacksocial occasionally has new lifetime codes for sale. I like the idea of Proton Pass as others have said, but it feels a bit like putting all my eggs in one basket, which is a mistake I already made with Google before (context: I use Proton for email). I think Keepass is the next best option if dedicated to staying FOSS.
They’re basically trying to get rid of vaultwarden and other open source forks. I expect they’ll get a cease and desist and be removed from github at some point in the not too distant future if they don’t make some changes. I have a vaultwarden instance and use the bit warden clients. Guess I’ll need to look for alternatives in case Bitwarden decides to get aggressive.
Oh, for fuck’s sake. Can we have a decent password manager that isn’t tied to a browser or company? I pay for Bitwarden. I’m not being cheap. But open source is more secure. We can look at the code ourselves if there’s a concern.
Love Keepass. Love that I can sync it however I want. Love that there are multiple open source client options across several operating systems.
Android syncthing announced they’re stopping development this year. Open source got fucked double today
This need not be the case, though! There’s an open source client on Android called Keyguard. I don’t think the desktop app was at all useful anyway. You can just log into your Vaultwarden through any browser. The desktop app is pointless.
Nothing in the article or in the Bitwarden repo suggests that it’s moving away from open source
It is a license problem. The license condition of the SDK which is required to build the client app change to limit the usage of it. The new license states that you can only use the Bitwarden SDK for Bitwarden. It is against the Freedoom-0 of the Free Software Foundation. The limitation of English language is that it is hard to differentiate between Free (as in Free bear) and Free (as in Freedoom). Also open source which could mean complaining with FOSS and that source is available. This been unfortunately have been abused before.
From the article, it’s a packaging bug, not a change in direction.
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
EDIT: The article has been updated and it was described as a “packaging bug” and not an intended change.
How many times do I need to pack up and move to the next “best option”
That’s far from the best option. It’s working, but it’s super complicated compared to Bitwarden and other cloud password managers. Imagine telling your grandma “just use keepass”, she would never be able to make it work. But Bitwarden? Lastpass? That’s possible
Is it so?
I feel like anyone who can open up and edit ms word can do it, just double click on the keepass.kdbx file and it opens up prompting for a password.
Syncing is a bit of a problem and I wrote an article on how I do it here in the easiest way I found. Though MEGA cloud does not have a good reputation among general public, their share link is something you can write in a piece of paper and keep in a safe.
In this case, zero, because it’s a packaging bug, not an actual change in direction. Read the update on the article:
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
Next time, before jumping to conclusions, wait a day or two and see if the project says something.
I really hope that this is actually the case, but I am not very optimistic. This doesn’t seem to be a mistake. They intentionally move functionality of their clients to their proprietary SDK library. The Bitwarden person stated this in the Github issue and you can also check the commit history. Making that library a build-time dependency might actually have been a mistake. That does not change the fact, that the clients are no longer useful without that proprietary library going forward. Core functionality has been move to that lib. I really don’t care if they talk to that library via some protocol or have it linked at build time. I wouldn’t consider this open source, even if that client wrapper that talks to that library technically is still licensed under GPLv3.
They intentionally move functionality of their clients to their proprietary SDK library.
Proprietary is a strong word IMO. Here’s the repo, it’s not FOSS, but it is source available. It’s entirely possible they make it more open once it stabilizes, but it’s also possible they make it less open as well. It’s still early, so we don’t know what the longer term plans look like.
I don’t think we should be panicking just yet, but I’ll certainly be checking back to see what happens once this internal refactor is finished, and I’ll be making some more regular backups just in case they are, in fact, trying to take it proprietary. I don’t think that’s the case (why would they? I don’t see the benefit here…), but I guess we’ll see.
Vaultwarden updated link
Open source version of bitwarden written in rust.
Where is the foundation to support foss?!?
If they’re moving away from open source/more monetisation then they’re going to do one of two things.
1: Make the client incompatible (e.g you’ll need to get hold of and prevent updating of a current client).
2: DMCA the vaultwarden repo
If they’re going all-in on a cash grab, they’re not going to make it easy for you to get a free version.
Don’t forget option 3: someone writes a vaultwarden client independent of the closed-source crap.
If you can write a server that fully supports the client via the documented API, then you know everything you’d need to do to make a client as well.
You can’t “dmca” the fork that was created while it was still open source. They could only prevent it from getting future updates (directly from them).
If you mean they shouldn’t. I’d agree. But, as has been seen a lot on youtube. “They” can DMCA anything they want, and the only route out is usually to take them to court.
I mean I’d hope if they’re going in this direction they will be decent about it. But, it’s not the way things seem to be lately.
DMCA is a tool for suppression of free information. It doesn’t require evidence that you’ve made a good faith effort to consider fair use or other legal complexity as it’s meant to take down the information before that is settled in court, but most commonly used to suppress information from a person or group who can’t afford to fight it in court. Microsoft’s Github has a history of delete first without risking their own necks to stand up for obviously fraudulent takedowns much less ones with unsettled law like APIs/SDKs.
You have your link formatted backwards. It should be Vaultwarden, with the link in the parentheses.
