Concerns Raised Over Bitwarden Moving Further Away From Open-Source
Concerns Raised Over Bitwarden Moving Further Away From Open-Source
This is an important issue IMO that needs to be addressed and the official response by Bitwardens CTO fails to do so.
There is not even a reason provided why such a proprietary license is deemed necessary for the SDK. Furthermore this wasn’t proactively communicated but noticed by users. The locking of the Github Issue indicates that discussion isn’t desired and further communication is not to be expected.
It is a step in the wrong direction after having accepted Venture Capital funding, which already put Bitwardens opensource future in doubt for many users.
This is another step in the wrong direction for a company that proudly uses the opensource slogan.
nothing lasts forever without being enshittified
not in capitalism no
Except if it's free software.
Welp, I guess another time to move here soon.
And I just fucking vouched for them to a friend recently 🤡
Didn't know about VC funding these parasites using their funding to turn everything into shite.
What's the current "best" alternative? Keepass?
It's not open source, but I got a lifetime license for Enpass over a decade ago and it's done everything I've ever needed it for. I think stacksocial occasionally has new lifetime codes for sale. I like the idea of Proton Pass as others have said, but it feels a bit like putting all my eggs in one basket, which is a mistake I already made with Google before (context: I use Proton for email). I think Keepass is the next best option if dedicated to staying FOSS.
They're basically trying to get rid of vaultwarden and other open source forks. I expect they'll get a cease and desist and be removed from github at some point in the not too distant future if they don't make some changes. I have a vaultwarden instance and use the bit warden clients. Guess I'll need to look for alternatives in case Bitwarden decides to get aggressive.
Oh, for fuck’s sake. Can we have a decent password manager that isn’t tied to a browser or company? I pay for Bitwarden. I’m not being cheap. But open source is more secure. We can look at the code ourselves if there’s a concern.
Its called Keepass. You are welcome
Nothing in the article or in the Bitwarden repo suggests that it's moving away from open source
It is a license problem. The license condition of the SDK which is required to build the client app change to limit the usage of it. The new license states that you can only use the Bitwarden SDK for Bitwarden. It is against the Freedoom-0 of the Free Software Foundation. The limitation of English language is that it is hard to differentiate between Free (as in Free bear) and Free (as in Freedoom). Also open source which could mean complaining with FOSS and that source is available. This been unfortunately have been abused before.
They have confirmed it was a packaging bug and will be resolved.
Pass.
Notepad.exe
Its open source now right?
EDIT: The article has been updated and it was described as a “packaging bug” and not an intended change.
How many times do I need to pack up and move to the next “best option”
Sadly as many times as needed, complacency is how these companies get "loyal customers" who are willing to put up with bs
In this case, zero, because it's a packaging bug, not an actual change in direction. Read the update on the article:
Update: Bitwarden posted to X this evening to reaffirm that it's a "packaging bug" and that "Bitwarden remains committed to the open source licensing model."
Next time, before jumping to conclusions, wait a day or two and see if the project says something.
Not sure who downvoted you, you literally quoted the article.
I really hope that this is actually the case, but I am not very optimistic. This doesn't seem to be a mistake. They intentionally move functionality of their clients to their proprietary SDK library. The Bitwarden person stated this in the Github issue and you can also check the commit history. Making that library a build-time dependency might actually have been a mistake. That does not change the fact, that the clients are no longer useful without that proprietary library going forward. Core functionality has been move to that lib. I really don't care if they talk to that library via some protocol or have it linked at build time. I wouldn't consider this open source, even if that client wrapper that talks to that library technically is still licensed under GPLv3.
oh thank god
The community's reaction is a but funny if this was a honest mistake
Vaultwarden updated link
Open source version of bitwarden written in rust.
Where is the foundation to support foss?!?
If they're moving away from open source/more monetisation then they're going to do one of two things.
1: Make the client incompatible (e.g you'll need to get hold of and prevent updating of a current client).
2: DMCA the vaultwarden repoIf they're going all-in on a cash grab, they're not going to make it easy for you to get a free version.
You have your link formatted backwards. It should be Vaultwarden, with the link in the parentheses.
This is by no means to a slight towards bitwarden. Solid product and community
600 upvotes and only 10 downvotes on literal fake news. I wish readers were less lazy, it’s very frustrating.
Edit: made my statement a bit less toxic. I was mad.
How is it fake news? They are moving functionality into a proprietary SDK and have a whole framework ready to get around the GPL.
No one is listening I'm sorry to say. I corrected a couple people but then realized it was pointless. The discussions in the crossposted communities (which - holy shit I don't think I've seen something so thoroughly spammed across multiple tech communities before) are just as bad or worse.
Community is fine, your comment is at the top, along with others pointing this out.
It’s the “non-community” if you will boosting this. The passerby’s not reading comments.
Goddammit. It's getting to the point I'm going to have to figure out how to write my own app for this.
It shouldn't even be that complex...
I might be mistaken, but ultimately a password manager is basically nothing more than a database of passwords in an encrypted zip file, right? That could entirely be self-hosted with off the shelf open source applications stringed together.
All you'd need is a nice UI stringing it all together.Edit: I'm not sure why people are downvoting me. Is that not what a password manager essentially is?
Keepass is exactly that. Basically all the client side parts, and the database is a single encrypted file that you can sync however you want.
I've done basically this in the past by encrypting a text file with GPG. But a real password manager will integrate with your browser and helps prevent getting phished by verifying the domain before entering a password. It also syncs across all my devices, which my GPG file only worked well on my desktop.
It's the "stringing it all together" that could be problematic.
If you have multiple clients (desktop/cellphone) modifying the same entry (or even different entries in the same "database" ). You need something smart enough to gracefully handle this or atleast tell you about it.
I did the whole "syncing" KeePass and it was functional, but it also meant I needed to handle conflicts - which was annoying. I switched and really appreciate the whole "it just works" with self-hosted bitwarden.
That is the bare minimum of a password manager like Bitwarden.
I see it as it's easy to self host. But I'm not skilled nor rich enough to guarantee the availability of it. I don't want to be stuck on a holiday without my passwords because my server back home died from black out or what have you.
I pay for bitwarden and the proton mail package to keep the password management market a bit more competitive and it actually works out cheaper. It would be nice to have protons anonymous emails built in, but I can live with it.
But I might have to reconsider if Bitwarden is going a different direction that what I'm paying for.
Yup, thanks. Was thinking along these same lines.
Thank you for the update! I would like to keep using it. I've been very happy with Bitwarden both as a password manager and a TOTP authenticator. I have even recommended it to my boss as an enterprise solution for us to use at work, and so far we are planning on replacing our current password database solution with Bitwarden.
Unfortunately, with "enshittification" being so common these days, it was very easy to believe they were also going to the dark side. I will remain cautiously optimistic after learning it was a packaging bug.
Here's a link to the post on X (yes, I hate X, too) in case anyone else is doubtful:
Great, I've just started to use it last week 🤡
can we start reading the articles and not just the headlines??? it literally says it's a packaging bug
…in the update that came out after this article was posted and the discussion took place.
mb i didnt see the update part
It is really not just a packaging bug. If you read that comment of the Bitwarden person a little further, you'll notice that he's talking about that proprietary "SDK" library that they are integrating with their clients. Even if they manage to not actually link it directly with the client, but rather let the client talk to that library via some protocol - it doesn't make the situation any better. The client won't work without their proprietary "SDK", no matter if they remove the build-time dependency or not.
When I read this this morning, I had concerns, but then I did some research. The SDKs source is fully available for all to look at and compile. The main issue that people bring up is the license that states:
3.3 You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.This part seems to be what most people take issue with, as it makes the sdk no longer modifiable, yet a requirement of the core source itself. The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.
From a security standpoint, since the SDK is source available, it can be audited by anyone still (and compiled) so personally, I'm fine with this.
oh shit i didnt know that, mb man
In general, if it's Phoronix, I assume the headline is a bit more exaggerated. They put out pretty good content, but they also put out a lot of content, so the editing can be a little lacking IMO.
Update: Bitwarden posted to X this evening to reaffirm that it's a "packaging bug" and that "Bitwarden remains committed to the open source licensing model."
According to Bitwardens post here, this is a "packaging bug" and will be resolved.
Daniel García, owner of the Vaultwarden repo, has recently taken employment for Bitwarden.
The plot thickens.
Honestly, if he can replace the current Bitwarden BE w/ Vaultwarden, that would be awesome! The last time I looked at the Bitwarden self-hostable BE, it was super heavy, which is the entire reason I was interested in Vaultwarden.
I'm running a couple of Vaultwarden instances, and it would be really nice if Bitwarden employed Garcia to improve the Rust backend. But as the bitter cynic I am, I guess it is an effort to shut down and control as much of the open source use of Bitwarden as possible.
The worst case, someone will most likely fork Vaultwarden and we can still access it with Keyguard on mobile and the excellent Vaultwarden web interface :)
Keepass vault synced over syncthing.
I keep not regretting it.
This is incredible
Right next to each other lol
Syncthing fork seems to still be under active development
I was thinking the same. But, it is safe to share the password database like this?
Consider the possibility that someone could get your database.
It isn't a safe. You can't weld through the side of it and get in. You either make it ridiculous or impossible to get in.
Use something memorable, but insane.
My password is a three-line film quote with numbers in some of the places for letters.
Haikus work great. Memorable, complex. Wrote it yourself? Even better.
Syncthing is encrypted transfers.
The database is encrypted.
And you can set it to not use relays for data, only matchmaking between your own devices.
So it's an encrypted file, encrypted again, and sent directly from an IP you own to an IP you own.
I've always loved Keepass, however I moved away from it in 2012 as it and any file based vault has brute forcing issues. You need to track every copy of it that has been made and if any copy falls out of your hands, like if you lose a device, you need to do a password rotation on 100% of your passwords. Since its a file, its not possible to prevent brute forcing.
everything's a file
An online database is still a file ultimately. A SQL or other DB file stored in a webserver, accessed through a web interface.
Vaultwarden, etc, are the same, only the database file is less directly visible IMO. Keepass IMO is simple. The DB in a bespoke format, stored outside the application.
You could put the vault in system32 and name it "trustedinstaller.log", and if someone saw you had keepass they wouldn't even know where your vault is.
Given the number of well documented breaches of online password vaults, I would much rather do a private device to device sync via syncthing and keep it out of webservers.
This is disheartening.
Well this ain't good. I don't really feel like switching apps.
That's how they get you. Jump ship now
Anyone looking at this...what alternatives are out there?
KeePassxc with syncthing
Nextcloud with their password solutions
A notebook
Update: Bitwarden posted to X this evening to reaffirm that it's a "packaging bug" and that "Bitwarden remains committed to the open source licensing model."
I'm not going to jump ship just yet, though I may get around to updating my backup.
There are plenty of alternatives, so feel free to shop around. But don't jump the gun just because of a random Phoronix article with an update that says basically the opposite of what the article claims. Wait some time to see if there are actual changes coming.
I wonder~ I wonder~ I wonder whyyyy...
I don't understand.
Are you saying it's a bait and switch like Google, where they suck people in with a good product then enshittify it once they're hooked?
I'm not thoroughly aware of their dealings, but these amounts of private investment aren't going to pay for themselves. If you raise 100 million, investors typically want a billion back, or more.
From the looks of it, Bitwarden might've tried to go with the Open Source model to get free development resources, trust (because it's an open source PASSWORD manager), and general goodwill. But now that they've deemed that got enough of a market share (or investors are starting to breathe down their necks), it's time to start raising the walled garden.
Even if they claim after the fact that it was a "Bug" that the client couldn't be built without their proprietary sdk. The very fact one exists is a bad enough sign, specially when its influence is spreading.
VC is a devil's bargain. Raising VC money is NEVER a good sign.
so what's the best pw manager?
Vaultwarden is a nice self hosted bitwarden alternative
https://github.com/dani-garcia/vaultwardenSome prefer using KeepassXC and sync the database between devices
https://www.ctrl.blog/entry/keepass-vs-bitwarden-server.html+1 For KeePassXC and the KeePass ecosystem. Yes, you need to sync the database yourself, but you can use any file sharing service you like, e.g. google drive, dropbox... or selfhost something like nextcloud (like I do), which for me is actually a point in its favor.
Based on this news, I think I made the right choice back then when I decided to go with KeePass.
Vaultwarden is Bitwarden--at least for now, this change may push them apart.
Proton Pass is open source and the company that runs it recently reincorporated as a Swiss non-profit to ensure their privacy mission can't be bought out by venture capitalists etc.
Keepass? No cross device support, you need to manage that yourself through something like Google Drive...
lol that's what i used before i switched to bitwarden-- didn't have any complaints, but the database key file thing was kind of a pain
Agh, gross.
Some guy at bitwarden clicks a button wrong on a license drop-down option and all these people crawl out of the woodwork to declare the end of bitwarden being trustworthy. Nothing in the article or the company's statements indicates an actual move away from open source. Big nothingburger
Maybe you want to read the comment by kspearrin in that Github issue again. They are clearly moving away from open source. He explicitly states that they are in the process of moving more code to their proprietary "SDK" library.
sigh
Sooo, where's ProtonPass at? They're open source and non-profit, right?
The server is not open source and I wouldn't trust a business that is not just working on password managers.
Alright does anyone have opinions on Nextcloud Passwords? There's apps for it and it would sync to my Nextcloud.
I hate this. Bitwarden has been a good app.
It's a packaging bug, the headline is false.
Bitwarden has been a good app.
And it still is. There's no reason to stop using Bitwarden, and I will continue my plans to switch to Vaultwarden.
As @[email protected] said, it's a packaging bug, not an actual change in license. If you read the article, it says as much in the update.
Nextcloud passwords is just a client for a KeePass vault.
I guess it's as good or bad as that can be, but I'm sure it's limited in functionality to KeePassxc with plugins.
TIL... Thanks.
EDIT: Been playing with it a bit now and if it uses keepass as the DB the advantage I see right now is that having it in Nextcloud means automatic sync, and there are several autofill and syncing apps for various OSes and password sharing and automated checks for breaches. It's probably a better option for anyone with Nextcloud than going the Keepassxc/syncthing route.
Oh really? Where's the keepass file stored? This would be very cool if so
Keepass. Keep it simple.
If you want to roll your own with keepass that's fine, but most people will want a more comprehensive solution.
I switched from keepass to Bitwarden because individual entries started randomly disappearing. I'm still discovering missing accounts after switching a couple of weeks ago. Sometime to do with how keepass was opening the files, because when an entry went missing it was gone even from backup files I hadn't touched since before the entry disappeared.
3rd party sync of the database can have a lot of problems
Thats not good :(
By trying to make things simple, this ends up making it more complicated and convoluted than anything
I like pass and used it for a while, but sharing passwords with it wasn't nearly as straightforward as it is with bitwarden.
I use to always recommend bitwarden to people. Now i feel like an idiot for doing so with them switching up. Ill be making the effort to move to keepassxc soon and host it myself.
...host it?
...is there something I've been missing out on? Can one host a KeePass vault online? We have web apps? I only know about the Nextcloud ones. I've just been using syncthing and merging the conflicts when they happen.
I mean sync it between my devices using something like sync thing
I used to keep a copy of my kepass file in a free Dropbox account.
Well, I guess not having password manager yet did had some benefit because now I know not to use bitwarden