359
Bitwarden Desktop version 2024.10.0 is no longer free software (github.com)
submitted 16 hours ago by pnutzh4x0r@lemmy.ndlug.org to c/opensource@lemmy.ml
70 comments fedilink hide all child comments

Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:

You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.

This violates freedom 0.

It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.

top 50 comments
sorted by: hot top controversial new old
[-] smiletolerantly@awful.systems 8 points 1 hour ago

Does anyone have experience with keyguard? From a cursory glance, this + vaultwarden seems like a good alternative...

[-] qaz@lemmy.world 1 points 17 minutes ago* (last edited 9 minutes ago)

License

The source code is available for personal use only.

That doesn't really seem like an improvement, although do they say they're planning on releasing it under the FSL.

[-] bilb@lem.monster 4 points 1 hour ago

I have some! I use a self hosted vaultwarden and just two days ago I saw and installed KeyGuard out of curiosity. So far, I can say KeyGuard is a nicer looking and feeling app and... it works. So as long as their intentions are pure, you can use "bitwarden" without using any of their software or infrastructure.

[-] smiletolerantly@awful.systems 2 points 1 hour ago* (last edited 1 hour ago)

Just tried it, and it seems you can't edit or add items without a premium subscription??

Or am I missing something?

Edit: Apparently only when installing via the Play Store. Very weird decision.

[-] bilb@lem.monster 4 points 1 hour ago* (last edited 1 hour ago)

Ah, yeah, I installed it from their github with obtainium. I think open source/libre app that charges people to install with the play store is a model a few others have tried as well.

[-] smiletolerantly@awful.systems 2 points 1 hour ago

I don't think it's unreasonable to want to be paid, but a mandatory subscription when using the most common install method does irk me the wrong way

[-] bilb@lem.monster 1 points 54 minutes ago

I haven't looked into it at all, but that just seems so strange. Who would pay that when the original Bitwarden app is still there for free? Most people who would even know about KeyGuard would know how to install it from somewhere else. Is it essentially a donation?

[-] fireshell@lemmy.ml 1 points 39 minutes ago* (last edited 37 minutes ago)

pass is enough (+ xdotool + rofi + pass-menu). Synchronization via git or Syncthing.

[-] Danitos@reddthat.com 2 points 1 hour ago

@bitwarden bitwarden locked and limited conversation to collaborators

They also locked the thread 16 hours ago (as of writing this comment), with no explanation.

[-] asap@lemmy.world 1 points 1 hour ago

The explanation is the second-to-last comment before it got locked. 🤦

This hysteria is really stupid.

[-] prosp3kt@lemmy.dbzer0.com 1 points 1 hour ago

They banned me from reddit and then reported me with mods those fckers...

[-] Lemmchen@feddit.org 11 points 6 hours ago* (last edited 6 hours ago)

ITT: A lot of conspiracy theories without much (any?) evidence. Let's see if they resolve the dependency issue before wet get our pitchforks, shall we?

[-] Atemu@lemmy.ml 4 points 2 hours ago* (last edited 2 hours ago)

I don't know what the heck you're talking about.

I see overwhelming evidence that they have intentionally made parts of the clients' code proprietary. You can check the client code yourself (for now anyways) and convince yourself of the fact that the bw SDK code is in indeed integrated into the bitwarden clients' code base.

This is the license text of the sdk-internal used in 2024.10.1 (0.1.3): https://github.com/bitwarden/sdk/blob/16a8496bfb62d78c9692a44515f63e73248e7aab/LICENSE

You can read that license text to convince yourself of the fact that it is absolutely proprietary.

Here is also the CTO and founder of Bitwarden admitting that they have done it and are also attempting to subvert the GPL in using sdk-internal:

https://github.com/bitwarden/clients/issues/11611#issuecomment-2424865225

Hi @brjsp, Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

  • the SDK and the client are two separate programs
  • code for each program is in separate repositories
  • the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

(Emphasis mine.)

The fluff about the ability to even build the app is secondary, the primary issue is that the Bitwarden clients are no longer free software. That fact is irrefutable.

[-] asap@lemmy.world 3 points 1 hour ago* (last edited 43 minutes ago)

That would be an issue if they were not open source. Them making their own SDK proprietary is not a pitchfork issue.

Open source !== Non-proprietary

I would go as far as to say that Bitwarden's main competitive advantage and differentiation is that it's open source. They would be insane to change that.

[-] jjlinux@lemmy.ml 5 points 5 hours ago

Too late. Found a pitchfork sale in my local hardware store, so got a few for this and whatever fucking company does a rug pull next.

[-] rozlav@lemmy.blahaj.zone 27 points 9 hours ago

Nobody here talks about keepassxc ? I've been using it for almost a decade, it can be used with sync tools to be shared, I've managed to have db keepass file opened on several computers and it did work well. Gplv3 here https://keepassxc.org/

[-] Atemu@lemmy.ml 9 points 5 hours ago

Keepass isn't really in the same category of product as Bitwarden. The interesting part of bitwarden is that it's ran as a service.

[-] unrushed233@lemmings.world 5 points 5 hours ago

Bitwarden can't be compared to KeePassXC. Bitwarden is fundamentally built around a sync server, whereas KeePass is meant to exclusively operate locally. These are two very different fundamental concepts for, you know, how to actually store and access your passwords.

load more comments (5 replies)
[-] EveryMuffinIsNowEncrypted@lemmy.blahaj.zone 15 points 9 hours ago

Damn, I just switched from Bitwarden to KeepPassXC.

Clearly just in time. Lol.

load more comments (1 replies)
[-] wuphysics87@lemmy.ml 10 points 9 hours ago

A few questions out of ignorance. How different is this to gitlab's open core model? Is this a permanent change? Is the involvement of investors the root of this? Are we overreacting as it doesn't meet our strict definition of foss?

[-] Atemu@lemmy.ml 7 points 4 hours ago

How different is this to gitlab’s open core model?

That's a really good question that I don't immediately have a satisfying answer to.

There are some differences I can point out though:

  • Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW's clients cannot even be compiled without the proprietary SDK anymore.
  • Gitlab was always a permissive license (MIT) and never attempted to subvert its original license terms
  • Gitlab-EE's "closed" core is actually quite open (go read the source code) but still squarely in the proprietary camp because it requires you to have a valid subscription to exercise your freedoms.

Is this a permanent change?

It'd be quite trivial for them to do in technical terms: Either license the SDK as GPL or stop using it in the clients.

I don't see a reason for them to roll it back though. This was decided long ago and they explicitly decided to stray away from the status quo and make it closed source.

The only thing I could see making them revert this would be public pressure. If they lose a sufficient amount of subscribers over this, that might make them reconsider. Honestly though by that time, the cat's out of the bag and all the public goodwill and trust is gone.
It's honestly a bafflingly bad decision from even just a business perspective. I predict they'll lose at least 20% but likely 30-50% of their subscribers to this.

Is the involvement of investors the root of this?

I find that likely. If it stinks, it's usually something stinky's fault.

Are we overreacting as it doesn’t meet our strict definition of foss?

They are attempting to subvert one of the FOSS licenses held in the highest regard. You cannot really be much more anti than this.

An "honest" switch to completely proprietary licenses with a public announcement months prior would have been easier to accept.

[-] asap@lemmy.world 1 points 1 hour ago* (last edited 46 minutes ago)

Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW's clients cannot even be compiled without the proprietary SDK anymore.

None of that makes Bitwarden not open source. Not only that, they specifically state this is a bug which will be addressed.

I would go as far as to say that Bitwarden's main competitive advantage and differentiation is that it's open source. They would be insane to stop that.

[-] twirl7303@lemmy.world 33 points 11 hours ago

If this is not resolved I will likely switch to another service. Free software compatibility was the main reason I paid for bitwarden over its competitors.

load more comments (6 replies)
[-] KLISHDFSDF@lemmy.ml 9 points 10 hours ago

Looks like I might be moving to Proton Pass after all! I'll give them some time to see what they do about this, but will happily give my money to someone else and migrate friends/family as well.

[-] RvTV95XBeo@sh.itjust.works 1 points 55 minutes ago

I know little about Proton Pass, but how confident are you they don't also used a proprietary SDK with their open source apps?

[-] umbrella@lemmy.ml 7 points 10 hours ago* (last edited 10 hours ago)

i was about to replace my glorified encrypted text file for a password manager. guess relying on 3rd parties in a late-stage capitalist world is not a viable alternative.

ill stay with my encrypted text file until they privatize encryption. by then ill probably be carving my passwords out on stone. or burning down the servers of these fucking pigs trying to make us identify ourselves for everything on the internet now.

[-] andrew_s@piefed.social 103 points 16 hours ago* (last edited 16 hours ago)

There's a lot of drama in that Issue, and then, at the very end:

Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

the SDK and the client are two separate programs
code for each program is in separate repositories
the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

load more comments (14 replies)
load more comments
view more: next ›
this post was submitted on 20 Oct 2024
359 points (96.1% liked)

Open Source

30787 readers
903 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml