- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:
You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.
This violates freedom 0.
It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.
You must log in or # to comment.
Does anyone have experience with keyguard? From a cursory glance, this + vaultwarden seems like a good alternative…
I just tried it out and I’m amazed. It looks and feels just like 1Password, my absolute favorite password manager (before I switched to Bitwarden, because 1Password is proprietary and pretty expensive)
I definitely recommend it
I have some! I use a self hosted vaultwarden and just two days ago I saw and installed KeyGuard out of curiosity. So far, I can say KeyGuard is a nicer looking and feeling app and… it works. So as long as their intentions are pure, you can use “bitwarden” without using any of their software or infrastructure.
Just tried it, and it seems you can’t edit or add items without a premium subscription??
Or am I missing something?
Edit: Apparently only when installing via the Play Store. Very weird decision.
Ah, yeah, I installed it from their github with obtainium. I think open source/libre app that charges people to install with the play store is a model a few others have tried as well.
I don’t think it’s unreasonable to want to be paid, but a mandatory subscription when using the most common install method does irk me the wrong way
I haven’t looked into it at all, but that just seems so strange. Who would pay that when the original Bitwarden app is still there for free? Most people who would even know about KeyGuard would know how to install it from somewhere else. Is it essentially a donation?
It would be if it’s a one-time payment, but it’s a yearly subscription, and not a cheap one!
License
The source code is available for personal use only.
That doesn’t really seem like an improvement, although do they say they’re planning on releasing it under the FSL.
Ah damn it -.-
Too bad, the app is really nice to use :/
Uh oh. Android user here. Time to jump ship? If so…proton??
As with all of their services, the back-end is closed-source.
For the purposes of user freedom, it’s not that critical as the back-end merely facilitates the storage and synchronisation of encrypted data. This is different from the bitwarden case where they’re now including freedom disrespecting code into the most critical part of their software: the clients which handle the unencrypted data.
Fact of the matter remains however that Proton Pass restricts your freedom by not allowing you to self-host it.If you are fine with not being able to self-host, I’d say it’s a good option though. Doubly so if you are already a customer of their other services.
Proton has demonstrated time and time again to act for the benefit of its users in the past decade and I see no incentive for them to stop doing so. I’d estimate a low risk of enshittification for Proton which is high praise for a company of their size.
@bitwarden bitwarden locked and limited conversation to collaborators
They also locked the thread 16 hours ago (as of writing this comment), with no explanation.
The explanation is the second-to-last comment before it got locked. 🤦
This hysteria is really stupid.
That “explanation” is unsatisfactory and likely wrong: https://www.gnu.org/licenses/gpl-faq.html#MereAggregation
So they either have to license their SDK under a GPLv3 compatible license, or switch the license of their client to a non-GPL one.
That may or may not be the case, but the comment I replied to said they locked the thread with “no explanation”.
I would say a proper explanation includes the goal you want to achieve, not just the statement that you think that you are allowed to do something.
That’s the technical explanation for the changes, no an explanation for closing the discussion all together.
They banned me from reddit and then reported me with mods those fckers…
https://github.com/bitwarden/clients/issues/11611#issuecomment-2436287977
We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.
https://github.com/bitwarden/sdk-internal/commit/db648d7ea85878e9cce03283694d01d878481f6b
Thank you to Bitwarden for relicensing a thing to GPLv3 License!
Fuck. Is it difficult to export my data to something like Keypass? Very disappointed to hear this.
Bitwarden has an export functionality. Export to JSON, import in Keepass, done.
There’s KeePassXC if you want Linux support (keepass2 file is compat with XC variant).
pass is enough (+ xdotool + rofi + pass-menu). Synchronization via git or Syncthing.
How does this play with mobile?
There’s an Android app, but it’s not being developed any more https://github.com/android-password-store/Android-Password-Store
There’s an iOS app as well https://mssun.github.io/passforios/
They have a list with all the clients and other tools on their website
https://www.passwordstore.org/#otherbesides everything else, the end of support for syncthing-android, yes, that’s a real blow to the gut.
as another option this KeePassXC(PC)+radicale+DavX5 The same for KeepassDX
Radicale+DavX5 is for calendars and contacts, no? How does this work for passwords
for passwords no way, as you noted it is for calendars and contacts
Integration with Android
The GnuPG implementation for Android is called OpenKeychain. To configure it, just go to the “key management” menu and import the previously created secret key. The only drawback of OpenKeychain for me personally is that there is no fingerprint unlocking.
The pass implementation for Android is called android-password-store, or simply APS.
Install and launch APS. Before synchronizing the password store, go to the “Settings” menu. There we will need the following items:
-
Git server settings. The resulting URL should be the same as that specified on the repository page on github. Authorization type -OpenKeychain. -
Git utils. In this section, specify the username and email from the gpg key. -
OpenPGP provider. SelectOpenKeychain. -
Autofill.
Now you can clone. Select “clone from server” on the main screen, specify the desired location of the repository, check the git settings.
Of course, pass is not that easy to set up. However, this price buys confidence that the tools we use will not one day be declared obsolete, will not change their data format, and will not be left without support.
-
I’m familiar with pass and familiar-ish with rofi. What do the other two do?
A small script for entering passwords into various windows via rofi, I take passwords from pass.
Example script:
#!/bin/bash # Sample file rofi_pass.sh passwords=$(find /home/fireshell/.password-store/ -type f -name *.gpg) selected_pass=$(echo -e "$passwords" | awk -F "/" '{printf "%s > %s\n", $5, $6}' | rofi -dmenu -p Pass) item=$(echo "$selected_pass" | awk '{printf "%s/%s", $1, $3}' | sed 's/\.gpg//g') data=$(pass show $item) pass=$(echo -e "$data" | head -n1) login=$(echo -e "$data" | grep -e "^login: " | sed 's/^login: //g') xdotool type "$login" xdotool key Tab xdotool type "$pass"In
awesome wmI bound a key that calls it like this:awful.key({ modkey}, "p", function () awful.spawn.with_shell("/home/fireshell/Scripts/rofi_pass.sh") end , {description = "rofi pass", group = "launcher"}),I turn on the computer, press the key combination and the script works, or I run this script from the terminal (
~/Scripts/rofi_pass.sh), select the password - it works (if necessary, pinentry is called to enter the main password), after that I press the key combination, select the desired entrypassmenu: extremely useful and wonderful dmenu script.
I was copying and pasteing from pass but that looks much cooler, thanks!
Nobody here talks about keepassxc ? I’ve been using it for almost a decade, it can be used with sync tools to be shared, I’ve managed to have db keepass file opened on several computers and it did work well. Gplv3 here https://keepassxc.org/
I just switched over. Honestly, I like it even more than Bitwarden. Then again, I don’t sync my stuff between devices because I’m old I guess. Lol. It makes it easier to switch because I don’t have to deal with stuff like Syncthing.
No Android app though?
Ty, exploring alternative tools. I really don’t like last pass due to their lax data security and 1 Password for the same reason.
Bitwarden still earns my $10/year.
No excuse to not look into it now. Hopefully it uses Android autofill.
It does support autofill
Keepass isn’t really in the same category of product as Bitwarden. The interesting part of bitwarden is that it’s ran as a service.
Bitwarden can’t be compared to KeePassXC. Bitwarden is fundamentally built around a sync server, whereas KeePass is meant to exclusively operate locally. These are two very different fundamental concepts for, you know, how to actually store and access your passwords.
Store your database in a nextcloud instance and it’s that too
Nope. Since the entire database is contained in a single file, it can’t sync multiple edits properly, leading to sync conflicts. Because KeePass was built around local database files, whereas Bitwarden uses actual synced databases, where individual updates can be uploaded, instead of causing conflicts or overwriting the entire db.
Conflicts haven’t been an issue for years, all modern iterations of KeePass (XC, kp2a, DX) support automatically merging in the latest before saving.
I’ve been using it for years this way across several devices, it’s incredibly solid
Do you sync it across your devices using Syncthing? That’s what I’m thinking of doing.
There’s a lot of drama in that Issue, and then, at the very end:
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
the SDK and the client are two separate programs
code for each program is in separate repositories
the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
Um can someone translate what this means?
They’re trying to argue legal technicalities because acknowledging that they’re trying to reduce compatibility with servers like vaultwarden would be bad PR.
Per their new license, anyone that uses their SDK to build a client cannot say, “this is for Bitwarden and compatible servers like vaultwarden”. They cannot support those other servers, per their license. Anyone that gets suckered into using their SDK now becomes a force against alternative implementations.
The main program is open, but the development tools are not
They claim the SDK and Bitwarden are completely separate, so Bitwarden is still open source.
The fact that the current version of Bitwarden doesn’t work at all without the SDK is just a bug, which will be fixed Soon™
Also important to note is that they are creating the same license problems in other places.
They broke f-droid builds 3 months ago and try to navigate users to their own repo now. Their own repo ofc not applying foss requirements, because the android app is no longer foss as of 3 months ago. Now the f-droid version is slowly going out of date, which creates a nice security risk for no reason other than their greed.
Apparently they also closed-sourced their “convenient” npm Bitwarden module 2 months ago, using some hard to follow reference to a license file. Previously it was marked GPL3.
Iirc, once reported, the project has 30 days to remedy or they are in violation of the license. They can’t even release a new version with a different license since this version is out under the GPL.
Given that they own all of the source code (CLA is required to contribute), they can just stop offering the code under GPL, unless they happen to have any GPL dependencies not under their control, in which case this would not be viable.
Switching licenses to future versions doesn’t invalidate previous versions released under GPL.
I’m not a lawyer but I deal with OSS licenses for work and I don’t know if there’s ever been a case like this, that I can think of anyway.
Their previous versions, still being under the GPL, would require them to release a change to make it usable on desktops. Again, I’m not a lawyer here but there is a lot of case law behind the GPL and I think the user who made the issue could take them to court to force them to make the change if they don’t respond in 30 days.
It means previous versions remain open, but ownership trumps any license restrictions.
They don’t license the code to themselves, they just have it. And if they want to close source it they can.GPLv3 and copyleft only work to protect against non-owners doing that. CLA means a project is not strongly open source, the company doing that CLA can rugpull at any time.
The fact a project even has a CLA should be extremely suspect, because this is exactly what you would use that for. To ensure you can harvest contributions and none of those contributers will stand in your way when you later burn the bridges and enshittify.
What is CLA in this context?
Licensing the source as GPL doesn’t really force the copyright holder (which is 100% BitWarden due to their Contributors Agreement^*, no matter who contributed the code) to do anything - they are absolutely free to release binaries built on the same codebase as proprietary software without any mention of the GPL.
For example if I write a hello world terminal program, release its source code under GPLv3 and then build it and give the built binary to you (and a permission to use it), you cannot force me to give you the source code for that build because I never gave you a GPL licensed binary.
If you were to take my GPLv3 source code and distribute a build of it however, you would have to license your binaries under GPLv3, because that’s the terms of the license I provided the source code to you under. Your users would then have the right to request the source code of those binaries from you. And if you released the build under an incompatible license, I (but not the users) could sue you for violating my license.
Their previous versions, still being under the GPL, would require them to release a change to make it usable on desktops.
License violations are usually not resolved by making the violator comply retroactively, just going forward. And it’s the copyright holder (so BitWarden themselves) who needs to force the violator to comply.
^* this is the relevant part of the CA:
By submitting a Contribution, you assign to Bitwarden all right, title, and interest in any copyright in the Contribution and you waive any rights, including any moral rights or database rights, that may affect our ownership of the copyright in the Contribution.
It is followed by a workaround license for parts of the world where copyright cannot be given up.
further translating it: they are closing it down but trying to make it look like they arent
plan to resolve
timeline unknown, maybe 2124
There is always a very vocal minority itching to cause as much drama as possible. It’s very discouraging to see in general. I agree with and want more FOSS, but I’m not sure I’d ever consider making it myself; it’s not worth extra stress personally.
ITT: A lot of conspiracy theories without much (any?) evidence. Let’s see if they resolve the dependency issue before wet get our pitchforks, shall we?
Too late. Found a pitchfork sale in my local hardware store, so got a few for this and whatever fucking company does a rug pull next.
I don’t know what the heck you’re talking about.
I see overwhelming evidence that they have intentionally made parts of the clients’ code proprietary. You can check the client code yourself (for now anyways) and convince yourself of the fact that the bw SDK code is in indeed integrated into the bitwarden clients’ code base.
This is the license text of the sdk-internal used in 2024.10.1 (0.1.3): https://github.com/bitwarden/sdk/blob/16a8496bfb62d78c9692a44515f63e73248e7aab/LICENSE
You can read that license text to convince yourself of the fact that it is absolutely proprietary.
Here is also the CTO and founder of Bitwarden admitting that they have done it and are also attempting to subvert the GPL in using sdk-internal:
https://github.com/bitwarden/clients/issues/11611#issuecomment-2424865225
Hi @brjsp, Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
- the SDK and the client are two separate programs
- code for each program is in separate repositories
- the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
(Emphasis mine.)
The fluff about the ability to even build the app is secondary, the primary issue is that the Bitwarden clients are no longer free software. That fact is irrefutable.
That would be an issue if they were not open source. Them making their own SDK proprietary is not a pitchfork issue.
Open source !== Non-proprietary
Well, then it would be nice to hear from them an explanation on why they decided to violate the GPLv3 on their client, by coupling it with proprietary code in a way that disallows building and/or usage without that proprietary component.
They would be insane to change that.
Yes. And i hope that they recover from it soon.
Well, then it would be nice to hear from them an explanation on why they decided to violate the GPLv3
Lucky for you, they provided that explanation:
- This is a bug/mistake.
- Our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
- We will fix this.
Ok, lets take it step by step:
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
- the SDK and the client are two separate programs
I think they meant executable here, but that also doesn’t matter. If both programs can only be used together and not separate, and one is under GPLv3, then the other needs to be under GPLv3 too.
- code for each program is in separate repositories
How the code is structured doesn’t matter, it is about how it is consumed by the end-user, there both programs are delivered together and work together.
- the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
The way those two programs communicate together, doesn’t matter, they only work together and not separate from each other. Both need to be under GPLv3
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
Not being able to build a GPLv3 licenses program without a proprietary one, is a build dependency. GPLv3 enforces you to be able to reproduce the code and I am pretty sure that the build tools and dependencies need to be under a GPLv3 compatible license as well.
But all of that still doesn’t explain what their goal of introducing the proprietary SDK is. What function will it have in the future? Will open source part be completely independent or not? What features will depend on the close-source part, and which do not? Have they thought about any ethical concerns, that many contributors contributed to their software because it under a GPL license? How are they planning on dealing with the loss of trust, in a project where trust is very important? etc.
What features will depend on the close-source part, and which do not?
There are definitely some terminology issues here.
The SDK is not closed source, you can find the source here: https://github.com/bitwarden/sdk
It might not be GPL open-source, but it is not closed either.
Other than that, I agree with your points. I don’t agree with the kneejerk hysteria from many of the comments - it’s one of the worst things about FOSS is how quick people are to anger (I am not referring to you here).
But all of that still doesn’t explain what their goal of introducing the proprietary SDK is.
Let’s wait and see before we get out the pitchforks.
The SDK is not closed source, you can find the source here: https://github.com/bitwarden/sdk
It might not be GPL open-source, but it is not closed either.
Sure. To me “source available” is still closed-source, since looking might give companies an attack surface for you to have violated their copyright in the future. Happened with IBM in the past: https://books.google.de/books?id=gy4EAAAAMBAJ&lpg=PA15&pg=PA15&redir_esc=y#v=onepage&q&f=false
Let’s wait and see before we get out the pitchforks.
Sure. Bitwarden doesn’t owe us anything, but it is still sad to see this decision and better clarification and explanation could have alleviated the breaking of the trust here.
We need a fully community run password manager with row-level server synchronisation between devices and shared vaults. Maybe a new client for the Bitwarden protocol with Vaultwarden or something new. E.g. 1password’s secret key as a second factor is, imho, their best feature. It pretty much eliminates the possibility of the vault being decrypted due to a weak master password.
How would the community’s reaction be if Bitwarden goes, “Look, we are moving more into the enterprise space, which means using proprietary software to service their needs. Our intention is to keep the enterprise and public versions sandboxed, but there is crossover, and we made a mistake.”? I really don’t care what they do in the enterprise space. Perhaps I’m an apologist, but seemingly more torn than most other posters.
Laughs in keepassxc
Does this affect valtwarden?
Yes because it is about, ultimately, making the major clients incompatible with vaultwarden on both a legal and technical level.
A likely outcome if they don’t reverse course is a split where FOSS Nerfs fork the clients and have to maintain their own versions. That’s the outcome Bitwarden wants. This reeks of a bazinga, “how dare they benefit from our work and take our users”, which is hilarious for a FOSS ecosystem that almost universally benefits corporations with free labor.
Vaultwarden is only the server, no? So any clients that you use to access Vaultwarden are built and maintained by 8bit solutions a.k.a. Bitwarden, including the desktop client that is the subject of this post.
Ever since BitWarden got mired in capitalism, I’ve been dreading that something like this would happen.
Apparently and according to Bitwardens post here, this is a “packaging bug” and will be resolved.
Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
Let’s hope this is not just the PR compartment trying to make this look good.
I think even if they do reverse course or it was a genuine mistake, it’s easy to lose people’s trust forever, ESPECIALLY when it comes to something sensitive like storing ALL of your passwords.
