Bitwarden going proprietary?

They locked the GitHub discussion too. This is not a good sign

1 Like


See their answer

Hi @brjsp,
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

  1. the SDK and the client are two separate programs
  2. code for each program is in separate repositories
  3. the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

but that just shows their true intent.

1 Like

Well, the SDK can be used for Bitwarden or any other implementation of it. I don’t see where the problem is.

1 Like

It can’t, though.

You may not use this SDK to develop applications for use with software other
than Bitwarden (including non-compatible implementations of Bitwarden) or to
develop another SDK.

1 Like

But what does non-compatible mean? In my view, any client that can connect with their server is compatible, but I could be wrong.

Exactly, it’s quite vague. It’s not clear whether Vaultwarden would be counted as a “non-compatible” implementation. So it wouldn’t be safe to use it. Not to mention, it’s not a FOSS license anyway.

See License is not FOSS-compatible · Issue #898 · bitwarden/sdk · GitHub

BW is strong, battle tested and in the industry for long. Apart from the outdated UI, BW did not integrate the password management and data breach alerts to their apps. It can’t find its place among other apps.

Proton has a bunch of products, its users will try it for sure, some proton unlimited would also consider switching.

1password has ample customization so users who prefer ease of use would surely go for it.
Then there’s KeePass and its family for offline usage.

Maybe. I like a lot of features in Proton Pass, but I don’t like its webapp showing passwords in a very large font. I use custom fields in BW extensively, which don’t get perfectly imported in other password managers. Let’s wait and see where this path goes.

That’s sad, but also understandable as a business strategy.
Bitwarden is fully self-hostable, and so maybe Bitwarden has seen that third-party clients were gaining too much popularity.

I know we all like to say how companies are evil, etc. – but at the end of the day they need to make money to keep the lights on.

Proton Pass has done this with a freemium model, a proprietary backend, integration with their own aliases, etc.
1Password has done this through a paid-only service.

2 Likes

The sudden change without discussion, and similar bad faith actions in the past, are the problem. For the license, I’m sure there are users who would have continued regardless. Trust is at the core of this for me.

2 Likes

Well, they have a public GitHub repo and anyone can track pull requests. Of course, they aren’t going to actively promote this change, but if they asked, wouldn’t everyone say it’s a bad idea without proposing alternatives?

Such as?

2 Likes

Yeah, lemme just follow the development cycle of all the services I use to ensure they don’t sneak in shit.

And calling a bad decision a bad decision is not a problem tbh, and it’s usually not my job to propose alternatives unless I am getting a consulting fee. See, this is the issue: are we defending clearly anti-user actions just because it’s from a project that’s FOSS? If Google suddenly made AOSP proprietary (they can’t), everyone would be crucifying them.

Read the GitHub issue, and the link I posted above.

Anyway, BW was one of the few non-Proton apps I was using, guess I’m switching to them or KeePass now.

2 Likes

You don’t have to, but some people will, and that’s the original goal of journalists.

Sorry, but what? You say they didn’t seek user feedback, but you wouldn’t propose alternatives if they didn’t pay you…

Well, having one source-available dependency is really not the end of the world. After all, Android has Google services.

And yes, I do make a difference between a small company and one of the largest companies in the world.

3 Likes

You are fundamentally misunderstanding what a user’s relationship with a service they use is.

They sold the service by saying it’s fully open source. I paid on that premise. Then they made a change to that condition on which I paid them, without informing me. That’s deception. Is that clear?

As the end user who is paying for a service, I am NOT supposed to solve a business problem. If a company is on the brink of being bankrupt, they don’t rush to their users for ideas, they hire firms that help them get out of financial crisis. It’s a business problem, I am not supposed to solve it.

This is ridiculous. If my bank introduced a fee to use their debit card, I file a complaint. I don’t send them alternate ways to raise the money they wanted to raise with that fee. I am the service user, not the company. Bitwarden is not some mom and pop project run by a single maintainer. They are a service provider with end users, contracts, and companies they support.

Android has no Google dependency. You might be confusing it with Google’s flavor of Android that is stock on Pixels. Common misconception. AOSP has no Google services attached to it.

What? I don’t think auditing pull requests on GitHub repos is the original goal of journalists. And again, there is a reason you receive “We have changed the terms of service” emails, because a company is supposed to be answerable to its users, not playing a game of hide and seek with them. Especially in a high-trust piece of software like a password manager.

5 Likes

Are you sure?

I understand, but I’m not sure whether including a dependency that isn’t open-source but only source-available is a violation of open-source principles. For example, Mozilla includes the Google DRM plugin.

But I understand you are angry, especially if you are a paid customer.

My point was that tech journalists should (and some are doing a good job) check PRs for open-source projects, as it would allow them to talk about upcoming features, or possible bad changes like this one. The original goal of journalists is to dig into documents so people don’t have to.

Maybe I underestimated their size.

Also, and I am a bit contradicting myself here, but we might see here a race for profits as they have to make money for the 100 million dollars they raised: How Does Bitwarden Make Money? Analyzing Its Business Model (2024)

You must enable it manually within the browser, and only after you enable it are the required binaries downloaded and run. It’s not included out of the box and isn’t a dependency required for the browser to work.

Ah crud, this makes me concerned. I was just recommending Bitwarden to a friend yesterday too…

@jonah what is PG’s take on all this?

1 Like

Maybe I am misunderstanding something, but I don’t understand why this is such a big deal from a security perspective. If the code remains source available, and therefore auditable, nothing stops anyone from finding and reporting issues.

If the complaint is that a company is spending money developing code and others cannot use it for free anymore, then… well, I don’t really care. Bitwarden has to make money, and if they paid for the code development I don’t see any issue with them not giving it away for free.

For what it’s worth, they still have this section on their website with a link to GitHub:

4 Likes

As an end user, I also do not understand why this is a big deal, even as a FOSS enthusiast. Are people afraid of a rug pull of the license? Why does this negatively affect you today?

2 Likes