Hi @brjsp,
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
the SDK and the client are two separate programs
code for each program is in separate repositories
the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
You may not use this SDK to develop applications for use with software other
than Bitwarden (including non-compatible implementations of Bitwarden) or to
develop another SDK.
Exactly, it's quite vague. It's not clear whether Vaultwarden would be counted as a "non-compatible" implementation. So it wouldn't be safe to use it. Not to mention, it's not a FOSS license anyway.
BW is strong, battle tested and in the industry for long. Apart from the outdated UI, BW did not integrate the password management and data breach alerts into their apps. It can't find its place among other apps.
Proton has a bunch of products, its users will try it for sure, some proton unlimited would also consider switching.
1password has ample customization so users who prefer ease of use would surely go for it.
Then there's KeePass and its family for offline usage.
Maybe. I like a lot of features in Proton Pass but I don't like its webapp showing passwords in a very large font. I use custom fields in BW extensively, which don't get perfectly imported into other password managers. Let's wait and see where this path goes.
That's sad, but also understandable as a business strategy.
Bitwarden is fully self-hostable, and so maybe Bitwarden has seen that third party clients were gaining too much popularity.
I know we all like to say how companies are evil, etc., but at the end of the day they need to make money to keep the lights on.
Proton Pass has done this with a freemium model, a proprietary backend, integration with their own alias, etc.
1 Password has done this through a paid-only service.
Well, they have a public GitHub repo and anyone can track Pull Requests. Of course, they aren't going to actively promote this change, but if they ask, wouldn't everyone say it's a bad idea without proposing alternatives?
I understand, but I'm not sure whether including a dependency that isn't open-source but only source-available is a violation of open-source principles. For example, Mozilla includes the DRM Google plugin.
But I understand you are angry, especially if you are a paid customer,
My point was that tech journalists should (and some are doing a good job) check PRs for open-source projects, as it would allow them to talk about upcoming features, or possible bad changes like this one. The original goal of journalists is to dig into documents so people don't have to.
You must enable it manually within the browser, and only after you enable it are the required binaries downloaded and run. It's not included out of the box and isn't a dependency required for the browser to work.
Maybe I am misunderstanding something, but I don't understand why this is such a big deal from a security perspective. If the code remains source available, and therefore auditable, nothing stops anyone from finding and reporting issues.
If the complaint is that a company is spending money developing code and others cannot use it for free anymore then... well, I don't really care. Bitwarden has to make money, and if they paid for the code development I don't see any issue with them not giving it away for free.
For what it's worth, they still have this section on their website with a link to GitHub:
As an end user, I also do not understand why this is a big deal, even as a FOSS enthusiast. Are people afraid of rug pulling of the license? Why does this negatively affect you today?
Hi, Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
the SDK and the client are two separate programs
code for each program is in separate repositories
the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
As a suggestion, next time spell out SDK at least once. Some people are thinking it has something to do with the desktop app, instead of Software Development Kit. And maybe write a clearer statement for the Reddit community, which isn't that technical. I saw a lot of panicked users here who clearly have no idea what this issue is all about.
Thanks for the links @xe3
At first I was starting to search for an alternative (1Password / KeePass2 maybe), but I figure I'll just keep using good old trusty Bitwarden after reading this.
I'll keep an eye on it for a few days, to make sure I did not misunderstand.
So far I'm understanding as @Quantum and agree.
The SDK in this context is clearly just a library for doing the real stuff and they deliberately made it proprietary.
This isn't some extra bonus fun for other people to use like an SDK would usually be.
This has been known for months. Again, as I posted above, this is why F-Droid.org won't include Bitwarden, because, to reiterate again, it is a proprietary dependency.
This seems perfectly valid to me. They still ensure they section out their source available code and still publish a significant portion as FOSS as you get.
But why tolerate it? It wasn't like this before.
This is a blatant rug pull, especially for customers who paid for a FOSS solution.
Y'all gotta resist more and stop tolerating this bullshit.