They locked the GitHub discussion too. This is not a good sign.
A post was merged into an existing topic: Financial side of privacy-focused FOSS software and projects
See their answer
Hi @brjsp,
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
- the SDK and the client are two separate programs
- code for each program is in separate repositories
- the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
but that just shows their true intent.
Well, the SDK can be used for Bitwarden or any other implementation of it. I don't see where the problem is.
It can't, though.
You may not use this SDK to develop applications for use with software other
than Bitwarden (including non-compatible implementations of Bitwarden) or to
develop another SDK.
But what does non-compatible mean? In my view, any client that can connect with their server is compatible, but I could be wrong.
Exactly, it's quite vague. It's not clear whether Vaultwarden would be counted as a “non-compatible” implementation. So it wouldn't be safe to use it. Not to mention, it's not a FOSS license anyway.
See License is not FOSS-compatible. · Issue #898 · bitwarden/sdk · GitHub
BW is strong, battle-tested and has been in the industry for a long time. Apart from the outdated UI, BW did not integrate password management and data breach alerts into their apps. It can't find its place among other apps.
Proton has a bunch of products; its users will try it for sure, and some Proton Unlimited users would also consider switching.
1Password has ample customization, so users who prefer ease of use would surely go for it.
Then there's KeePass and its family for offline usage.
Maybe. I like a lot of features in Proton Pass, but I don't like its web app showing passwords in a very large font. I use custom fields in BW extensively, which don't get perfectly imported into other password managers. Let's wait and see where this path goes.
That's sad, but also understandable as a business strategy.
Bitwarden is fully self-hostable, and so maybe Bitwarden has seen that third-party clients were gaining too much popularity.
I know we all like to say how companies are evil, etc., but at the end of the day they need to make money to keep the lights on.
Proton Pass has done this with a freemium model, a proprietary backend, integration with their own aliases, etc.
1Password has done this through a paid-only service.
The sudden change without discussion, and similar bad-faith actions in the past, are the problem. For the license, I'm sure there are users who would have continued regardless. Trust is at the core of this for me.
Well, they have a public GitHub repo and anyone can track pull requests. Of course, they aren't going to actively promote this change, but if they asked, wouldn't everyone say it's a bad idea without proposing alternatives?
Such as?
Yeah, lemme just follow the development cycle of all the services I use to ensure they don't sneak in shit.
And calling a bad decision a bad decision is not a problem tbh, and it's usually not my job to propose alternatives unless I am getting a consulting fee. See, this is the issue: are we defending clearly anti-user actions just because it's from a project that's FOSS? If Google suddenly made AOSP proprietary (they can't), everyone would be crucifying them.
Read the GitHub issue, and the link I posted above.
Anyway, BW was one of the few non-Proton apps I was using; guess I'm switching to them or KeePass now.
You don't have to, but some people will, and that's the original goal of journalists.
Sorry, but what? You say they didn't seek user feedback, but you wouldn't propose alternatives if they didn't pay you…
Well, having one source-available dependency is really not the end of the world. After all, Android has Google services.
And yes, I do make a distinction between a small company and one of the largest companies in the world.
You are fundamentally misunderstanding what a user's relationship with a service they use is.
They sold the service by saying it's fully open source. I paid on that premise. Then they made a change to that condition on which I paid them, without informing me. That's deception. Is that clear?
As the end user who is paying for a service, I am NOT supposed to solve a business problem. If a company is on the brink of bankruptcy, they don't rush to their users for ideas; they hire firms that help them get out of financial crisis. It's a business problem, I am not supposed to solve it.
This is ridiculous. If my bank introduced a fee to use their debit card, I file a complaint. I don't send them alternate ways to raise the money they wanted to raise with that fee. I am the service user, not the company. Bitwarden is not some mom-and-pop project run by a single maintainer. They are a service provider with end users, contracts, and companies they support.
Android has no Google dependency. You might be confusing it with Google's flavor of Android that is stock on Pixels. Common misconception. AOSP has no Google services attached to it.
What? I don't think auditing pull requests on GitHub repos is the original goal of journalists. And again, there is a reason you receive “We have changed the terms of service” emails: because a company is supposed to be answerable to its users, not playing a game of hide and seek with them. Especially in a high-trust piece of software like a password manager.
Are you sure?
I understand, but I'm not sure whether including a dependency that isn't open-source but only source-available is a violation of open-source principles. For example, Mozilla includes a Google DRM plugin.
But I understand you are angry, especially if you are a paid customer.
My point was that tech journalists should (and some are doing a good job) check PRs for open-source projects, as it would allow them to talk about upcoming features, or possible bad changes like this one. The original goal of journalists is to dig into documents so people don't have to.
Maybe I underestimated their size.
Also, and I am a bit contradicting myself here, but we might see a race for profits here, as they have to make money for the 100 million dollars they raised: How Does Bitwarden Make Money? Analyzing Its Business Model (2024)
You must enable it manually within the browser, and only after you enable it are the required binaries downloaded and run. It's not included out of the box and isn't a dependency required for the browser to work.
Ah crud, this makes me concerned. I was just recommending Bitwarden to a friend yesterday too…
@jonah what is PGās take on all this?
Maybe I am misunderstanding something, but I don't understand why this is such a big deal from a security perspective. If the code remains source-available, and therefore auditable, nothing stops anyone from finding and reporting issues.
If the complaint is that a company is spending money developing code and others cannot use it for free anymore, then… well, I don't really care. Bitwarden has to make money, and if they paid for the code development I don't see any issue with them not giving it away for free.
For what it's worth, they still have this section on their website with a link to GitHub:
As an end user, I also do not understand why this is a big deal, even as a FOSS enthusiast. Are people afraid of a rug pull of the license? Why does this negatively affect you today?