Bitwarden going proprietary?

Makes no sense. If I don't care about a proprietary backend, why would I not just use Bitwarden?

2 Likes

They built themselves up as the open-source password manager. It's what people know them as. Even after this change people will still believe that. Worst of all, it seems they would have stayed quiet if it wasn't brought up; that's a problem.

You can’t just build up a reputation, then discard it once you’ve grown big enough and expect people to not get upset with you.

6 Likes

Nope, SDK has been proprietary for a while now.

If you want FOSS, use KeePass or one of the forks. If you don't mind proprietary stuff, Bitwarden is still pretty good.

2 Likes

Finally. Exactly the core issue. You can't have your cake and eat it too. If you sell yourself as FOSS and fully self-hostable, you can't sneak in proprietary bits without informing users lol.

So yeah, for anyone reading: Bitwarden should not be used because they broke user trust by not following due process. Unless of course, you like supporting companies fucking their users over.

The reason for not using them is not because they are any less secure, or any worse off for most users, but lack of user buy-in. If they can sneak in this, what else can they push once the VC hands start squeezing their necks? (And again, having VC backing or restrictive licenses is not inherently bad. But shitting the bed when it comes to user buy-in and awareness is the issue.)

4 Likes

I guess Bitwarden would have more money if it wasn’t sponsoring podcasts left and right like Nord VPN and Raid Shadow Legends do.

I feel torn about this. On one hand, I want BW to have a successful business model and on the other hand this seems like fuck*ng the self-hosting crowd. And a lot of Linux people are into self-hosting.

I got tired of managing my KeePass *.kdbx backups and want to have a cloud-based password manager for my sanity. I hesitate to go to Proton Pass to avoid the all-eggs-in-one-basket kind of situation, but it seems like there is no avoiding it, as BW seems to operate in a bad-faith sort of way, betraying its FOSS spirit.

By many people? Self-hosting a password manager is wild; you really need to know how to do it properly, how to keep it secure, and then maintain it instead of leaving it to dedicated professionals.

Self-hosting Bitwarden is niche and kind of advanced; not many people are doing it, and not many people should.

2 Likes

Proton has stated from the start that they will not open source their backend code for any of its services because their services aren't self-hostable and there is a lot of anti-abuse logic that would get exposed.

Meanwhile, Bitwarden was always open source, and now they’re just doing a rug pull, and it makes me sad to see people defending this move. Sigh.

1 Like

Both 1Password and Bitwarden are running on massive amounts of VC funding, one is proprietary, and the other is going in that direction.

Meanwhile, Proton has zero VC money, has a sustainable business model, and turned itself into a non-profit to keep users' trust, which Bitwarden just threw away by doing this rug pull.

I will let you choose which company has your best interests in mind.

Notesnook made this blog post a while ago: It's time to leave Bitwarden

A lot of people called it FUD, but now we can all see the consequences of VC funding.

5 Likes

Living the good life in keepass land :sunrise::sunglasses:

It's sad; Bitwarden was an easy recommendation to non-tech people.

1 Like

Have you seen Tresorit’s vulnerability?

  • Tresorit's public key authentication relies on server-controlled certificates, which attackers can replace to access shared files. Metadata is also vulnerable to tampering, allowing attackers to alter file creation details and mislead users.
    From BleepingComputer: "Severe flaws in E2EE cloud storage platforms used by millions"

E2EE doesn't really suffice if you're sharing passwords. Then you're also relying on the server's security.

The original goal of journalists was to report on things that were happening publicly. Digging into documents was a great way to get thrown in jail/die back when people ruled by divine right.

E2EE doesn't rely on server security. It's about client-side encryption. Even if the server is malicious, proper E2EE won't be affected.

1 Like

Proton had 2 rounds of VC money. What I have not heard about and did not find in searching is either how they removed the VC investment, or how they got them to go along with the non-profit idea.

2 Likes

The whole USP of Bitwarden is that it has a FOSS client and server and is self-hostable.

Depends on one’s priorities. As someone who wants to use software that is public and available on request, it checks that box. Can’t do that with Proton Pass.

However, I am under no false pretense that they are providing source code because of the community and they love FOSS. Rather, it's a selling point for security-critical software. I will never expect a company to maintain FOSS standards, as they will utilize it insofar as it gives them profits. FOSS and capitalism pretty much grind gears. Given this, Bitwarden has at least sectioned off their poisoned code from proper GPL / AGPL code, instead of doing an entire bait-and-switch via SSPL like Elasticsearch or Redis. If that happens, I'll probably consider switching then and sending them many colorful emails (I've already sent them an email on this situation). Currently, they've done a partial rug pull, where we have less, but not nothing.

My options are to stick with Bitwarden, or jump to a proprietary Proton Pass. I have no intention of using a local-only password manager either. This news has not changed my initial position.

3+ years since they bought back + transferred the shares to the Swiss Innovation non-profit: Proton news and updates | Proton

There is no VC money in Proton as of 2021. The only other major stakeholder in Proton AG (other than Proton Foundation) is the Swiss Innovation Non-profit (which provides funding for innovative ideas headquartered in Switzerland). This is similar to the funding model for Tor (US govt. funded), Tuta (German govt. funded), Linux (US govt. funded), etc.

It is the same situation. Frontend clients are open source under MIT for Redis too, with the backend being source-available. There is literally no difference. Look here: Redis · GitHub

From my point of view, I agree that it doesn’t alter the features offered, but it opens a door that was previously closed. This precedent creates uncertainty, suggesting that at any given point, things can take a turn for the worse and become unbearable. Right now, it’s a warning, but the question remains: are you willing to take that risk?

4 Likes

Bitwarden did respond to this on X/Twitter as well.

It seems like a packaging bug was misunderstood as something more, and the team plans to resolve it. Bitwarden remains committed to the open source licensing model in place for years, along with retaining a fully featured free version for individual users.

Disregarding others and only caring about your own needs is the literal definition of selfish lol.

You are thinking of the wrong type of “free”.

1 Like

Perfect timing, I just expressed opinions on this. If it is confirmed that they are not changing their license model, we should in the future be more cautious about assuming positions. I'm not sure if they stepped back after getting caught. Not sure why they didn't respond on GitHub.

Not really, read what I write and don't interpret, so again:

It means I take responsibility for my, and only my, actions (and no actions). So in this case, if you (and others) don't want to use BW because of this, go ahead. So far I don't see a problem, so I'll keep using it. Clearer now?

1 Like