Let me guess, your solution is to go deep into Apple’s ecosystem?
@Lukas not this time… my solution is to … go with KeePass(X). Excellent product.
Then ask their support and tell us. If you have doubts, clarify them. Don’t use it as a banner.
That person never called you or the community stupid. You chose to put that word in their mouth.
Not sure how this is a rude thing to say. Especially when you immediately go on to characterize “BW community members” in a similarly unfashionable light.
There’s no need to get so defensive. Just discuss the facts of the matter, no need to cry name-calling or rudeness where it didn’t happen.
I’d argue this thread should be closed. No new discussion points are coming out of this thread, just seems to be bickering. I think it’s safe to say that Bitwarden remedied the immediate issue. Whether or not you wish to stick with them really seems to be a matter of personal opinions about FOSS.
In my opinion Bitwarden has expressly decided to
From this I think it’s reasonable to lose trust in Bitwarden and their relationship with open source. I think it’s also reasonable to be satisfied with their corrective steps and remain a customer / user while observing how they act moving forward.
None of this currently compromises the security of the software, in my opinion, at this time. So users can still safely use Bitwarden. It’s not proprietary, and currently not limited source available (for the most part) - and it seems their current communication says they will try to maintain a GPL compatible build always and will fix it if the build fails. But if strict FOSS matters and you are feeling nervous as a Bitwarden user, others have mentioned some FOSS community driven alternatives like KeePass which might be good to look into.
Yes, except that you are making assumptions, officially it is a bug and a misinterpretation of the community, there is no loss of confidence to have, nothing changes, they have clarified very quickly the situation, without tongue in cheek.
This is a helpful narrative here …
Perhaps it is wishful thinking that the whole Open Source model can sustain itself and progress as is pointed out here …
Agree.
I was just thinking the same thing, just stick with Bitwarden or choose something different.
Yes, life can be that simple, in a broader perspective.
I mean, it’s not like there is one password manager, one woman, one job, etc.
A post was split to a new topic: Password manager (aside from Bitwarden) compatible with SimpleLogin API?
Sorry, may I ask what you mean by “sharing passwords”?
I’m trying to understand this vulnerability and how it may affect Proton Drive and Pass.
KeepassX has been unmaintained for nearly three years, so you should move to KeepassXC if you’re considering proceeding with that route.
Except it’s not E2EE anymore if you’re sharing, genius.
If you have a file on Proton Drive, Tresorit, Mega, etc, and you create a sharing link without password, you’re basically sending the decrypted file to server. Forget E2E, it’s not even E anymore.
Well, password managers often allow you to share passwords, or even whole vaults, with family members. So you and your wife/husband/kids/etc don’t have to create multiple Netflix entries, one in each person’s password manager.
If you’re sharing a file with a password (from a file hosting cloud such as Proton Drive, Tresorit, Mega, etc) it may just reencrypt using a new private key, so I guess you can still keep it E2EE.
If you’re sharing between accounts, as password managers do, you need a way to communicate keys between accounts, which seemingly involves some server mediation (see the link I posted, that’s exactly the issue they found with Tresorit). That’s why having an open-source app only doesn’t suffice for when there’s sharing involved, ideally you’ll want the server code to be open source as well.
Ah, I see what you mean.
Well, from Proton’s website:
If you’re the vault administrator, you can share your vault key and Proton Pass will encrypt it with your recipient’s address key, ensuring only they can access it.
After your intended recipient receives your encrypted vault key, they will validate its signature using your address key. This step verifies that the invitation legitimately came from you. Once the signature has been validated, Proton Pass will encrypt the vault key using your recipient’s user key and store it securely.
However, I do understand what you mean; there is no way to actually verify it’s doing what it says because the backend is not open source.
That’s interesting. It might actually be possible for it all to be done in the clients by that description. It would be cool if someone could go through the code and pay special attention to that part.
I’m pretty sure that’s not how it works. The file is still encrypted on the server. But the sharing link you create contains a key to decrypt the file. As long as you share the link in a secure manner then nothing is exposed.
I believe that’s what security audits are for, which Proton Pass has had.
Tell PG to drop all their “open source” requirement for recommendations, then, since audits are all we need.