Require Open Source for Password Managers

Feels like this discussion should be tabled until people can agree on what they even mean by open source, which should probably be its own thread.

I know PG has its own definition but I have seen others throw out their preferred definition as well.

This whole thing feels a bit ambiguous, with no clear benefit other than people like open source stuff more than closed source.

2 Likes

PG already has an agreed-upon definition of open-source. Given that many other categories already require open-source (not source available and the like), I think it makes the most sense to stick with that definition throughout the site.

4 Likes

I understand that, but I have seen people mention this should be source first or source available instead. The thread was created over a year ago; it's unclear to me if the intent was to even use open source as defined by PG when it was created, considering that the definition PG decided upon looks to have been finalized around Aug 2023 (based on the dates in the thread) and this thread was made in April 2023.

EDIT: apparently PG has no agreed-upon definition of open source, which makes this criteria even more ambiguous.

  1. Users should be able to see the code.
  2. Users should be able to build the app using the public source code.
  3. Users should be able to modify and distribute their forks for non-commercial purposes.

It should only apply to clients, but we could have a best-case criteria that also applies to servers.

I think from a pure privacy perspective source-availability should be sufficient.

Why YubiKeys aren't open-source:

Why 1Password isn't open-source:

Open source is better. With a source available model, people won't be as incentivized to look at the code since they can't use it for their own purposes, while it's the opposite with open source, e.g. vaultwarden devs probably monitor a lot of changes in the bitwarden code. It will have more eyes looking at its changes this way.

1 Like

The thing is that we actually do not. We list open source as a requirement for a few things, but we have never exactly established what that means.

This is because Open source means a lot of different things for a lot of different people, which is what that discussion is for.

In any case, it looks like we will be following the OSI model, but it has not been decided yet.

At the time your post here said “Our definition of Open-source follows the OSI definition” but I see that pull request was recently closed.

If the project wants to evaluate whether the open-source criterion should be changed to source-available, that is one thing, but it makes little sense to change the agreed-upon definition of open-source (not to mention the confusion it would cause). Even projects like FUTO accept the OSI definition of open-source and instead market themselves as source-available or source-first.

1 Like

Again, we never had a defined definition, which is what that thread is for. It came to light because of running issues with existing YouTube clients in comparison to GrayJay.

And as an added note, nothing is official until it's live on the site. :slight_smile:

I was only referring to the same topic that you originally linked. While I admit I was incorrect in saying that PG already had an agreed-upon definition of open-source, in practice, the OSI definition has been the de facto definition.

Regardless, open-source is a word and PG is not a dictionary; the OSI definition is already widely recognised. If PG wants to abandon requiring open-source in favour of source-availability, that is a different question entirely.

2 Likes

I don't think it's a great precedent to just claim something is de facto to sidestep a conversation you'd rather not have, in a rush to create a criteria with no clear benefit. If you want the OSI definition to be the definition PG uses as its standard, get it approved.

Otherwise, there should be a discussion and agreement on what is meant by open source (if that's the term people even want to use) in terms of this criteria before it's even considered to move forward.

Well let's just mini analyze the current case for the recommended password managers that are not open source and are on the list.

1Password
The product, even as an online closed source password manager, has endured in time. But it is and will probably always be an online closed source password manager. By that definition alone, nobody will be surprised if something like what happened to LastPass also happens to 1Password.
There are plenty of online open source alternatives with good reputation already, like Proton Pass and Bitwarden, so keeping 1Password listed no longer makes sense.

Strongbox
That's a one-man freemium project whose source isn't available to build the app, even if some parts are posted on their GitHub page.
That alone should mark the project as shady.
The only reason it is listed is because of the iOS + macOS support, compared to the real open source iOS password manager KeePassium, which also lately got audited by Cure53 but doesn't have macOS support.
Though, they both use the KeePass protocol, which is cross-platform, so it makes no sense to list an inferior password manager. (KeePassium with KeePassXC for the iOS-macOS combo is more than enough, for example.)

Lastly, the talk of diverting the topic to also requiring open source for hardware keys, and to what the real meaning of open source is, is just whatever.
Hardware keys are already in another section of the guide; they can have their own criteria as long as there are not enough options at the moment.
And trying to solve the meaning of open source in this thread, just to keep a paid online closed source password manager and a shady freemium password manager on the recommendation list, is just absurd.

4 Likes

People keep repeating this as if this is needed. PG has a definition, otherwise it wouldn't be able to recommend “open source” as the minimum criteria for notebooks. You cannot have a requirement without knowing its definition. Feel free to start a new discussion if you feel PG's implicit definition does not suit you. PG knows what Open Source means, but maybe folks don't want to accept there is an implicit definition.

There are multiple benefits, not least continuity for users if the company ever shuts down. It also prevents the company from using shitty encryption code (Bitwarden had to raise their KDF rotations because someone saw the code and knew it was bad), it prevents the company from adding malicious client code to releases, it allows people to understand the architecture and verify fundamental mistakes in DB orgs that can reveal users (as did happen for Firefox VPN), etc.

There may be no clear benefits apparent to folks mired in the ecosystem or who can't see the benefits, but it does not imply there aren't any.

There are too many suppositions and circular arguments in the thread. Either PG should know what the open source requirement is, or remove it from everything else and let people recommend their choices for everything, irrespective of the license.

I also don't know what the arguments against making it a requirement are. Quantum computers aren't here, yet we are moving everything to PQE. The idea is to cover your ass. It is to always have the best possible, practical requirements, and password managers now have practical, possible, good quality options.

I honestly think people should be clarifying what their arguments against adding the open source requirement are. The benefits of the requirement are well documented, and endorsed by people far more credentialed providing very long writeups, seminars, etc. Anyone unaware should feel free to read them.

So the question is: Why not the open source requirement for password managers?

2 Likes

As I have repeated above, PG, as in the Team, has not made a clear decision yet on what definition we will follow; this is why that thread was created. Currently it is too vague, which is the problem we are now trying to fix.

1 Like

No, that would be a thread labelled “Explicitly defining open source for PG” or “Changing PG's definition of open source” or similar.

This thread is just asking for extension of the current requirement for open source to password managers. That would mean only 2 logical ends:

  1. Password managers also have the current definition of open source as used with other tools extended to them or not as decided in this thread, or
  2. Open source as a requirement is removed everywhere till the definition is found. Then this thread is paused till open source is defined. But it would also mean people are free to push for closed source solutions while the definition is decided.

3 Likes

I know that this thread and that thread have different purposes. It's why that thread has to be complete before this one, in my opinion, as we already have an issue with requiring open source when we have never defined what that means in the first place, which is problematic.

1 Like

I could find no such thread discussing PG's definition of open source; could you please link it here? I might have missed it :frowning: But I am still not sure why, if the definition is unclear, it is still a requirement in some sections. Logical consistency would say it's not a requirement till PG defines it, right? Then it would mean removing it everywhere.

1 Like

Interesting to censor the previous post. Anyway, thanks lukas for sharing the link. I'll move my other questions to that thread.