PG already has an agreed-upon definition of open-source. Given that many other categories already require open-source (not source available and the like), I think it makes the most sense to stick with that definition throughout the site.
I understand that, but I have seen people mention this should be source first or source available instead. The thread was created over a year ago; it's unclear to me if the intent was to even use open source as defined by PG when it was created, considering that the definition PG decided upon looks to have been finalized around Aug 2023 (based on the dates in the thread) and this thread was made in April 2023.
EDIT: apparently PG has no agreed-upon definition of open source, which makes this criterion even more ambiguous.
Open source is better. With a source available model, people won't be as incentivized to look at the code since they can't use it for their own purposes, while it's the opposite with open source, e.g. vaultwarden devs probably monitor a lot of changes in the bitwarden code. It will have more eyes looking at its changes this way.
At the time your post here said "Our definition of Open-source follows the OSI definition" but I see that pull request was recently closed.
If the project wants to evaluate whether the open-source criterion should be changed to source-available, that is one thing, but it makes little sense to change the agreed-upon definition of open-source (not to mention the confusion it would cause). Even projects like FUTO accept the OSI definition of open-source and instead market themselves as source-available or source-first.
Again, we never had a defined definition, which is what that thread is for. It came to light because of running issues with existing YouTube clients in comparison to GrayJay.
And as an added note, nothing is official until it's live on the site.
I was only referring to the same topic that you originally linked. While I admit I was incorrect in saying that PG already had an agreed-upon definition of open-source, in practice, the OSI definition has been the de facto definition.
Regardless, open-source is a word and PG is not a dictionary; the OSI definition is already widely recognised. If PG wants to abandon requiring open-source in favour of source-availability, that is a different question entirely.
I don't think it's a great precedent to just claim something is de facto to sidestep a conversation you'd rather not have, in a rush to create a criterion with no clear benefit. If you want the OSI definition to be the definition PG uses as its standard, get it approved.
Otherwise, there should be a discussion and agreement on what is meant by open source (if that's the term people even want to use) in terms of this criterion before it's even considered to move forward.
Well, let's just mini-analyze the current case for the recommended password managers that are not open source and are on the list.
1Password
The product, even as an online closed source password manager, has endured in time. But it is and will probably always be an online closed source password manager. By that definition alone, nobody will be surprised if something like what happened to LastPass also happens to 1Password.
There are plenty of online open source alternatives with good reputations already, like Proton Pass and Bitwarden, so keeping 1Password listed no longer makes sense.
Strongbox
That's a one-man freemium project whose source isn't available to build the app, even if some parts are posted on their GitHub page.
That alone should mark the project as shady.
The only reason it is listed is because of the iOS + macOS support, compared to the real open source iOS password manager KeePassium, which also lately got audited by Cure53 but doesn't have macOS support.
Though they both use the KeePass protocol, which is cross-platform, so it makes no sense to list an inferior password manager. (KeePassium with KeePassXC for the iOS-macOS combo is more than enough, for example.)
Lastly, the talk about diverting the topic to also requiring open source for hardware keys, and what the real meaning of open source is, is just whatever.
Hardware keys are already in another section of the guide, they can have their own criteria as long as there are not enough options at the moment.
And trying to solve in this thread the meaning of open source, just to keep a paid online closed source password manager and a shady freemium password manager on the recommendation list is just absurd.
People keep repeating this as if this is needed. PG has a definition, otherwise it wouldn't be able to recommend "open source" as the minimum criterion for notebooks. You cannot have a requirement without knowing its definition. Feel free to start a new discussion if you feel PG's implicit definition does not suit you. PG knows what Open Source means, but maybe folks don't want to accept there is an implicit definition.
There are multiple benefits, least of all continuity for users if the company ever shuts down. It also prevents the company from using shitty encryption code (Bitwarden had to raise their KDF rotations because someone saw the code and knew it was bad), it prevents the company from adding malicious client code to releases, it allows people to understand the architecture and verify fundamental mistakes in DB orgs that can reveal users (as did happen for Firefox VPN), etc.
There may be no clear benefits apparent to folks mired in the ecosystem or who can't see the benefits, but it does not imply there aren't any.
There are too many suppositions and circular arguments in the thread. Either PG should know what the open source requirement is, or remove it from everything else and let people recommend their choices for everything, irrespective of the license.
I also don't know what the arguments against making it a requirement are. Quantum computers aren't here, yet we are moving everything to PQE. The idea is to cover your ass. It is to always have the best possible, practical requirements, and password managers now have practical, possible, good quality options.
I honestly think people should be clarifying what their arguments against adding the open source requirement are. The benefits of the requirement are well documented, and endorsed by people far more credentialed providing very long writeups, seminars, etc. Anyone unaware should feel free to read them.
So the question is: Why not the open source requirement for password managers?
As I have repeated above, PG, as in the Team, has not made a clear decision yet on what definition we will follow; this is why that thread was created. Currently it is too vague, which is the problem we are now trying to fix.
No, that would be a thread labelled "Explicitly defining open source for PG" or "Changing PG's definition of open source" or similar.
This thread is just asking for extension of the current requirement for open source to password managers. That would mean only 2 logical ends:
Password managers also have the current definition of open source as used with other tools extended to them or not as decided in this thread, or
Open source as a requirement is removed everywhere till the definition is found. Then this thread is paused till open source is defined. But it would also mean people are free to push for closed source solutions while the definition is decided.
I know that this thread and that thread have different purposes. It's why that thread has to be complete before this one, in my opinion, as we already have an issue with requiring open source when we have never defined what that means in the first place, which is problematic.
I could find no such thread discussing PG's definition of open source; could you please link it here? I might have missed it. But I am still not sure why, if the definition is unclear, it is still a requirement in some sections. Logical consistency would say it's not a requirement till PG defines it, right? Then it would mean removing it everywhere.