[-] Snowpix@lemmy.ca 80 points 16 hours ago
[-] john117@lemmy.jmsquared.net 17 points 13 hours ago

oh thank god

[-] WhyJiffie@sh.itjust.works 2 points 9 hours ago

The community's reaction is a bit funny if this was an honest mistake

[-] KingThrillgore@lemmy.ml 5 points 10 hours ago

I'm going to keep using Bitwarden because KeepassXC sucks, but not as a paying user. Once this package inclusion is removed, if it is removed, I'll pay again.

[-] vrighter@discuss.tchncs.de 1 points 5 hours ago

what sucks about keepassxc?

[-] ayyy@sh.itjust.works 65 points 17 hours ago* (last edited 15 hours ago)

600 upvotes and only 10 downvotes on literal fake news. I wish readers were less lazy, it’s very frustrating.

Edit: made my statement a bit less toxic. I was mad.

[-] ammonium@lemmy.world 5 points 10 hours ago

How is it fake news? They are moving functionality into a proprietary SDK and have a whole framework ready to get around the GPL.

[-] octopus_ink@lemmy.ml 8 points 16 hours ago

No one is listening I'm sorry to say. I corrected a couple people but then realized it was pointless. The discussions in the crossposted communities (which - holy shit I don't think I've seen something so thoroughly spammed across multiple tech communities before) are just as bad or worse.

[-] gwen@lemmy.dbzer0.com 39 points 17 hours ago

can we start reading the articles and not just the headlines??? it literally says it's a packaging bug

[-] cmrn@lemmy.world 9 points 15 hours ago

…in the update that came out after this article was posted and the discussion took place.

[-] 486@lemmy.world 3 points 12 hours ago

It is really not just a packaging bug. If you read that comment of the Bitwarden person a little further, you'll notice that he's talking about that proprietary "SDK" library that they are integrating with their clients. Even if they manage to not actually link it directly with the client, but rather let the client talk to that library via some protocol - it doesn't make the situation any better. The client won't work without their proprietary "SDK", no matter if they remove the build-time dependency or not.

[-] Highsight@lemmy.world 2 points 5 hours ago

When I read this this morning, I had concerns, but then I did some research. The SDK's source is fully available for all to look at and compile. The main issue that people bring up is the license that states:

3.3 You may not use this SDK to develop applications for use with software other
than Bitwarden (including non-compatible implementations of Bitwarden) or to
develop another SDK.

This part seems to be what most people take issue with, as it makes the sdk no longer modifiable, yet a requirement of the core source itself. The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.

From a security standpoint, since the SDK is source available, it can be audited by anyone still (and compiled) so personally, I'm fine with this.

[-] 486@lemmy.world 1 points 1 hour ago

> The head of BitWarden has come out and stated the SDK being required to compile BitWarden was a mistake, however, and if this proves to be true (which I have no reason to doubt) then I see no reason why any of this is an issue.

I don't see why this should make any difference at all. Sure, I get why he is saying they are going to fix it - he thinks that this gets them in compliance with the GPLv3. But from a practical point of view there is no difference at all. The software is useless without that SDK part. Even if it does indeed get them in the clear from a legal point of view (which I am not convinced that it actually does), it is still a crappy situation.

I think it would look way less shady if they said they are going fully source-available and not pretend that they are keeping the client open source. I would still dislike that, of course. At least that wouldn't have eroded the trust in them as much as it did for me.

[-] sugar_in_your_tea@sh.itjust.works 5 points 16 hours ago

In general, if it's Phoronix, I assume the headline is a bit more exaggerated. They put out pretty good content, but they also put out a lot of content, so the editing can be a little lacking IMO.

[-] mli@lemm.ee 37 points 19 hours ago

Update: Bitwarden posted to X this evening to reaffirm that it's a "packaging bug" and that "Bitwarden remains committed to the open source licensing model."

According to Bitwarden's post here, this is a "packaging bug" and will be resolved.

[-] ealoe@ani.social 13 points 17 hours ago

Some guy at bitwarden clicks a button wrong on a license drop-down option and all these people crawl out of the woodwork to declare the end of bitwarden being trustworthy. Nothing in the article or the company's statements indicates an actual move away from open source. Big nothingburger

[-] 486@lemmy.world 5 points 11 hours ago

Maybe you want to read the comment by kspearrin in that Github issue again. They are clearly moving away from open source. He explicitly states that they are in the process of moving more code to their proprietary "SDK" library.

[-] No_Support_8363@lemm.ee 1 points 11 hours ago

That's not good :(

[-] magnus@lemmy.ahall.se 35 points 23 hours ago

Daniel García, owner of the Vaultwarden repo, has recently taken employment for Bitwarden.

The plot thickens.

[-] sugar_in_your_tea@sh.itjust.works 6 points 16 hours ago

Honestly, if he can replace the current Bitwarden BE w/ Vaultwarden, that would be awesome! The last time I looked at the Bitwarden self-hostable BE, it was super heavy, which is the entire reason I was interested in Vaultwarden.

[-] ArkyonVeil@lemmy.dbzer0.com 15 points 20 hours ago

I wonder~ I wonder~ I wonder whyyyy...

[-] fuckingkangaroos@lemm.ee 1 points 10 hours ago

I don't understand.

Are you saying it's a bait and switch like Google, where they suck people in with a good product then enshittify it once they're hooked?

[-] ArkyonVeil@lemmy.dbzer0.com 2 points 10 hours ago

I'm not thoroughly aware of their dealings, but these amounts of private investment aren't going to pay for themselves. If you raise 100 million, investors typically want a billion back, or more.

From the looks of it, Bitwarden might've tried to go with the Open Source model to get free development resources, trust (because it's an open source PASSWORD manager), and general goodwill. But now that they've deemed that they've got enough of a market share (or investors are starting to breathe down their necks), it's time to start raising the walled garden.

Even if they claim after the fact that it was a "Bug" that the client couldn't be built without their proprietary sdk. The very fact one exists is a bad enough sign, especially when its influence is spreading.

VC is a devil's bargain. Raising VC money is NEVER a good sign.

this post was submitted on 20 Oct 2024
606 points (87.7% liked)