2mo ago

Bitwarden Desktop version 2024.10.0 is no longer free software

github.com Desktop version 2024.10.0 is no longer free software · Issue #11611 · bitwarden/clients

Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause: Y...

Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:

You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.

This violates freedom 0.

It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.

Opensource @programming.dev

Desktop version 2024.10.0 is no longer free software · Issue #11611 · bitwarden/clients

github.com /bitwarden/clients/issues/11611

1 0

Linux @lemmy.ml

Desktop version 2024.10.0 is no longer free software · Issue #11611 · bitwarden/clients · GitHub

github.com /bitwarden/clients/issues/11611

234 18

Privacy @programming.dev

Desktop version 2024.10.0 is no longer free software · Issue #11611 · bitwarden/clients

github.com /bitwarden/clients/issues/11611

1 0

127 comments

There's a lot of drama in that Issue, and then, at the very end:
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
the SDK and the client are two separate programs
code for each program is in separate repositories
the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
- Um can someone translate what this means?
  
  They claim the SDK and Bitwarden are completely separate, so Bitwarden is still open source.
  The fact that the current version of Bitwarden doesn't work at all without the SDK is just a bug, which will be fixed Soon™
  
  They're trying to argue legal technicalities because acknowledging that they're trying to reduce compatibility with servers like vaultwarden would be bad PR.
  Per their new license, anyone that uses their SDK to build a client cannot say, "this is for Bitwarden and compatible servers like vaultwarden". They cannot support those other servers, per their license. Anyone that gets suckered into using their SDK now becomes a force against alternative implementations.
  
  The main program is open, but the development tools are not
- plan to resolve
  timeline unknown, maybe 2124
- There is always a very vocal minority itching to cause as much drama as possible. It's very discouraging to see in general. I agree with and want more FOSS, but I'm not sure I'd ever consider making it myself; it's not worth extra stress personally.

If this is not resolved I will likely switch to another service. Free software compatibility was the main reason I paid for bitwarden over its competitors.
- I will change for sure, as well. Let's see.
- What does this change for you?
  Seems to change nothing for all my devices which is a cheap offering at $10/year.
  
  The direction that the company is taking. Clearly that Bitwarden feels like other open source projects are diverting revenue from them.
  That's a small step towards enshittification. They close this part of the software, then another part until slowly it is closed source.
  We've seen this move over and over.
  Stopping your business with Bitwarden over that issue sends a message that many customers don't find this acceptable. If enough people stop using their service, they have a chance to backtrack. But even then, if they've done it once, they'll try it again.
  Your current price is 10$/year now. But the moment a company tries to cull any open source of their project is the moment they try to cash it in.
  
  How will anyone know what they add to the code now? That's the problem, and with our fucking passwords no less. They can fuck right off. In my environment alone they will be loosing upwards of 3,500 dollars yearly, 700,000 if I can convince my boss to dump them for the company as well.

Apparently and according to Bitwardens post here, this is a "packaging bug" and will be resolved.
Update: Bitwarden posted to X this evening to reaffirm that it's a "packaging bug" and that "Bitwarden remains committed to the open source licensing model."
Let's hope this is not just the PR compartment trying to make this look good.
- I think even if they do reverse course or it was a genuine mistake, it's easy to lose people's trust forever, ESPECIALLY when it comes to something sensitive like storing ALL of your passwords.

Ever since BitWarden got mired in capitalism, I've been dreading that something like this would happen.

Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
the SDK and the client are two separate programs
code for each program is in separate repositories
the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
I.e. "fuck you and your foss"
- Pretty much the opposite
  
  I doubt it. What'll probably happen is them moving more and more of the logic into the SDK (or adding the back-end of new features there), and leaving the original app to be more or less an agpl-licensed ui, while the actual logic becomes source-available. Soo, somewhat red-hat-esque vibes: no-no, we don't violate no stupid licenses, we just completely go against their spirit.

Nobody here talks about keepassxc ? I've been using it for almost a decade, it can be used with sync tools to be shared, I've managed to have db keepass file opened on several computers and it did work well. Gplv3 here https://keepassxc.org/
- Keepass isn't really in the same category of product as Bitwarden. The interesting part of bitwarden is that it's ran as a service.
- Bitwarden can't be compared to KeePassXC. Bitwarden is fundamentally built around a sync server, whereas KeePass is meant to exclusively operate locally. These are two very different fundamental concepts for, you know, how to actually store and access your passwords.
  
  Store your database in a nextcloud instance and it's that too
- I just switched over. Honestly, I like it even more than Bitwarden. Then again, I don't sync my stuff between devices because I'm old I guess. Lol. It makes it easier to switch because I don't have to deal with stuff like Syncthing.
- No Android app though?
  
  KeepassDX
  
  keepass2android

ITT: A lot of conspiracy theories without much (any?) evidence. Let's see if they resolve the dependency issue before wet get our pitchforks, shall we?
- I don't know what the heck you're talking about.
  I see overwhelming evidence that they have intentionally made parts of the clients' code proprietary. You can check the client code yourself (for now anyways) and convince yourself of the fact that the bw SDK code is in indeed integrated into the bitwarden clients' code base.
  This is the license text of the sdk-internal used in 2024.10.1 (0.1.3): https://github.com/bitwarden/sdk/blob/16a8496bfb62d78c9692a44515f63e73248e7aab/LICENSE
  You can read that license text to convince yourself of the fact that it is absolutely proprietary.
  Here is also the CTO and founder of Bitwarden admitting that they have done it and are also attempting to subvert the GPL in using sdk-internal:
  https://github.com/bitwarden/clients/issues/11611#issuecomment-2424865225
  Hi @brjsp, Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
  the SDK and the client are two separate programs
  code for each program is in separate repositories
  the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
  Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
  (Emphasis mine.)
  The fluff about the ability to even build the app is secondary, the primary issue is that the Bitwarden clients are no longer free software. That fact is irrefutable.
  
  That would be an issue if they were not open source. Them making their own SDK proprietary is not a pitchfork issue.
  Open source !== Non-proprietary
  I would go as far as to say that Bitwarden's main competitive advantage and differentiation is that it's open source. They would be insane to change that.
- Too late. Found a pitchfork sale in my local hardware store, so got a few for this and whatever fucking company does a rug pull next.

Damn, I just switched from Bitwarden to KeepPassXC.
Clearly just in time. Lol.
- I'll be there in a week or 2 bud. Fuck these companies baiting and then enshitifying it all.
- What mobile solution are you using in this scenario?
  
  I don't understand the question. Could you elaborate please?

A few questions out of ignorance. How different is this to gitlab's open core model? Is this a permanent change? Is the involvement of investors the root of this? Are we overreacting as it doesn't meet our strict definition of foss?
- How different is this to gitlab’s open core model?
  That's a really good question that I don't immediately have a satisfying answer to.
  There are some differences I can point out though:
  Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW's clients cannot even be compiled without the proprietary SDK anymore.
  Gitlab was always a permissive license (MIT) and never attempted to subvert its original license terms
  Gitlab-EE's "closed" core is actually quite open (go read the source code) but still squarely in the proprietary camp because it requires you to have a valid subscription to exercise your freedoms.
  Is this a permanent change?
  It'd be quite trivial for them to do in technical terms: Either license the SDK as GPL or stop using it in the clients.
  I don't see a reason for them to roll it back though. This was decided long ago and they explicitly decided to stray away from the status quo and make it closed source.
  The only thing I could see making them revert this would be public pressure. If they lose a sufficient amount of subscribers over this, that might make them reconsider. Honestly though by that time, the cat's out of the bag and all the public goodwill and trust is gone.
  It's honestly a bafflingly bad decision from even just a business perspective. I predict they'll lose at least 20% but likely 30-50% of their subscribers to this.
  Is the involvement of investors the root of this?
  I find that likely. If it stinks, it's usually something stinky's fault.
  Are we overreacting as it doesn’t meet our strict definition of foss?
  They are attempting to subvert one of the FOSS licenses held in the highest regard. You cannot really be much more anti than this.
  An "honest" switch to completely proprietary licenses with a public announcement months prior would have been easier to accept.
  
  Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW's clients cannot even be compiled without the proprietary SDK anymore.
  None of that makes Bitwarden not open source. Not only that, they specifically state this is a bug which will be addressed.
  I would go as far as to say that Bitwarden's main competitive advantage and differentiation is that it's open source. They would be insane to stop that.

Does anyone have experience with keyguard? From a cursory glance, this + vaultwarden seems like a good alternative...
- I have some! I use a self hosted vaultwarden and just two days ago I saw and installed KeyGuard out of curiosity. So far, I can say KeyGuard is a nicer looking and feeling app and... it works. So as long as their intentions are pure, you can use "bitwarden" without using any of their software or infrastructure.
  
  Just tried it, and it seems you can't edit or add items without a premium subscription??
  Or am I missing something?
  Edit: Apparently only when installing via the Play Store. Very weird decision.
- I just tried it out and I'm amazed. It looks and feels just like 1Password, my absolute favorite password manager (before I switched to Bitwarden, because 1Password is proprietary and pretty expensive)
  I definitely recommend it
- It definitely has a nicer design and blends in well with the rest of the system (at least on Android)
- License
  The source code is available for personal use only.
  That doesn't really seem like an improvement, although do they say they're planning on releasing it under the FSL.
  
  Ah damn it -.-
  Too bad, the app is really nice to use :/

Does this affect valtwarden?
- Yes because it is about, ultimately, making the major clients incompatible with vaultwarden on both a legal and technical level.
  A likely outcome if they don't reverse course is a split where FOSS Nerfs fork the clients and have to maintain their own versions. That's the outcome Bitwarden wants. This reeks of a bazinga, "how dare they benefit from our work and take our users", which is hilarious for a FOSS ecosystem that almost universally benefits corporations with free labor.
- Vaultwarden is only the server, no? So any clients that you use to access Vaultwarden are built and maintained by 8bit solutions a.k.a. Bitwarden, including the desktop client that is the subject of this post.

How would the community's reaction be if Bitwarden goes, "Look, we are moving more into the enterprise space, which means using proprietary software to service their needs. Our intention is to keep the enterprise and public versions sandboxed, but there is crossover, and we made a mistake."? I really don't care what they do in the enterprise space. Perhaps I'm an apologist, but seemingly more torn than most other posters.

Laughs in keepassxc

Dump it.
Move to something else.
This is how fuckery starts.

Fuck. Is it difficult to export my data to something like Keypass? Very disappointed to hear this.
- Bitwarden has an export functionality. Export to JSON, import in Keepass, done.
  There's KeePassXC if you want Linux support (keepass2 file is compat with XC variant).
  
  Thank you! It seems this whole thing was a misunderstanding however. It was an error on Bitwarden's part that they intend to correct. I may still switch to kepassxc later on, mostly to save the money.

Looks like I might be moving to Proton Pass after all! I'll give them some time to see what they do about this, but will happily give my money to someone else and migrate friends/family as well.
- I know little about Proton Pass, but how confident are you they don't also use a proprietary SDK with their open source apps?
  
  Their Android client is licensed under GPLv3
  
  Proton pass client doesn't currently use a proprietary SDK, but they also haven't made the same blunder as Bitwarden, which they've since fixed, but still not a good look.
  On another note - I did export/import all my passwords into proton pass and WOW the speed and UX feels so much better. I'm still sticking with Bitwarden as they've been really good so far, but there's a real good alternative should they ever "turn evil".

i was about to replace my glorified encrypted text file for a password manager. guess relying on 3rd parties in a late-stage capitalist world is not a viable alternative.
ill stay with my encrypted text file until they privatize encryption. by then ill probably be carving my passwords out on stone. or burning down the servers of these fucking pigs trying to make us identify ourselves for everything on the internet now.
- KeePassXC is pretty amazing. :)
  
  can u selfhost it?

Uh oh. Android user here. Time to jump ship? If so...proton??
- As with all of their services, the back-end is closed-source.
  For the purposes of user freedom, it's not that critical as the back-end merely facilitates the storage and synchronisation of encrypted data. This is different from the bitwarden case where they're now including freedom disrespecting code into the most critical part of their software: the clients which handle the unencrypted data.
  Fact of the matter remains however that Proton Pass restricts your freedom by not allowing you to self-host it.
  If you are fine with not being able to self-host, I'd say it's a good option though. Doubly so if you are already a customer of their other services.
  Proton has demonstrated time and time again to act for the benefit of its users in the past decade and I see no incentive for them to stop doing so. I'd estimate a low risk of enshittification for Proton which is high praise for a company of their size.

Okay, we'll I've been using vaultwarden. When should I switch to something new, and what's a good alternative?

@bitwarden bitwarden locked and limited conversation to collaborators
They also locked the thread 16 hours ago (as of writing this comment), with no explanation.
- The explanation is the second-to-last comment before it got locked. 🤦
  This hysteria is really stupid.
  
  That "explanation" is unsatisfactory and likely wrong: https://www.gnu.org/licenses/gpl-faq.html#MereAggregation
  So they either have to license their SDK under a GPLv3 compatible license, or switch the license of their client to a non-GPL one.
  Their "explaination" only mentions why they think can do it, but not why they are doing it.
  
  That's the technical explanation for the changes, no an explanation for closing the discussion all together.
- They banned me from reddit and then reported me with mods those fckers...

https://github.com/bitwarden/clients/issues/11611#issuecomment-2436287977
We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.
https://github.com/bitwarden/sdk-internal/commit/db648d7ea85878e9cce03283694d01d878481f6b
Thank you to Bitwarden for relicensing a thing to GPLv3 License!

pass is enough (+ xdotool + rofi + pass-menu). Synchronization via git or Syncthing.
- How does this play with mobile?
  
  as another option this KeePassXC(PC)+radicale+DAVx5 The same for KeepassDX
  
  There's an Android app, but it's not being developed any more https://github.com/android-password-store/Android-Password-Store
  There's an iOS app as well https://mssun.github.io/passforios/
  They have a list with all the clients and other tools on their website
  https://www.passwordstore.org/#other
  
  Integration with Android
  The GnuPG implementation for Android is called OpenKeychain. To configure it, just go to the "key management" menu and import the previously created secret key. The only drawback of OpenKeychain for me personally is that there is no fingerprint unlocking.
  The pass implementation for Android is called android-password-store, or simply APS.
  Install and launch APS. Before synchronizing the password store, go to the "Settings" menu. There we will need the following items:
  Git server settings. The resulting URL should be the same as that specified on the repository page on github. Authorization type - OpenKeychain.
  Git utils. In this section, specify the username and email from the gpg key.
  OpenPGP provider. Select OpenKeychain.
  Autofill.
  Now you can clone. Select "clone from server" on the main screen, specify the desired location of the repository, check the git settings.
  Of course, pass is not that easy to set up. However, this price buys confidence that the tools we use will not one day be declared obsolete, will not change their data format, and will not be left without support.
- I'm familiar with pass and familiar-ish with rofi. What do the other two do?
  
  A small script for entering passwords into various windows via rofi, I take passwords from pass.
  Example script:
  sh
  
  #!/bin/bash # Sample file rofi_pass.sh passwords=$(find /home/fireshell/.password-store/ -type f -name *.gpg) selected_pass=$(echo -e "$passwords" | awk -F "/" '{printf "%s > %s\n", $5, $6}' | rofi -dmenu -p Pass) item=$(echo "$selected_pass" | awk '{printf "%s/%s", $1, $3}' | sed 's/\.gpg//g') data=$(pass show $item) pass=$(echo -e "$data" | head -n1) login=$(echo -e "$data" | grep -e "^login: " | sed 's/^login: //g') xdotool type "$login" xdotool key Tab xdotool type "$pass"
  In awesome wm I bound a key that calls it like this:
  undefined
  
  awful.key({ modkey}, "p", function () awful.spawn.with_shell("/home/fireshell/Scripts/rofi_pass.sh") end , {description = "rofi pass", group = "launcher"}),
  I turn on the computer, press the key combination and the script works, or I run this script from the terminal (~/Scripts/rofi_pass.sh), select the password - it works (if necessary, pinentry is called to enter the main password), after that I press the key combination, select the desired entry
  passmenu: extremely useful and wonderful dmenu script.

I just exported my data from BitWarden and imported into ProtonPass. Was pretty easy. Hate the color palette of the app and browser extension though, lol.
- I can't imagine that's any more free than bitwarden?
  
  GPL'd clients. Everything is encrypted/decrypted on the client before sending/receiving to/from the server. I may later switch to a self-hosted solution, but don't want to set one up right now (was using BitWarden's cloud before).

We need a fully community run password manager with row-level server synchronisation between devices and shared vaults. Maybe a new client for the Bitwarden protocol with Vaultwarden or something new. E.g. 1password's secret key as a second factor is, imho, their best feature. It pretty much eliminates the possibility of the vault being decrypted due to a weak master password.

127 comments

Integration with Android