Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:

You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.

This violates freedom 0.

It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.

top 50 comments

sorted by: hot top controversial new old

[–] preasket@lemy.lol 1 points 4 hours ago

We need a fully community run password manager with row-level server synchronisation between devices and shared vaults. Maybe a new client for the Bitwarden protocol with Vaultwarden or something new. E.g. 1password's secret key as a second factor is, imho, their best feature. It pretty much eliminates the possibility of the vault being decrypted due to a weak master password.

[–] mli@lemm.ee 42 points 16 hours ago* (last edited 16 hours ago) (1 children)

Apparently and according to Bitwardens post here, this is a "packaging bug" and will be resolved.

Update: Bitwarden posted to X this evening to reaffirm that it's a "packaging bug" and that "Bitwarden remains committed to the open source licensing model."

Let's hope this is not just the PR compartment trying to make this look good.

[–] ipkpjersi@lemmy.ml 7 points 6 hours ago

I think even if they do reverse course or it was a genuine mistake, it's easy to lose people's trust forever, ESPECIALLY when it comes to something sensitive like storing ALL of your passwords.

[–] wuphysics87@lemmy.ml 13 points 15 hours ago

How would the community's reaction be if Bitwarden goes, "Look, we are moving more into the enterprise space, which means using proprietary software to service their needs. Our intention is to keep the enterprise and public versions sandboxed, but there is crossover, and we made a mistake."? I really don't care what they do in the enterprise space. Perhaps I'm an apologist, but seemingly more torn than most other posters.

[–] zanyllama52@infosec.pub 10 points 15 hours ago

Laughs in keepassxc

[–] vordalack@lemm.ee 9 points 18 hours ago

Dumb it.

Move to something else.

This is how fuckery starts.

[–] daggermoon@lemmy.world 10 points 22 hours ago (1 children)

Fuck. Is it difficult to export my data to something like Keypass? Very disappointed to hear this.

[–] NostraDavid@programming.dev 2 points 11 hours ago* (last edited 11 hours ago)

Bitwarden has an export functionality. Export to JSON, import in Keepass, done.

There's KeePassXC if you want Linux support (keepass2 file is compat with XC variant).

[–] smiletolerantly@awful.systems 15 points 1 day ago (5 children)

Does anyone have experience with keyguard? From a cursory glance, this + vaultwarden seems like a good alternative...

[–] midnightblue@lemmy.ca 4 points 18 hours ago

I just tried it out and I'm amazed. It looks and feels just like 1Password, my absolute favorite password manager (before I switched to Bitwarden, because 1Password is proprietary and pretty expensive)

I definitely recommend it

[–] bilb@lem.monster 8 points 1 day ago (5 children)

I have some! I use a self hosted vaultwarden and just two days ago I saw and installed KeyGuard out of curiosity. So far, I can say KeyGuard is a nicer looking and feeling app and... it works. So as long as their intentions are pure, you can use "bitwarden" without using any of their software or infrastructure.

load more comments (5 replies)

load more comments (3 replies)

[–] Lemmchen@feddit.org 33 points 1 day ago* (last edited 19 hours ago) (2 children)

ITT: A lot of conspiracy theories without much (any?) evidence. Let's see if they resolve the dependency issue before wet get our pitchforks, shall we?

[–] Atemu@lemmy.ml 20 points 1 day ago* (last edited 1 day ago) (1 children)

I don't know what the heck you're talking about.

I see overwhelming evidence that they have intentionally made parts of the clients' code proprietary. You can check the client code yourself (for now anyways) and convince yourself of the fact that the bw SDK code is in indeed integrated into the bitwarden clients' code base.

This is the license text of the sdk-internal used in 2024.10.1 (0.1.3): https://github.com/bitwarden/sdk/blob/16a8496bfb62d78c9692a44515f63e73248e7aab/LICENSE

You can read that license text to convince yourself of the fact that it is absolutely proprietary.

Here is also the CTO and founder of Bitwarden admitting that they have done it and are also attempting to subvert the GPL in using sdk-internal:

https://github.com/bitwarden/clients/issues/11611#issuecomment-2424865225

Hi @brjsp, Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

the SDK and the client are two separate programs

code for each program is in separate repositories

the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

(Emphasis mine.)

The fluff about the ability to even build the app is secondary, the primary issue is that the Bitwarden clients are no longer free software. That fact is irrefutable.

[–] asap@lemmy.world 6 points 1 day ago* (last edited 23 hours ago) (1 children)

That would be an issue if they were not open source. Them making their own SDK proprietary is not a pitchfork issue.

Open source !== Non-proprietary

I would go as far as to say that Bitwarden's main competitive advantage and differentiation is that it's open source. They would be insane to change that.

[–] cmhe@lemmy.world 7 points 21 hours ago (4 children)

Well, then it would be nice to hear from them an explanation on why they decided to violate the GPLv3 on their client, by coupling it with proprietary code in a way that disallows building and/or usage without that proprietary component.

They would be insane to change that.

Yes. And i hope that they recover from it soon.

load more comments (4 replies)

load more comments (1 replies)

[–] 31337@sh.itjust.works 2 points 17 hours ago (1 children)

I just exported my data from BitWarden and imported into ProtonPass. Was pretty easy. Hate the color palette of the app and browser extension though, lol.

[–] samc@feddit.uk 12 points 17 hours ago (1 children)

I can't imagine that's any more free than bitwarden?

[–] 31337@sh.itjust.works 3 points 16 hours ago

GPL'd clients. Everything is encrypted/decrypted on the client before sending/receiving to/from the server. I may later switch to a self-hosted solution, but don't want to set one up right now (was using BitWarden's cloud before).

[–] rozlav@lemmy.blahaj.zone 39 points 1 day ago (10 children)

Nobody here talks about keepassxc ? I've been using it for almost a decade, it can be used with sync tools to be shared, I've managed to have db keepass file opened on several computers and it did work well. Gplv3 here https://keepassxc.org/

[–] Atemu@lemmy.ml 18 points 1 day ago

Keepass isn't really in the same category of product as Bitwarden. The interesting part of bitwarden is that it's ran as a service.

[–] unrushed233@lemmings.world 15 points 1 day ago (1 children)

Bitwarden can't be compared to KeePassXC. Bitwarden is fundamentally built around a sync server, whereas KeePass is meant to exclusively operate locally. These are two very different fundamental concepts for, you know, how to actually store and access your passwords.

[–] Hexarei@programming.dev 0 points 12 hours ago (1 children)

Store your database in a nextcloud instance and it's that too

[–] unrushed233@lemmings.world 1 points 6 hours ago (1 children)

Nope. Since the entire database is contained in a single file, it can't sync multiple edits properly, leading to sync conflicts. Because KeePass was built around local database files, whereas Bitwarden uses actual synced databases, where individual updates can be uploaded, instead of causing conflicts or overwriting the entire db.

[–] Hexarei@programming.dev 1 points 4 hours ago

Conflicts haven't been an issue for years, all modern iterations of KeePass (XC, kp2a, DX) support automatically merging in the latest before saving.

I've been using it for years this way across several devices, it's incredibly solid

load more comments (8 replies)

[–] twirl7303@lemmy.world 50 points 1 day ago (9 children)

If this is not resolved I will likely switch to another service. Free software compatibility was the main reason I paid for bitwarden over its competitors.

load more comments (9 replies)

[–] andrew_s@piefed.social 127 points 1 day ago* (last edited 1 day ago) (16 children)

There's a lot of drama in that Issue, and then, at the very end:

Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

the SDK and the client are two separate programs
code for each program is in separate repositories
the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

load more comments (16 replies)

load more comments