Bitwarden Desktop version 2024.10.0 is no longer free software
https://lemmy.ndlug.org/post/1268531
=> More informations about this toot | More toots from pnutzh4x0r@lemmy.ndlug.org
There's a lot of drama in that Issue, and then, at the very end:
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
the SDK and the client are two separate programs
code for each program is in separate repositories
the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
=> More informations about this toot | More toots from andrew_s@piefed.social
Um can someone translate what this means?
=> More informations about this toot | More toots from someguy3@lemmy.world
They claim the SDK and Bitwarden are completely separate, so Bitwarden is still open source.
The fact that the current version of Bitwarden doesn’t work at all without the SDK is just a bug, which will be fixed Soon™
=> More informations about this toot | More toots from superkret@feddit.org
Iirc, once reported, the project has 30 days to remedy or they are in violation of the license. They can’t even release a new version with a different license since this version is out under the GPL.
=> More informations about this toot | More toots from CosmicTurtle0@lemmy.dbzer0.com
Given that they own all of the source code (CLA is required to contribute), they can just stop offering the code under GPL, unless they happen to have any GPL dependencies not under their control, in which case this would not be viable.
=> More informations about this toot | More toots from GissaMittJobb@lemmy.ml
Switching licenses to future versions doesn’t invalidate previous versions released under GPL.
I’m not a lawyer but I deal with OSS licenses for work and I don’t know if there’s ever been a case like this, that I can think of anyway.
Their previous versions, still being under the GPL, would require them to release a change to make it usable on desktops. Again, I’m not a lawyer here but there is a lot of case law behind the GPL and I think the user who made the issue could take them to court to force them to make the change if they don’t respond in 30 days.
=> More informations about this toot | More toots from CosmicTurtle0@lemmy.dbzer0.com
It means previous versions remain open, but ownership trumps any license restrictions.
They don’t license the code to themselves, they just have it. And if they want to close source it they can.
GPLv3 and copyleft only work to protect against non-owners doing that. CLA means a project is not strongly open source, the company doing that CLA can rugpull at any time.
The fact a project even has a CLA should be extremely suspect, because this is exactly what you would use that for. To ensure you can harvest contributions and none of those contributers will stand in your way when you later burn the bridges and enshittify.
=> More informations about this toot | More toots from Redjard@lemmy.dbzer0.com
What is CLA in this context?
=> More informations about this toot | More toots from clay_pidgin@sh.itjust.works
I believe it’s a Contributor License Agreement
=> More informations about this toot | More toots from alkheemist@aussie.zone
Thank you.
=> More informations about this toot | More toots from clay_pidgin@sh.itjust.works
Licensing the source as GPL doesn’t really force the copyright holder (which is 100% BitWarden due to their Contributors Agreement^*, no matter who contributed the code) to do anything - they are absolutely free to release binaries built on the same codebase as proprietary software without any mention of the GPL.
For example if I write a hello world terminal program, release its source code under GPLv3 and then build it and give the built binary to you (and a permission to use it), you cannot force me to give you the source code for that build because I never gave you a GPL licensed binary.
If you were to take my GPLv3 source code and distribute a build of it however, you would have to license your binaries under GPLv3, because that’s the terms of the license I provided the source code to you under. Your users would then have the right to request the source code of those binaries from you. And if you released the build under an incompatible license, I (but not the users) could sue you for violating my license.
Their previous versions, still being under the GPL, would require them to release a change to make it usable on desktops.
License violations are usually not resolved by making the violator comply retroactively, just going forward. And it’s the copyright holder (so BitWarden themselves) who needs to force the violator to comply.
^* this is the relevant part of the CA:
By submitting a Contribution, you assign to Bitwarden all right, title, and interest in any copyright in the Contribution and you waive any rights, including any moral rights or database rights, that may affect our ownership of the copyright in the Contribution.
It is followed by a workaround license for parts of the world where copyright cannot be given up.
=> More informations about this toot | More toots from Markaos@lemmy.one
further translating it: they are closing it down but trying to make it look like they arent
=> More informations about this toot | More toots from umbrella@lemmy.ml
Also important to note is that they are creating the same license problems in other places.
They broke f-droid builds 3 months ago and try to navigate users to their own repo now. Their own repo ofc not applying foss requirements, because the android app is no longer foss as of 3 months ago. Now the f-droid version is slowly going out of date, which creates a nice security risk for no reason other than their greed.
Apparently they also closed-sourced their “convenient” npm Bitwarden module 2 months ago, using some hard to follow reference to a license file. Previously it was marked GPL3.
=> More informations about this toot | More toots from Redjard@lemmy.dbzer0.com
The main program is open, but the development tools are not
=> More informations about this toot | More toots from Natanael@slrpnk.net
They’re trying to argue legal technicalities because acknowledging that they’re trying to reduce compatibility with servers like vaultwarden would be bad PR.
Per their new license, anyone that uses their SDK to build a client cannot say, “this is for Bitwarden and compatible servers like vaultwarden”. They cannot support those other servers, per their license. Anyone that gets suckered into using their SDK now becomes a force against alternative implementations.
=> More informations about this toot | More toots from TheOubliette@lemmy.ml
plan to resolve
timeline unknown, maybe 2124
=> More informations about this toot | More toots from umami_wasbi@lemmy.ml
There is always a very vocal minority itching to cause as much drama as possible. It’s very discouraging to see in general. I agree with and want more FOSS, but I’m not sure I’d ever consider making it myself; it’s not worth extra stress personally.
=> More informations about this toot | More toots from unbroken2030@lemmy.world
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
I.e. “fuck you and your foss”
=> More informations about this toot | More toots from fl42v@lemmy.ml
plan to
timeline unknown, maybe 2124.
=> More informations about this toot | More toots from umami_wasbi@lemmy.ml
Pretty much the opposite
=> More informations about this toot | More toots from zante@lemmy.wtf
I doubt it. What’ll probably happen is them moving more and more of the logic into the SDK (or adding the back-end of new features there), and leaving the original app to be more or less an agpl-licensed ui, while the actual logic becomes source-available. Soo, somewhat red-hat-esque vibes: no-no, we don’t violate no stupid licenses, we just completely go against their spirit.
=> More informations about this toot | More toots from fl42v@lemmy.ml
go against their spirit
I think this is more of a failure of the license itself. It’s not a good look to allow something explicitly and then go “no not like that!”
=> More informations about this toot | More toots from refalo@programming.dev
I’m not sure you can classify this as a failure, as explicitly prohibiting interfacing with non-agpl stuff would greatly limit the amount of stuff you can license under it, perhaps up to the point of making it generally unusable. As for “not like that”… Well, yeah. But you can’t deny it’s misleading, right? Free software kinda implies you can modify it whatever you want, and if it’s a free ui relying on a source-available middleware… Turns out, not so much.
Although, a posdible solution would be require explicitly if you’re basically a front-end for something; but I’m not sure if it can be legally distinguished from the rest of use-cases.
=> More informations about this toot | More toots from fl42v@lemmy.ml
Ever since BitWarden got mired in capitalism, I’ve been dreading that something like this would happen.
=> More informations about this toot | More toots from SteleTrovilo@beehaw.org
Does this affect valtwarden?
=> More informations about this toot | More toots from nichtburningturtle@feddit.org
Vaultwarden is only the server, no? So any clients that you use to access Vaultwarden are built and maintained by 8bit solutions a.k.a. Bitwarden, including the desktop client that is the subject of this post.
=> More informations about this toot | More toots from subtext@lemmy.world
Yes because it is about, ultimately, making the major clients incompatible with vaultwarden on both a legal and technical level.
A likely outcome if they don’t reverse course is a split where FOSS Nerfs fork the clients and have to maintain their own versions. That’s the outcome Bitwarden wants. This reeks of a bazinga, “how dare they benefit from our work and take our users”, which is hilarious for a FOSS ecosystem that almost universally benefits corporations with free labor.
=> More informations about this toot | More toots from TheOubliette@lemmy.ml
If this is not resolved I will likely switch to another service. Free software compatibility was the main reason I paid for bitwarden over its competitors.
=> More informations about this toot | More toots from twirl7303@lemmy.world
I will change for sure, as well. Let’s see.
=> More informations about this toot | More toots from lemmeBe@sh.itjust.works
What does this change for you?
Seems to change nothing for all my devices which is a cheap offering at $10/year.
=> More informations about this toot | More toots from AustralianSimon@lemmy.world
The direction that the company is taking. Clearly that Bitwarden feels like other open source projects are diverting revenue from them.
That’s a small step towards enshittification. They close this part of the software, then another part until slowly it is closed source.
We’ve seen this move over and over.
Stopping your business with Bitwarden over that issue sends a message that many customers don’t find this acceptable. If enough people stop using their service, they have a chance to backtrack. But even then, if they’ve done it once, they’ll try it again.
Your current price is 10$/year now. But the moment a company tries to cull any open source of their project is the moment they try to cash it in.
=> More informations about this toot | More toots from Croquette@sh.itjust.works
That’s a small step towards enshittification
Going away from opensource model that you built your business over is a pretty big step.
=> More informations about this toot | More toots from pressanykeynow@lemmy.world
And incredibly stupid as well.
=> More informations about this toot | More toots from jjlinux@lemmy.ml
How will anyone know what they add to the code now? That’s the problem, and with our fucking passwords no less. They can fuck right off. In my environment alone they will be loosing upwards of 3,500 dollars yearly, 700,000 if I can convince my boss to dump them for the company as well.
=> More informations about this toot | More toots from jjlinux@lemmy.ml
What part changed the code to closed source?
=> More informations about this toot | More toots from asap@lemmy.world
In my environment alone they will be loosing upwards of 3,500 dollars yearly, 700,000 if I can convince my boss to dump them for the company as well.
And move to what?
=> More informations about this toot | More toots from kratoz29@lemm.ee
Anything, even Proton. The point is making a statement. If you start as OSS, you can fuck right off when you decide to come back sideways locking code down.
=> More informations about this toot | More toots from jjlinux@lemmy.ml
Okay, we’ll I’ve been using vaultwarden. When should I switch to something new, and what’s a good alternative?
=> More informations about this toot | More toots from nadiaraven@lemmy.world
Uh oh. Android user here. Time to jump ship? If so…proton??
=> More informations about this toot | More toots from DoucheBagMcSwag@lemmy.dbzer0.com
As with all of their services, the back-end is closed-source.
For the purposes of user freedom, it’s not that critical as the back-end merely facilitates the storage and synchronisation of encrypted data. This is different from the bitwarden case where they’re now including freedom disrespecting code into the most critical part of their software: the clients which handle the unencrypted data.
Fact of the matter remains however that Proton Pass restricts your freedom by not allowing you to self-host it.
If you are fine with not being able to self-host, I’d say it’s a good option though. Doubly so if you are already a customer of their other services.
Proton has demonstrated time and time again to act for the benefit of its users in the past decade and I see no incentive for them to stop doing so. I’d estimate a low risk of enshittification for Proton which is high praise for a company of their size.
=> More informations about this toot | More toots from Atemu@lemmy.ml
Looks like I might be moving to Proton Pass after all! I’ll give them some time to see what they do about this, but will happily give my money to someone else and migrate friends/family as well.
=> More informations about this toot | More toots from KLISHDFSDF@lemmy.ml
I know little about Proton Pass, but how confident are you they don’t also used a proprietary SDK with their open source apps?
=> More informations about this toot | More toots from RvTV95XBeo@sh.itjust.works
Their Android client is licensed under GPLv3
=> More informations about this toot | More toots from qaz@lemmy.world
Cool, so is Bitwarden, hence my concern
=> More informations about this toot | More toots from RvTV95XBeo@sh.itjust.works
Proton pass client doesn’t currently use a proprietary SDK, but they also haven’t made the same blunder as Bitwarden, which they’ve since fixed, but still not a good look.
On another note - I did export/import all my passwords into proton pass and WOW the speed and UX feels so much better. I’m still sticking with Bitwarden as they’ve been really good so far, but there’s a real good alternative should they ever “turn evil”.
=> More informations about this toot | More toots from KLISHDFSDF@lemmy.ml
i was about to replace my glorified encrypted text file for a password manager. guess relying on 3rd parties in a late-stage capitalist world is not a viable alternative.
ill stay with my encrypted text file until they privatize encryption. by then ill probably be carving my passwords out on stone.
=> More informations about this toot | More toots from umbrella@lemmy.ml
KeePassXC is pretty amazing. :)
=> More informations about this toot | More toots from EveryMuffinIsNowEncrypted@lemmy.blahaj.zone
can u selfhost it?
=> More informations about this toot | More toots from umbrella@lemmy.ml
Yes. Look at the various Keepass apps out there. A lot of remote storage solutions are supported.
=> More informations about this toot | More toots from ByteWelder@feddit.nl
I would assume so. According to the page Documentation and FAQ,
Why is there no cloud synchronization feature built into KeePassXC?
Cloud synchronization with Dropbox, Google Drive, OneDrive, ownCloud, Nextcloud etc. can be easily accomplished by simply storing your KeePassXC database inside your shared cloud folder and letting your synchronization service of choice do the rest. We prefer this approach, because it is simple, not tied to a specific cloud provider and keeps the complexity of our code low.
=> More informations about this toot | More toots from EveryMuffinIsNowEncrypted@lemmy.blahaj.zone
It’s basically your encrypted file, you are to handle synchronisation yourself.
=> More informations about this toot | More toots from pressanykeynow@lemmy.world
Nobody here talks about keepassxc ? I’ve been using it for almost a decade, it can be used with sync tools to be shared, I’ve managed to have db keepass file opened on several computers and it did work well. Gplv3 here
keepassxc.org
=> More informations about this toot | More toots from rozlav@lemmy.blahaj.zone
I just switched over. Honestly, I like it even more than Bitwarden.
=> More informations about this toot | More toots from EveryMuffinIsNowEncrypted@lemmy.blahaj.zone
No Android app though?
=> More informations about this toot | More toots from AustralianSimon@lemmy.world
KeepassDX
=> More informations about this toot | More toots from piracysails@lemm.ee
Ty, exploring alternative tools. I really don’t like last pass due to their lax data security and 1 Password for the same reason.
Bitwarden still earns my $10/year.
=> More informations about this toot | More toots from AustralianSimon@lemmy.world
keepass2android
=> More informations about this toot | More toots from SquiffSquiff@lemmy.world
No excuse to not look into it now. Hopefully it uses Android autofill.
=> More informations about this toot | More toots from AustralianSimon@lemmy.world
It does support autofill
=> More informations about this toot | More toots from fossphi@lemm.ee
Testing it then will see if it passes the wife test for ease of use.
=> More informations about this toot | More toots from AustralianSimon@lemmy.world This content has been proxied by September (3851b).Proxy Information
text/gemini