Bitwarden SDK relicensed from proprietary to GPLv3

minebreaker

https://github.com/bitwarden/clients/issues/11611#issuecomme...

> We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

blendergeek

Thank you to Bitwarden for relicensing a thing to a Free/Open License! Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good. But for anyone with more advanced needs (or who doesn't trust a password manager built into a web browser), I always recommend Bitwarden because KeepassXC + syncing is way too difficult for normal people.

danpalmer

> Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good

Interesting, I've always felt that browser-based password managers provided remarkably little value for most people. Using them on mobile is tricky and platform dependent, it's easy to have local-only, non-synced data and then lose it, and being multi-device is trickier, especially in a work context.

On the other hand, people generally understand installing an app on each device they own and that app doing it for them.

simfree

Firefox password sync just works. It's one of those things I never think about.

Watching friends and family struggle with bespoke, poorly integrated password managers makes me cringe and is one of the big reasons I enjoy the seamless experience of the built-in Firefox password manager.

danpalmer

Does it require a Firefox account? Does it only store them locally if you haven't signed in to Firefox? This is the sort of failure I've seen, where people think their passwords are synced but because they didn't sign in years ago it's actually not backed up at all. At least on Chrome you get reminded of that all the time on YouTube/Google search, etc.

I know for Safari all the sync is via iCloud meaning if you're not signed in it's locally stored and vulnerable in that way. Especially as many people can't/don't sign in to their own iCloud on work computers, or don't have a Mac.

mikae1

But does it work for non-website passwords like the PIN for the door at your workplace or the usernames and passwords for your computers?

nox101

It just works for websites. It does not "just work" for apps, whereas the platform ones do or have a chance to work with apps.

Kind of hope regulation will force Apple/Google/MS to allow iterations for 3rd parties to integrate with the OS, but on the other hand that will open a host of issues.

ClassyJacket

Can Firefox password manager work in other apps on Android?

_fs

Does it have the ability to unlock with faceID on ios?

miki123211

Firefox sync made the criminal sin of implementing end-to-end encryption, enabling it by default, and being insufficiently clear to people that their passwords are lost forever when they forget the master password.

This provides a really terrible UX to "normal" users. I wouldn't recommend that option to anybody who doesn't already know what E2E is and what tradeoffs it has.

Google's implementation is a lot better in that regard, at least they offer plenty of avenues for account recovery.

mrwm

I'm not sure how it is on iOS, but I've been using Firefox as my password manager on Android. It's a trivial change in the settings and works across all apps as well.

I also recommend it to my friend group, as they can use Firefox with uBlock Origin, and also have their passwords synced.

CJefferson

I have the opposite problem. If I forget to log into Bitwarden, passwords just get saved into Firefox / Chrome, so now I've got some passwords in Bitwarden, some in Chrome, some in Firefox, and worst of all Bitwarden doesn't seem to have an easy way to unify these databases.

floydnoel

> people generally understand installing an app on each device they own and that app doing it for them.

an app like Firefox or Chrome, perhaps?

danpalmer

This is obviously true for the HN crowd, but for normal people I think there's a distinction. Don't underestimate the value of centering a brand and an icon on a home screen around a single function.

lrem

All serious browser vendors offer sync to logged in users. That’s multi-device, cross platform and pretty foolproof. I still prefer Bitwarden because of self-hosting and integrating nicely with the iOS ecosystem. But there’s not much wrong with the browser approach.

usrusr

Multi device is all nice and well, but what if you use products from more than one browser vendor?

JoshTriplett

> Interesting, I've always felt that browser-based password managers provided remarkably little value for most people.

They provide the value of "you should, by design, have no idea what most of your passwords are; if you know any significant number of your passwords you probably have bad passwords".

And both Firefox and Chrome sync passwords between devices.

ahiknsr

> Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good.

I use both Bitwarden and Firefox and I would strongly encourage everyone to not use the password manager in Firefox. Do you know the tab sync across devices is broken in Firefox? It has been broken since Aug 24 and it is still not fixed: https://bugzilla.mozilla.org/show_bug.cgi?id=1913795 . If they can't sync tabs across devices, I wouldn't trust them to sync my passwords.

techwizrd

I'm glad that Bitwarden moved quickly to resolve this. At least for me, Firefox's password manager isn't really a replacement. Bitwarden is approved by my employer, self-hostable, and supports logins for the litany of apps across my browsers and mobile devices. Whether it's the mobile app, mobile website, or site in my browser, Bitwarden just works for the most part. It's also quite nice that Bitwarden can store arbitrary information like CCs, secure notes, and how I capitalized the answers to security questions and other account recovery/login information.

ValentineC

> It's also quite nice that Bitwarden can store arbitrary information like CCs, secure notes, and how I capitalized the answers to security questions and other account recovery/login information.

+1. I use my password manager (currently 1Password, but I have been looking at self-hosting Bitwarden/Vaultwarden) more for storing credit card information and security questions.

Most built-in password managers don't cut it on that front.

sph

> the built-in password manager in Firefox is too good

Too good in what way that according to you "normal" people shouldn't be using Bitwarden? Or do you just like the Firefox one but are overselling it a bit too much?

I use Firefox, but I do not trust the Mozilla products. Bitwarden costs me $10/year so I wonder what is so amazing and groundbreaking about Firefox password sync, and does it work across browsers?

Ayesh

I used Firefox password manager for years, and moved to Bitwarden for:

- Passkey syncing
- Bitwarden on Android works properly, compared to Firefox's dedicated password app that's abandoned.
- TOTP support (to use with some apps I don't want the strongest security)

But you are maybe right, if the only browsers you use are Firefox desktop/mobile.

Anunayj

Can someone also comment on how secure the built-in password manager in Firefox is to unsophisticated malware attacks that simply copy your browser extension data and such? Compared to Bitwarden, which requires a password to unlock it, and as I understand it stores everything encrypted on disk.

bigfatfrock

> because KeepassXC + syncing is way too difficult for normal people

I've been debating for ages if this is a hurdle that can be overcome by packaging or even hand-holding support. When I show "normal people" my pass+sync setup they beg me to implement it for them. Once it's running it's near-zero maintenance.

dcow

Password management is like exercise. Even when people say they understand the value and want to do it, they don't. Even if you implement it for them, if it's not something that slots perfectly into their existing routine, they're not going to do it. Thankfully passkeys are here.

tjoff

It's fine, even bad password management is better than passkeys.

Thankfully the incredible hype for passkeys has been dead for years now and people are starting to question it.

przmk

Where did you manage to find "normal people" that begged you to install a password manager for them? I have yet to come across one person who wanted one.

archi42

There are normal people out there who have been hacked, or knew someone who was.

Also, some normal people are computer-smart enough to understand problems like credential-stuffing, if someone explains it to them.

peterpans01

Can you share how you set this up?

freeone3000

I store the password vault in dropbox. Done.

lie07

Would love to know how you have it set up.

elric

I recommend Bitwarden family plans to non-technical people. It's pretty user friendly, and you can give people emergency access. A couple of recent deaths in my life have made me painfully aware that this is something that many people really need.

petterroea

Thank you Bitwarden for listening. This kind of stuff gives me hope for the business model of Open Source.

chx

No, it wasn't listening, there was a simple bug which they fixed and would've fixed even if y'all didn't pigpile on the issue preaching them. Fucking disgusting.

jdlyga

Bitwarden is still excellent, but keep an eye on them over the next few years. Remember that Bitwarden was originally a LastPass alternative without the fuckery.

prophesi

The LastPass fuckery was long and frankly egregious.

Though I don't understand why this git commit is what's linked here. I'd rather hear the discussions on it. https://github.com/bitwarden/clients/issues/11611

hnbad

After reading through the issue thread and the final reply by Bitwarden, I think the only context this provides is that the headline should rather be something like "Bitwarden SDK fixes dependency licensing issue".

The opening comment and the final reply are the only valuable contributions in that issue. Everything in between is random people jumping in to feign outrage or telling people to use Vaultwarden (which btw recently was in the news for more significant negative reasons). If anything it's a perfect example of the sad state of online discourse.

ferbivore

This wasn't an "issue", it was working as intended. The GPLv3 client intentionally depended on proprietary code. The CTO's comments on bitwarden/clients#11611, bitwarden/sdk#898 and fdroid/fdroiddata!15353 make it clear this was deliberate. They've now changed their stance because of the backlash.

It looks to me like people expressed genuine concerns about being lied to by a company, one they'd trusted with their passwords no less. Calling it "feigned outrage" is a bit rude.

SirGiggles

> (which btw recently was in the news for more significant negative reasons)

Do you by chance mean CVE-2024-{39924, 39925, 39926}?

odo1242

I mean, it still is. It’s honestly gotten better too - for evidence, it’s the one password manager that never gets recommended by sponsored YouTubers but always gets recommended by non-sponsored YouTubers.

Scipio_Afri

Well that’s one way to handle that effectively and in what seems to be open source way without fuckery; glad to hear it cause that was going to be a bit annoying migrating away from them.

powersnail

It's a welcome change. It still feels like they are trying to be too smart on licensing, especially how to combine GPL and proprietary licensed code, which I think is the root cause of the whole drama. The open core model works better as a hosted service, where you are not distributing the amalgamation of GPL and proprietary. Open core in client code seems a bit too rife for potential misunderstandings and confusions.

Hope it works out for them, though. It's a good product.

weikju

Props to them for stepping in the right direction; it wasn't obvious at all for a few days what they would do.

chx

Repeatedly: when people post shit like this they more or less guarantee the next company won't even try. People! This is one of the few companies which open sources their product. The time to doubt and preach is not here yet... by far.

mbix77

Such a pity they are starting to try to move to proprietary model. I have been using them for years. I thought they were different than other "open-source" companies (e.g. Redis).

What are the alternatives for an open-source cross-platform password manager? Has anybody used Vaultwarden already?

tmpfs

We have been working on an open-source, cross-platform alternative called SOS[1]. The source code is on GitHub[2] and includes a self-hostable server for syncing. It is well documented[3] for those that want to go build on top of it.

Would love your feedback if you can take it for a spin!

[1] https://saveoursecrets.com/
[2] https://github.com/saveoursecrets/sdk
[3] https://docs.rs/sos-sdk/latest/sos_sdk/

chx

No, they are not. They have a separate product which is closed source and there was an accidental mixup between the dependencies of the two. They fixed it quickly. As I posted repeatedly in this issue: we need to be much, much more lenient and supportive of one of the very few companies which still try. If this is the support they get, why would anyone else even bother?

ferbivore

This was not an accidental mixup. Have you actually read the previous issue threads? Their stance was that "there are no plans to adjust the SDK license" before the backlash.

amszmidt

Not entirely there yet ... Some parts have been re-licensed, some have been licensed under the old non-free software SDK license. E.g.,

https://github.com/bitwarden/sdk-internal/commit/db648d7ea85...

ferbivore

The non-GPLv3 bits are for their separate Secrets Manager product. It doesn't look like that's advertised as open-source. Bitwarden has always been open-core and not fully GPLv3, and that seems understandable; they need something to sell after all.

threatofrain

GPLv3 is interesting because it means that to use their code in a commercial setting, you must also have the guts to open source too.

odo1242

Not necessarily. You can run a “Bitwarden hosting service” or something like that without violating GPL. You’d only have to make your changes available on request if you changed the actual Bitwarden source code or linked some other library into it and shared that modified version with someone else (just running it on a server doesn’t mean you need to open source changes, for example)

hk1337

I don’t believe that is entirely accurate. I believe it depends on the application and what you’re doing with it whether or not you would be required to open source it. Like, if you’re distributing the application as a product, not necessarily a SaaS application?

nine_k

Yes, GPL3 only works for directly distributed software. But an important part of Bitwarden is exactly such software, in the form of a browser extension.

HeatrayEnjoyer

Yes, this is why AGPL is superior.

AzzyHN

I don't know why people are saying this is a bad thing.

crossroadsguy

Similarity to past experiences of the start of the decline of services/apps.

Capricorn2481

What app got worse after going open source that you're thinking of?

crossroadsguy

> after going open source

I wasn't thinking that at all. BW started as open source afaik.

3np

Choosing GPL over AGPL for this kind of project combined with the previous recent CTO messaging is very telling if you consider the architecture of the software(s).

wmf

Telling what?