• 0 Posts
  • 88 Comments
Joined 1 year ago
cake
Cake day: July 10th, 2023

help-circle


  • One notable software business professional interviewed by RBC thought that the West’s decision would “adversely affect the life of the developer community, mutual trust within it, and therefore the quality of the product.”

    It was Russia and other autocracies etc. that diminished the trust by actually financing developers for multiple years to first earn trust and finally introduce backdoors into open source software, as demonstrated by the XZ utils backdoor.

    In open source projects, maintainers need to have some initial trust into each contributor, and let this trust naturally grow with time and contributions. They cannot perform intensive background checks on everyone before accepting a patch.

    While it is easier to uncover backdoors in open source software, there is no good way to defend and prevent against this kind of attack in this type of development process. All open source projects can do is trying to take away some trust from people within higher risk groups. This of course might lead to discrimination.





  • Which other trustworthy search engines are there? And I don’t mean some different frontend or a meta search engine like ddg, sp, kagi, searx(ng), etc… that mostly just use googles, bings or even yandex and beidu results?

    Ages ago I configured and hosted yacy for myself, but that was a different time… Are there any real alternatives? With mayor internet companies like cloudflare, social media sites and many others restricting the access to the net and information, searching becomes more and more impossible if you aren’t a huge corporation…





  • So you meant to say:

    I would go as far as to say that Bitwarden’s main competitive advantage and differentiation is that it’s source is available.

    That is not true, there are a lot of other password management software out there where the client source code is either open source or source available. For instance keyguard: https://github.com/AChep/keyguard-app?tab=License-1-ov-file#readme which is an alternative proprietary bitwarden client, where the source is also available. Also the Proton Pass client is under GPLv3.

    I would argue that the main advantage of bitwarden compared to others is that it is open source and has an open source server for self-hosting (vaultwarden). Which of course makes it difficult in terms of business strategy with their VC funding. But maybe becoming a non-profit org and getting money from donors, the strategic funds of EU and other governments, etc. might be an alternative way.


  • Ok, lets take it step by step:

    Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

    • the SDK and the client are two separate programs

    I think they meant executable here, but that also doesn’t matter. If both programs can only be used together and not separate, and one is under GPLv3, then the other needs to be under GPLv3 too.

    • code for each program is in separate repositories

    How the code is structured doesn’t matter, it is about how it is consumed by the end-user, there both programs are delivered together and work together.

    • the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

    The way those two programs communicate together, doesn’t matter, they only work together and not separate from each other. Both need to be under GPLv3

    Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

    Not being able to build a GPLv3 licenses program without a proprietary one, is a build dependency. GPLv3 enforces you to be able to reproduce the code and I am pretty sure that the build tools and dependencies need to be under a GPLv3 compatible license as well.

    But all of that still doesn’t explain what their goal of introducing the proprietary SDK is. What function will it have in the future? Will open source part be completely independent or not? What features will depend on the close-source part, and which do not? Have they thought about any ethical concerns, that many contributors contributed to their software because it under a GPL license? How are they planning on dealing with the loss of trust, in a project where trust is very important? etc.


  • None of that makes Bitwarden not open source.

    Yes, it does, because it violates its own license GPLv3 by having proprietary build-/runtime dependencies.

    If it was under a different, maybe more permissive, open source license, then maybe it would still be open source, but as of right now i likely breaks its own license terms.

    Not only that, they specifically state this is a bug which will be addressed.

    From what they state, they think that because executables that share internal information via standard protocols does somehow not break GPL3 terms compared to two libraries that share internal state via the standardized C ABI which does. And they seem to not consider that a bug, just the build-time dependency.






  • The only way I ever used passkeys is with bitwarden, and there you are sharing them between all bitwarden clients.

    From my very limited experience, pass key allows to login faster and more reliable compared to letting bitwarden enter passwords and 2fa keys into the forms, but I still have the password and 2fa key stored in bitwarden as a backup in case passkey breaks.

    To me, hardware tokens or passkeys are not there to replace passwords, but to offer a faster and more convenient login alternative. I do not want to rely on specific hardware (hardware token, mobile phone, etc.), because those can get stolen or lost.