People here are incredibly hard to please. Very clearly a packaging issue that got blown out of proportion.
They've done largely the right things for _years_ in terms of security. They've operated pretty transparently in terms of open sourcing. They've allowed vaultwarden to exist, and eventually created a self hostable version as well.
But one bad release with a license screw up and nobody is willing to give them an inch?
I will continue to use bitwarden, and am willing to give them the benefit of the doubt. Especially considering this action above. They are a company that is perfectly toeing the free/oss and commercial line.
You build a hundred solid bridges and you get called John the Good Bridge Builder. But lest you once screw up your software licensing and people notice and it blows up, you'll end up as John the Software Screwer in the annals of history... until next week.
It seems, though, that in the world of software, you can unfuck a sheep.
What worries me, though, is that people who should have known better commit such oopsie daisies more and more (across many projects, I don’t mean this one only), almost as if they are testing the waters to see what they can get away with.
> almost as if they are testing the waters to see what they can get away with.
I think if it's a pattern then it's no accident. Of course people will test things. Kids, dogs, it's all the same: if you can get away with something, why not do it?
The idea that this was "just a packaging bug" is damage control by Bitwarden. It was a deliberate change, per the CTO's comment on https://github.com/bitwarden/sdk/issues/898 and elsewhere. They slowly worked their way towards adding this SDK dependency to every client, and the SDK was intentionally not open-source. The public outrage is the only reason Bitwarden is GPLv3 again.
Yeah - they've always used an open-core licensing model with like a few features (used only by business users/applications) behind a proprietary license. They just ended up mixing the code in a way such that the (theoretically open-source) app ended up having some utility functions for the business version mixed in. Since the client apps don't use that functionality, they split the repository so that you can build the app without using any proprietary code.
For a long time their KDF was bad and the iteration count was low. When I reported it to them they got really hostile and evasive about it.
Years later they switched to Argon, somehow solving all of the blocking problems they had repeatedly claimed they couldn’t fix.
I don’t trust the org at all. The software is ok but I only use it because it sucks marginally less than all my other options.
People who care about software freedoms don’t release proprietary software. Organizations like this or Microsoft are just engaging in open source cosplay.
> When I reported it to them they got really hostile
You're not the one who first reported it, but I did see your comments at the time. Calling them hostile is really the pot calling the kettle black, uh?
To me the story also sounds a bit like GP was a bit impatient and felt a bit ignored while the company was already working on the issue but just didn't respond promptly to them personally.