this post was submitted on 20 Oct 2024
355 points (94.9% liked)

Selfhosted

39739 readers
1684 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud
Loki
CannaVet
devve
HybridSarcasm
[email protected]
355
Concerns Raised Over Bitwarden Moving Further Away From Open-Source (www.phoronix.com)
submitted 1 day ago by 486 to c/selfhosted
42 comments fedilink hide all child comments
 

Bitwarden introduced a non-free dependency to their clients. The Bitwarden CTO tried to frame this as a bug but his explanation does not really make it any less concerning.

Perhaps it is time for alternative Bitwarden-compatible clients. An open source client that's not based on Electron would be nice. Or move to something else entirely? Are there any other client-server open source password managers?

all 45 comments
sorted by: hot top controversial new old
[–] CommanderShepard 40 points 1 day ago* (last edited 1 day ago) (2 children)

Bitwarden is a very convenient password manager for an average computer user. It's very straightforward and easy to use.

I can see some bias here of the people who say "o, just use KeePass and sync the database over some cloud provider". What if there are conflicts? How do they deal with them? I can figure it our but most people I know, won't.

Even the password manager concept is a complicated concept to grasp for many people (that I know). And I can recommend them Bitwarden because it's relatively easy, but KeePass with sync? Maybe, if I commit to actively help them with it.

P.S. I've convinced several people to try out Linux, and they are willing to learn it, but even if they just need to use a browser, they struggle sometimes. I can't imagine them syncing the KeePass database.

[–] [email protected] 13 points 1 day ago (1 children)

This is a common problem with Free software, and honestly I think it's our biggest one: we build stuff for ourselves and stop there. If we want our stuff to be adopted (which, for things that rely on network effects, we do) then we need to pay more attention to usability.

Here's a suggestion for anyone starting a project they think they might share. Before you start writing any code, write the documentation. Then rewrite it from the perspective of the least tech-literate person you know who you'd still want to use the project. Only after you've worked out how easy it should be for this person to get started, then you can start writing the thing.

[–] CommanderShepard 5 points 1 day ago (3 children)

Ideally, the project should not require any documentation to read.

Yep, I know, I think everyone should read to learn, but I've seen so many times peoples' spark die once I tell them "I will send you the docs with clear instructions. If you have any questions, let me know :)". The reply is often " Oh, but it should tell me where to click".

Or maybe it's because the docs are too difficult, I don't know.

[–] [email protected] 5 points 23 hours ago

Generally, I agree. I think what I meant by the above is "how would you tell someone how to use the thing". My favourite example is email vs email-with-PGP.

How do you send an email?

  1. Open client
  2. Click "send new email"
  3. Type your email
  4. Click send

How do you send a PGP-encrypted email

Let's first talk about this thing called a "keyserver". Once you know what that is, you'll have to go out and find some keys to add to it. We're not going to talk about styling your message 'cause that's not something you should be able to do... etc. etc.

[–] EssentialNPC 4 points 22 hours ago* (last edited 22 hours ago)

Good documentation should, in part, tell people where to click. I have designed software documentation for high performing individuals at leading global companies, and I have designed software and hardware documentation for minimum wage fast food workers with limited English proficiency. In both extremes, I showed them exactly where to click on the screen at each step.

You might not need that level of help, but many people do. Others do not strictly need it, but they prefer the simple instruction set. "Click here then here," instructions ease the transition into a new system one needs to learn, or it removes the need entirely to learn a system one uses infrequently.

The problem is that making good documentation is difficult and time consuming. It relies on a fundamentally different skill set than coding or even UI design.

I agree that the ideal is for software to not need any documentation. In my experience, I have yet to see software that rises to that task and is used across a variety of experience levels and societal cross sections.

[–] [email protected] 2 points 19 hours ago* (last edited 19 hours ago)

The docs are not only often difficult for an inexperienced user, they commonly omit points of failure.

Various prerequisites, problematic settings, possibility of the user choosing the wrong menu etc. etc. should always be considered.

[–] [email protected] 8 points 1 day ago (1 children)

Have got two of my family members onto bitwarden and even that is a lot for the tech-illiterate. Couldn't imagine Keepass+syncthing.

Ultimately, bitwarden is better than using hunter12 for everything like how they were.

[–] [email protected] 3 points 19 hours ago

Better than using what? All I see is a bunch of stars.

[–] TrippyHippyDan 25 points 1 day ago (3 children)

This plus the syncthing announcement about the Android client ending support is a bad day indeed. I was just thinking about self hosting instead of KeePass + SyncThing now it's back to the drawing board once it stops working 😵‍💫

[–] [email protected] 7 points 1 day ago (1 children)

The syncthing fork on f-droid is still an option. An issue has been opened on the github repo. Lets see what will happen with the fork

[–] TrippyHippyDan 1 points 1 day ago (1 children)

I do have it installed through F-Droid. I thought I read that they weren't really going to be focusing on it at all, so updates may just die out.

Brings the little hope that my current situation won't die!

I don't know enough about Java directly to contribute anything useful, sadly.

[–] [email protected] 3 points 1 day ago

I am talking about the fork. It is operated by someone else.

[–] [email protected] 1 points 22 hours ago (1 children)

Keepass2Android supports many cloud options including Nextcloud and OwnCloud so it sync with storage directly. At least with Dropbox it works like a charm.

[–] TrippyHippyDan 1 points 11 hours ago

The whole point of self-hosting it is to not put the information on a public cloud. But, thankfully the F-Droid fork is still going on and I had misread it anyway.

[–] [email protected] 2 points 1 day ago

I literally just saw that as well, not really too sure what to do now lol.

Vaultwarden?

[–] [email protected] 103 points 1 day ago (3 children)

Can’t we ever have software that just keeps working? Password managers are like the new RSS readers.

  1. search around for a good one
  2. find a nice one and start using it
  3. they add stuff you didn’t want and slowly make it worse
  4. they’re bought up/ abandoned/ otherwise become unviable

Back to 1)

[–] [email protected] 37 points 1 day ago (1 children)

Well KeePass

[–] jasep 65 points 1 day ago (2 children)

The downside to Keepass is it is not self hosted, as in it's designed to run locally per device. Yes, you can put the database file on a network and have multiple clients from different operating systems access the database, but you will end up with collisions and database issues. Ask me how I know.

Running cross platform Keepass (and it's various forks) is absolutely doable, but it is not as seemless as BitWarden. I'm running self hosted VaultWarden and I'm hoping to run it for a long time as it's much easier than Keepass.

[–] [email protected] 20 points 1 day ago* (last edited 1 day ago) (2 children)

For what it's worth, I only ever had sync issues when sharing a database between devices with transient connectivity. Once I added an always-on instance of Syncthing into the mix, collisions were a thing of the past.

We've been using KeePass trouble-free for many years now, sharing a single database across more than 6 devices, with frequent use and modification.

[–] [email protected] 41 points 1 day ago (2 children)

Syncthing just announced they won't develop their Android app anymore. 🫤

[–] [email protected] 20 points 1 day ago

Noooo! Ugh, that's so disheartening to hear but I can't fault imsodin for his reasons. I sincerely hope that someone steps up to the plate, even if only for the F-Droid releases.

For anyone else interested, the discussion is taking place here:

https://forum.syncthing.net/t/discontinuing-syncthing-android/23002/7

[–] [email protected] 12 points 1 day ago* (last edited 1 day ago)

Ah shit, I hadn't heard that. Another one bites the dust because of Google's Play Store insanity. Maybe SyncThing-Fork will continue? 🤞

Source: https://forum.syncthing.net/t/discontinuing-syncthing-android/23002

Edit: Aaand like 10 posts down in my feed https://lemmy.world/post/21070831 lol 😭

[–] [email protected] 6 points 1 day ago

KeePassXC here, ÷1 for the exact same issue with the exact same solution (ST with an always-on "server") 👍

[–] [email protected] 14 points 1 day ago (1 children)

Eh, I have used KeepassXC over multiple machines using NextCloud to sync it for years now and have never had any conflict.

[–] [email protected] 3 points 1 day ago

This. I have been running it the same way for some time now. Even if you change something on one machine and something else on another nextcloud will just happily inform you of the conflict and then you can open both databases and cherry pick. Never had corruption issues.

[–] [email protected] 13 points 1 day ago

Bitwarden keeps working just fine.

[–] [email protected] 1 points 1 day ago (1 children)

Sure, you're welcome to keep using the version you like, or to write or maintain one on your own. Or pay someone for their labor to do it for you.

But if you use something made out of someone's good will, don't rely on it for anything critical.

[–] gdog05 6 points 1 day ago

Money isn't necessarily a factor. I've paid for many services that have made business or operating changes to the point of needing to separate and then there's WinZip on the other side of things.

[–] just_another_person 18 points 1 day ago (2 children)

BitWarden already has lots of clients. There's also VaultWarden for the server if you want.

This is being blown a bit out of proportion though. All they are saying is the official SDK may have some non-free components going forward. So what? It's a private company, they can do what they want. Or the community can just fork it and move forward with a free one if they want, but it's just not going to be in the official BitWarden clients. Hardly news or a big deal.

[–] [email protected] 40 points 1 day ago (1 children)

I can only speak for myself, but I would never trust opaque, proprietary software to manage my credentials, especially in a networked environment. For me, that's a total showstopper.

I've never had need to use Bitwarden or Vaultwarden as I've always been happy with KeePass, but this news would definitely have me choosing an alternative.

[–] 486 23 points 1 day ago* (last edited 1 day ago) (1 children)

BitWarden already has lots of clients.

Does it? I'd be very much interested to know. I've been looking for other clients before, because I didn't like the sluggishness of the Electron client, but couldn't find any usable clients at all. There are some projects on Github, none of which seemed to be in a usable state. Perhaps I have been missing something.

This is being blown a bit out of proportion though. All they are saying is the official SDK may have some non-free components going forward. So what? It’s a private company, they can do what they want. Or the community can just fork it and move forward with a free one if they want, but it’s just not going to be in the official BitWarden clients. Hardly news or a big deal.

Nobody said that they can't do that (although people rightfully questioned that their changes are indeed comatible with the GPLv3). I very much disagree that this isn't a big deal, though.

[–] [email protected] 1 points 1 day ago (2 children)

I use Keyguard on my phone. Loving it so far. Mostly focused on Android but also available for all major platforms.

[–] [email protected] 14 points 1 day ago

Keyguard is not open-source, only source-available.

[–] 486 7 points 1 day ago

Thanks, I haven't seen that one before, but I'd really prefer an open source application.