I stopped endorsing closed-source software to friends and family years ago, because you can't trust the companies behind them not to quietly change directions.
Years ago I used a free workout app that I really liked. After a few months of using it I recommended it to friends. I only much later found out that I was on a grandfathered version of the free plan without ads or restrictions. The company had made changes to the free plan since I joined, and all new accounts (like my friends) were subject to ads and restrictions.
It was embarrassing to have unknowingly recommended something like that.
Bitwarden is open-source though? This is about the hosted version of it, which has a free tier. But you can run the same software on your server at home if you want, for free.
(That said, I am also concerned about the direction Bitwarden is taking. I just think this shows that even OSS projects can have direction/rugpull issues.)
How long after a public sale will Bitwarden clients stay compatible with Vaultwarden? The new owners could put a check in all clients on the first day of ownership if they wanted, and Vaultwarden would immediately be obsolete and useless.
I wonder if Bitwarden shit on everyone, how long it would take for Vaultwarden specific clients to appear. A browser extension would be pretty simple, app store apps are a bit more complicated because of the pay-to-play aspects.
The problem is once Vaultwarden clients appear, then Vaultwarden becomes its own complete system and is no longer able to rely on the good reputation of Bitwarden. Plus developing clients for multiple browsers and OSes is a lot more difficult than just keeping a back end up to date.
If they went this path I think I would jump ship to a paid service.
As soon as they break compatibility with the official clients, it becomes much tougher. Even though the current versions can be forked, the whole system is set up to work against any kind of grassroots effort to maintain an open source version.
Apple and Google being the gatekeepers for all mobile app distribution is a real pain point. Without the clout of a big brand name the risk of being unable to distribute apps goes up.
Vaultwarden relies on the goodwill of Bitwarden to allow it to use its clients for compatibility. I would wager a new owner looking for money would block that pretty soon after buying the company.
Again, for how long? The answers to all the questions seem to be the same. If Bitwarden was sold they could remove all of this free functionality and interoperability with 3rd-party clients immediately.
Then you could say well, Vaultwarden will work with these forked clients, but then you are placing your security into the hands of multiple different open source maintainers, and Vaultwarden then has nothing to do with Bitwarden and becomes some random back end + some random 3rd-party clients.
Sure, but vaultwarden as a system would be entirely usable, I don't think a lot of it is really relying on the bitwarden compatibility for much more than a little convenience.
Usable yes, but trustable? Not without some serious backing and regular auditing from some public security experts.
IMO the fact that the existing Vaultwarden system relies on Bitwarden clients and therefore carries Bitwarden's secure reputation is its main selling point. Take that away and Vaultwarden is nothing more than some random back end software that cannot really be trusted.
> the existing Vaultwarden system relies on Bitwarden clients and therefore carries Bitwarden's secure reputation is its main selling point.
I hope that this could be a starting point and not an end-point of Vaultwarden. It has gotten far on the shoulders of the Bitwarden giant. If it forked, would it have a large enough community to continue to carry that trust forward (including building new clients)? How much financial support would they need? Could they find a sponsor? It's a European project -- would the EU help fund it as a data sovereignty push?
Agreed, it would be great to have a fully open source solution, however I would be wary of it until it was audited and backed by security professionals in the field.
Maybe, I don't think that reputation really should transfer anyway, and it's not something I would consider necessary for using it. (I mean, some scrutiny is obviously good, but I don't think it needs to be as big as Bitwarden).
> I don't think that reputation really should transfer anyway
Why not? The most important security bits are implemented client-side which is developed by Bitwarden. If the clients are secure then my database is safe even if Vaultwarden turns out to be evil.
Switching from Bitwarden Client to Vaultwarden Client would require about 3 orders of magnitude more trust than switching the server which primarily deals with encrypted blobs. If the client turns out to be malicious then it's game over.
You're right, though the friends and family that I would feel the need to recommend a password manager to aren't the type that would self-host their own servers.
- KeePass files synced between laptop and phone on OneDrive, DropBox, etc
- KeePassXC on Windows and Mac
- Keepass2Android mobile client
- Browser integration on mobile.
- On laptop, I prefer no browser integration; Copy username and password with Ctrl+B and Ctrl+C
Slightly off topic, I use KeePassXC on Mac and browser integration almost never works for me. It never picks up the usernames or passwords for me, even if the entry has the URL in it.
I've paid for and recommended Bitwarden. For years it's operated along a stable trajectory. I was confident in its security record. Vaultwarden is an escape hatch I'm in a position to set up for my family as a last resort. Almost any reputable password manager is more secure than reusing the same passwords or storing everything in a note file.
What I stopped doing so frequently could be described as "evangelizing" or "endorsing". I no longer actively tell people that I think they should use X, instead, if someone asks, I say "I use X, and it's worked for me so far".
The server is only recently free, if indeed it is at all. I don't remember when or if that changed, because for most of its life it was definitely not free (open source).
Early adopters are exactly the people that like to test and recommend things to the majority. Without being aware of it, I was recommending a different product than the one I was using.
People stake their own personal reputations behind their recommendations. I don't think quietly changing the product without warning is doing right by their early adopters.
Ooh, that's a great idea. I'm writing that down in my list of ways to enshittify a company for money in case I ever end up in charge of a company that can be enshittified for money.