38 comments

[ 4.9 ms ] story [ 93.9 ms ] thread
Very nice! Though I'll probably still be lazy and copy everything out of the Firefox Addon...
(comment deleted)
Is this the client or the self hosted server? The page doesn’t make that clear.
It's the desktop client. The unofficial vaultwarden server package is also available in the community repository.
The first dependency listed is electron11... that's desktop.
I had been maintaining (and patching) this package since 2018 on AUR and it's amazing to see it being promoted to community. Electron is definitely not the easiest to work with, but it's been fun turning a fat electron app into a sub-10MB package.
How did you reduce it?
I don't maintain this package, but with the ones I maintain you use the system Electron.
Nicely done. Thanks for your work! The Arch community is where it's at because of package maintainers. Btw I use arch.
I'm personally so happy with Password Store I cannot find a reason for the hype behind this.
Yeah, me too! I can even use it on iOS for that matter. It’s honestly good enough.

I actually tried setting up a bit warden server on a (not so old) computer but had just so much trouble with the docker image, couldn’t really find docs on how to set up without it, just ridiculous in my opinion. A few months later, I tried using pass full time and so far it’s been great!

Good to hear. There is a great app for it on Android, and I remember there being at least one for IOS.

On the desktop for browser integration there are at least a couple well-maintained extensions. There is also gopass for sharing passwords with a team or multiple people.

I use Password Store a dozen times a day, but for sharing passwords with my family Bitwarden is great. Cross platform, easy enough for anyone to use regardless of the IT profficiency and open source enough that I trust it more than Lastpass etc.
I've been using keepassxc for several months. I think it works well. Is pass functionally different?
Pass saves each password in a separate GPG encrypted file. I personally like this approach because it integrates into Git extremely well and they have `pass git` commands and also if you're syncing with a cloud service it only updates the actual passwords that have been modified, as opposed to something else which may need to sync a 300MB+ database whenever you update a single password or some metadata.
How "open source" is Bitwarden? From what I can tell (https://bitwarden.com/pricing/), the client is open-source, but the service feature-gates a large number of features behind premium accounts. Is this feature-gating accomplished by the server or the client? Is Bitwarden truly community-owned free open-source software, or solely a complement to their commercial services and open-source to make for better marketing?
There is an open-source server called Vaultwarden, but it is unofficial. The only truly open source part of Bitwarden is the client. :(
Is this not the server you are looking for? :-) https://github.com/bitwarden/server
It is. The parent and GP comments are wrong. Bitwarden is fully open source and can be deployed in a local environment.
Open Source, but not Free Software. Check out the custom licenced code within https://github.com/bitwarden/server/tree/master/bitwarden_li...
Yup, technically it looks like you can only use that "for the sole purposes of internal development and internal testing, and only in a non-production environment".

Basically, they clearly don't police individual users self-hosting, but they maintain the right to knock on the door of companies.

Redistribution is also not allowed.

Sure, but the initial assertion was that only the client was open source which is clearly false, so I was refuting that. I did not speak the the FOSS nature of the software.
The Bitwarden server is source-available, but not open source. This is because, for example, section 2.3 of the license agreement (https://github.com/bitwarden/server/blob/master/LICENSE_BITW...) conflicts with section 6 of the Open Source Definition (https://opensource.org/osd), titled No Discrimination Against Fields of Endeavor. I think the specific terminology is what others here are disputing.

The Bitwarden desktop and mobile clients are open source because they are under GPLv3, a license that meets the OSD. Vaultwarden is also GPLv3.

That licence is neither open source, nor free/libre software. Almost all licenses that are open source are also free/libre, and vice versa. Exceptions are very rare, because of how similar the definitions of open source software and free/libre software are in practise.

(By the way, the only widely accepted definition of open source software is the one published by the OSI, and the only widely accepted definition of free/libre software is the one published by the FSF, so those are the definitions we use.)

It's not "Open Source" except by the literal definition that the source is open to read (but by that definition, the software is free to access, too). It's just freeware / sample code.

The license for this code https://github.com/bitwarden/server/blob/master/LICENSE_BITW... says,

> 2.4 Third Party Software. The Commercial Modules may contain or be provided with third party open source libraries, components, utilities and other open source software (collectively, "Open Source Software").

which implies that the Commercial Modules, themselves, are not Open Source Software.

(Also it clearly doesn't follow the Open Source Definition or any other standard definition of Open Source.)

I hadn't realised half the "official" server was under a non-commercial custom licence. https://github.com/bitwarden/server

Last I looked, it wasn't fun to self-host anyway. Vaultwarden ftw!

I looked through the official server. 96 out of 1680 files were located in the bitwarden_license directory, so I'd say a lot less than "half" the official server. Nonetheless their web offering is still non-free, and from hearing about the difficulties self-hosting, it's probably a bad idea.

However I don't know whether I'm better off using Bitwarden free, paid, self-hosting and managing backups myself, or just sticking with Firefox Sync (which has a truly awful barely-working Android app).

We switched to vaultwarden from a much older Java+Flash based credential manager where I work, and I gotta say it's pretty good. It's a little weird the way accounts work from our perspective, but it makes sense given where it came from. And it's a distributed as a docker container, so it's pretty easy to deploy. Had to write a script to translate the old manager's export format into something vaultwarden could import, but it does have a lot of other managers' formats built in.
For those confused like me never having heard of Vaultwarden, it is what bitwarden_rs was renamed to.
I've used vaultwarden (formerly bitwarden_rs) for probably 2 years now. The author keeps up with the upstream quite well. It's written in rust and uses SQLite, which makes it lightweight and appropriate for a single user setup. It's so good it even passed the WAF test.
(comment deleted)
I'm new to Linux. Is there a good overview of different password managers out there? Switching off Apple Keychain so looking for some basics.

Apple made it easy so I didn't think about the concept much so not sure what I need. Is a password manager just for all my browser logins?

Bitwarden offers a browser extension you can use, I use it daily. You create a master password which only you know and then you can auto fill and generate new password just like Apple Keychain.
Wow that sounds great, and it can be self hosted too?

I've been curious about 1Password but it seems closed source and you can't self host so why bother. I'm leaving Apple for that reason.

I think you can self host with the browser extension, yeah. Personally I just use the standard hosting because I don’t have a good way to self-host but it shouldn’t be tied to any particular host.