Open-source information - how open source is it

Bitwarden is advertised as open source. However, many features are not available in the free version, e.g. MFA. There are other password managers advertised as open source, but when looked at more closely only the free version is open source, and the paid versions are not (or some features are not open source). A couple of questions:

  1. Is all source code available for review, including for the features that are not available for the free version?

  2. Am I able to compile my own client executable from source for the paid versions and, if yes, will that yield the same byte code as the executables available for download from Bitwarden?

All the Bitwarden clients and the server code are open source. This includes the premium features. The source code is available on Bitwarden · GitHub

Yes

1 Like

Thanks for answering. That’s nice.

“Yes” to both questions (byte code included) or “yes and no”? I’m aware it depends on compiler version, etc., but I’m interested in reproducing the same byte code when using the same compiler (and same statically linked libraries, if any).

Out of curiosity, has anyone on this forum compiled their own version to confirm?

I don’t know the technical details. Sorry.

Hi @bitbar, it’s all there in the link @vachan provided. Have a look at the README.md and SETUP.md (if present) of the specific repository. The builds get executed via GitHub Workflows, which are also included in the repositories (.github/workflows/build.yml).

Kind regards
Daniel

3 Likes

Bitwarden is winning me over. I may even contribute - I noticed you have a section about GitHub contributions. I’m interested in adding separate protection to TOTP codes to secure against attacks where someone gets access to the vault passwords, e.g. someone snatching the phone after I opened the vault (low likelihood notwithstanding).

3 Likes

Thanks @bitbar - feel free to start a topic for your contribution!

@bitbar, I suggest that you read License is not FOSS-compatible. · Issue #898 · bitwarden/sdk · GitHub, especially an official comment that I have cited:

Everything that we do has not been open source for many years now. We have several business/enterprise products that we sell under a proprietary source available license. Essentially an open core model. We have no plans to change that strategy.

In summary, the server and clients’ codebases are FOSS. However, a significant amount of their dependencies, especially in the CI toolchain, are not, and this is deliberately so.
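Two points in this thread call for the same check: the pointer above to the repositories' .github/workflows/build.yml as the record of how releases are built, and the closing remark that part of the CI toolchain is not open. Before trusting a build from source to match a published executable, a reviewer wants to know which `uses:` entries in such a workflow fetch code or images from outside the repository at build time, and whether each is pinned to an immutable commit SHA or image digest or to a tag someone else can move. The script below is an added example written for this thread, not Bitwarden's own tooling; the workflow text it scans is constructed for illustration (the action names, tags and the 40-hex "commit" are placeholders, not real Bitwarden pins), and it deliberately uses a small line-oriented scan of `uses:` entries rather than a YAML library so it runs with the standard library only.

```python
"""Audit the external dependencies a GitHub Actions workflow pulls in.

Added example, not Bitwarden's code. Works on the text of a
.github/workflows/*.yml file with a line-oriented scan of `uses:`
entries, so it needs nothing beyond the Python standard library.
"""
import re
from typing import Dict, List

# Constructed sample workflow. Not Bitwarden's build.yml; the action
# names, tags and the 40-hex "commit" are illustrative placeholders.
SAMPLE_WORKFLOW = """\
name: Build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Set up Node
        uses: actions/setup-node@v4
      - name: Helper that lives in the repository
        uses: ./.github/actions/build-helper
      - name: Step that runs a container image
        uses: docker://ghcr.io/example/builder:latest
      - name: Build
        run: npm ci && npm run build
"""

# Matches `uses: <ref>` (optionally as a list item), stopping at whitespace,
# quotes or a trailing comment.
USES_RE = re.compile(r'''^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)''')
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> Dict[str, str]:
    """Classify one `uses:` value by where it resolves and how it is pinned.

    kind:    'local' (checked-in path), 'docker' (container image) or
             'github' (another repository fetched at build time).
    pinning: 'in-repo'   - no external fetch; reviewable with the source
             'immutable' - full commit SHA or image digest; cannot drift
             'mutable'   - tag/branch/image tag; its owner can move it
             'unpinned'  - no ref at all (default branch, whatever it is today)
    """
    if ref.startswith("./"):
        return {"uses": ref, "kind": "local", "pinning": "in-repo"}
    if ref.startswith("docker://"):
        pinning = "immutable" if "@sha256:" in ref else "mutable"
        return {"uses": ref, "kind": "docker", "pinning": pinning}
    if "@" not in ref:
        return {"uses": ref, "kind": "github", "pinning": "unpinned"}
    _, version = ref.rsplit("@", 1)
    pinning = "immutable" if COMMIT_SHA_RE.match(version) else "mutable"
    return {"uses": ref, "kind": "github", "pinning": pinning}


def audit_workflow(workflow_text: str) -> List[Dict[str, str]]:
    """Return one classification per `uses:` line, in file order."""
    results = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if match:
            results.append(classify_uses(match.group(1)))
    return results


def external_mutable(workflow_text: str) -> List[str]:
    """`uses:` values whose content can change with no diff in the repository.

    These are the CI inputs a reviewer must pin (or vendor) before a
    from-source build can be compared byte-for-byte with a release.
    """
    return [
        entry["uses"]
        for entry in audit_workflow(workflow_text)
        if entry["kind"] != "local" and entry["pinning"] != "immutable"
    ]


if __name__ == "__main__":
    for entry in audit_workflow(SAMPLE_WORKFLOW):
        print(f'{entry["pinning"]:10} {entry["kind"]:7} {entry["uses"]}')
    print("needs pinning:", external_mutable(SAMPLE_WORKFLOW))
```

Run it against a real build.yml by reading the file and passing its text to `external_mutable`. Anything it lists is an input the repository's history does not capture, so two builds run a week apart can legitimately differ even with identical compiler and source; pinning those entries (or checking what they resolved to in the release's workflow run logs) is the first step before comparing hashes of a self-built artifact with the downloaded one.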