Package: wnpp
Severity: wishlist
Owner: Calum McConnell <[email protected]>
* Package name : bitwarden
Version : 1.17.2
* URL : http://www.bitwarden.com/
* License : GPL-3
Programming Lang: Typescript
Description : fully open-source, cross-platform password manager
== Long description ==
Bitwarden is an open-source password manager that syncs securely between devices.
The full stack is libre software, including the server, meaning one can host
their own passwords instead of storing them for free on bitwarden.com's service.
Passwords are stored encrypted on the server and on the client using an encryption
key derived from the master password by PBKDF2 SHA-256, and encrypted using AES-256.
Passwords are encrypted by the client before being sent to the cloud server: it is
not possible to determine the unencrypted passwords from the cloud server, unless
an attacker already knows the user's master password.
Bitwarden also supports saving of other data within the vault. However,
saving large files on the bitwarden.com servers requires a premium subscription.
This package contains the bitwarden client, which connects to a bitwarden server.
== Justifications/Plans ==
Note: New to the world of packaging
I think this package is very useful and relevant, because password managers are
a must in order to remain secure using online accounts, and this is the only
cross-platform, FOSS manager of which I am aware. I, for one, use it: I do
have the premium subscription, but only to support the authors.
This is my first Debian package, and as such I would appreciate support.
I will need a sponsor: I do plan on finding one thru debian-mentors. I am
not aware of any teams which would maintain this: it is a Node.js+electron
application, though they also distribute a C# port for mobile devices. I would
be happy to work with a team on this package, for I have little javascript
experience and no Electron experience.
I plan on using Git and Git-buildpackage to maintain this, because I have
grown used to having a full revision history, and I quite like working
on several devices.
Salsa link is here: https://salsa.debian.org/CalumMcConnell-guest/bitwarden.
The branch structure is that recommended by gbp documentation: master
is upstream, debian/sid is the contents of the up-to-date debian packaging.
I plan on using debmake to make the debian/ files.
I figure I ought to post an update here. It's not looking good.
There is a very nifty tool for repackaging node.js packages for Debian
(shockingly called npm2deb), however, it assumes upstream uploaded
their package to the npm registry. The bitwarden upstream did not, as
it is a GUI application, and so they didn't know they even could. They
did not want to, however.
I then patched npm2deb to handle packages that were only available as
tarballs (which I was quite proud of). Though those changes have not
yet been merged in, they worked just fine, which was when I ran into the
showstopper.
Bitwarden has a long chain of dependencies, as it is an application
built on Angular.js and Electron.js. npm2deb gave a list of 28
separate packages. Although they are all node packages, and I am sure
npm2deb is up to the task, I am not sure if I could, or should, add
them all. I pasted the relevant section of npm2deb output below.
If someone could aid me in packaging and maintaining the dependent
packages, I'd be much more confident in continuing. But I don't want
to wait for my 29th package to get one that I actually use.
(Obviously, many of these may be prepackaged, and just not be known to
npm2deb by their Debian name. But there is a mechanism that attempts
to solve that (with a list that converts between them), and I assume it
is somewhat up-to-date. Additionally, I did manually attempt to find
them with apt, and failed.)
[error] @angular/animations: dependency node-@angular/animations not in debian
[error] @angular/cdk: dependency node-@angular/cdk not in debian
[error] @angular/common: dependency node-@angular/common not in debian
[error] @angular/compiler: dependency node-@angular/compiler not in debian
[error] @angular/core: dependency node-@angular/core not in debian
[error] @angular/forms: dependency node-@angular/forms not in debian
[error] @angular/platform-browser: dependency node-@angular/platform-browser not in debian
[error] @angular/platform-browser-dynamic: dependency node-@angular/platform-browser-dynamic not in debian
[error] @angular/router: dependency node-@angular/router not in debian
[error] @angular/upgrade: dependency node-@angular/upgrade not in debian
[error] @microsoft/signalr: dependency node-@microsoft/signalr not in debian
[error] @microsoft/signalr-protocol-msgpack: dependency node-@microsoft/signalr-protocol-msgpack not in debian
[error] @nodert-win10-rs4/windows.security.credentials.ui: dependency node-@nodert-win10-rs4/windows.security.credentials.ui not in debian
[error] angular2-toaster: dependency node-angular2-toaster not in debian
[error] angulartics2: dependency node-angulartics2 not in debian
[error] big-integer: dependency node-big-integer not in debian
[error] desktop-idle: dependency node-desktop-idle not in debian
[error] duo_web_sdk: dependency node-duo_web_sdk not in debian
[error] electron-log: dependency node-electron-log not in debian
[error] electron-store: dependency node-electron-store not in debian
[error] electron-updater: dependency node-electron-updater not in debian
[error] keytar: dependency node-keytar not in debian
[error] nord: dependency node-nord not in debian
[error] papaparse: dependency node-papaparse not in debian
[error] rxjs: dependency node-rxjs not in debian
[error] sweetalert2: dependency node-sweetalert2 not in debian
[error] zone.js: dependency node-zone.js not in debian
[error] zxcvbn: dependency node-zxcvbn not in debian
Control: retitle -1 RFP: bitwarden -- fully open-source, cross-platform password manager
Without packaging a massive number of javascript dependencies, from
angular (which might already be in Debian) to keytar, this can't be
packaged.
A person more skilled at javascript than I could probably cut down on
that, but I just can't. And there is no way I can maintain 6+ new
packages just as dependencies.
Thanks to whoever winds up working on this,
Calum
There is a rust implementation called bitwarden_rs and rebranded some
months ago vaultwarden.
There are already scripts for debian to generate a package
https://github.com/greizgh/vaultwarden-debian but I don't know the JS part
of that.
Subject: Re: Why not evaluate bitwarden_rs/vaultwarden
Date: Mon, 14 Aug 2023 03:39:07 +0800
> There is a rust implementation called bitwarden_rs and rebranded some
> months ago vaultwarden.
vaultwarden is a server. This package in question is for the Bitwarden
client, as from the first message:
> This package contains the bitwarden client, which connects to a
> bitwarden server.