Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:

You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.

This violates freedom 0.

It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.

  • wuphysics87@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    1 month ago

    A few questions out of ignorance. How different is this to gitlab’s open core model? Is this a permanent change? Is the involvement of investors the root of this? Are we overreacting as it doesn’t meet our strict definition of foss?

    • Atemu@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      1 month ago

      How different is this to gitlab’s open core model?

      That’s a really good question that I don’t immediately have a satisfying answer to.

      There are some differences I can point out though:

      • Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW’s clients cannot even be compiled without the proprietary SDK anymore.
      • Gitlab was always a permissive license (MIT) and never attempted to subvert its original license terms
      • Gitlab-EE’s “closed” core is actually quite open (go read the source code) but still squarely in the proprietary camp because it requires you to have a valid subscription to exercise your freedoms.

      Is this a permanent change?

      It’d be quite trivial for them to do in technical terms: Either license the SDK as GPL or stop using it in the clients.

      I don’t see a reason for them to roll it back though. This was decided long ago and they explicitly decided to stray away from the status quo and make it closed source.

      The only thing I could see making them revert this would be public pressure. If they lose a sufficient amount of subscribers over this, that might make them reconsider. Honestly though by that time, the cat’s out of the bag and all the public goodwill and trust is gone.
      It’s honestly a bafflingly bad decision from even just a business perspective. I predict they’ll lose at least 20% but likely 30-50% of their subscribers to this.

      Is the involvement of investors the root of this?

      I find that likely. If it stinks, it’s usually something stinky’s fault.

      Are we overreacting as it doesn’t meet our strict definition of foss?

      They are attempting to subvert one of the FOSS licenses held in the highest regard. You cannot really be much more anti than this.

      An “honest” switch to completely proprietary licenses with a public announcement months prior would have been easier to accept.

      • asap@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        1 month ago

        Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW’s clients cannot even be compiled without the proprietary SDK anymore.

        None of that makes Bitwarden not open source. Not only that, they specifically state this is a bug which will be addressed.

        I would go as far as to say that Bitwarden’s main competitive advantage and differentiation is that it’s open source. They would be insane to stop that.

        • cmhe@lemmy.world
          link
          fedilink
          arrow-up
          0
          ·
          1 month ago

          None of that makes Bitwarden not open source.

          Yes, it does, because it violates its own license GPLv3 by having proprietary build-/runtime dependencies.

          If it was under a different, maybe more permissive, open source license, then maybe it would still be open source, but as of right now i likely breaks its own license terms.

          Not only that, they specifically state this is a bug which will be addressed.

          From what they state, they think that because executables that share internal information via standard protocols does somehow not break GPL3 terms compared to two libraries that share internal state via the standardized C ABI which does. And they seem to not consider that a bug, just the build-time dependency.

          • asap@lemmy.world
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            1 month ago

            Sorry that’s my mistake - I should have said “source available”, rather than “open source”. IMO, being source available is the critical component of a password manager like Bitwarden, and is what I meant when I referred to their main competitive advantage.

            They might also choose to be open source and fix this specific issue and return to GPL-compatibility, but remaining source available would seem to be the more critical factor.

            • cmhe@lemmy.world
              link
              fedilink
              arrow-up
              0
              ·
              1 month ago

              So you meant to say:

              I would go as far as to say that Bitwarden’s main competitive advantage and differentiation is that it’s source is available.

              That is not true, there are a lot of other password management software out there where the client source code is either open source or source available. For instance keyguard: https://github.com/AChep/keyguard-app?tab=License-1-ov-file#readme which is an alternative proprietary bitwarden client, where the source is also available. Also the Proton Pass client is under GPLv3.

              I would argue that the main advantage of bitwarden compared to others is that it is open source and has an open source server for self-hosting (vaultwarden). Which of course makes it difficult in terms of business strategy with their VC funding. But maybe becoming a non-profit org and getting money from donors, the strategic funds of EU and other governments, etc. might be an alternative way.

  • fireshell@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    30 days ago

    https://github.com/bitwarden/clients/issues/11611#issuecomment-2436287977

    We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

    https://github.com/bitwarden/sdk-internal/commit/db648d7ea85878e9cce03283694d01d878481f6b

    Thank you to Bitwarden for relicensing a thing to GPLv3 License!

  • Andrew@piefed.social
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    1 month ago

    There’s a lot of drama in that Issue, and then, at the very end:

    Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

    the SDK and the client are two separate programs
    code for each program is in separate repositories
    the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

    Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

    • unbroken2030@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      1 month ago

      There is always a very vocal minority itching to cause as much drama as possible. It’s very discouraging to see in general. I agree with and want more FOSS, but I’m not sure I’d ever consider making it myself; it’s not worth extra stress personally.

      • TheOubliette@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        1 month ago

        They’re trying to argue legal technicalities because acknowledging that they’re trying to reduce compatibility with servers like vaultwarden would be bad PR.

        Per their new license, anyone that uses their SDK to build a client cannot say, “this is for Bitwarden and compatible servers like vaultwarden”. They cannot support those other servers, per their license. Anyone that gets suckered into using their SDK now becomes a force against alternative implementations.

      • superkret@feddit.org
        link
        fedilink
        arrow-up
        0
        ·
        1 month ago

        They claim the SDK and Bitwarden are completely separate, so Bitwarden is still open source.

        The fact that the current version of Bitwarden doesn’t work at all without the SDK is just a bug, which will be fixed Soon™

        • CosmicTurtle0@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 month ago

          Iirc, once reported, the project has 30 days to remedy or they are in violation of the license. They can’t even release a new version with a different license since this version is out under the GPL.

          • GissaMittJobb@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            1 month ago

            Given that they own all of the source code (CLA is required to contribute), they can just stop offering the code under GPL, unless they happen to have any GPL dependencies not under their control, in which case this would not be viable.

            • CosmicTurtle0@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              0
              ·
              1 month ago

              Switching licenses to future versions doesn’t invalidate previous versions released under GPL.

              I’m not a lawyer but I deal with OSS licenses for work and I don’t know if there’s ever been a case like this, that I can think of anyway.

              Their previous versions, still being under the GPL, would require them to release a change to make it usable on desktops. Again, I’m not a lawyer here but there is a lot of case law behind the GPL and I think the user who made the issue could take them to court to force them to make the change if they don’t respond in 30 days.

              • Redjard@lemmy.dbzer0.com
                link
                fedilink
                arrow-up
                0
                ·
                1 month ago

                It means previous versions remain open, but ownership trumps any license restrictions.
                They don’t license the code to themselves, they just have it. And if they want to close source it they can.

                GPLv3 and copyleft only work to protect against non-owners doing that. CLA means a project is not strongly open source, the company doing that CLA can rugpull at any time.

                The fact a project even has a CLA should be extremely suspect, because this is exactly what you would use that for. To ensure you can harvest contributions and none of those contributers will stand in your way when you later burn the bridges and enshittify.

              • Markaos@lemmy.one
                link
                fedilink
                arrow-up
                0
                ·
                1 month ago

                Licensing the source as GPL doesn’t really force the copyright holder (which is 100% BitWarden due to their Contributors Agreement^*, no matter who contributed the code) to do anything - they are absolutely free to release binaries built on the same codebase as proprietary software without any mention of the GPL.

                For example if I write a hello world terminal program, release its source code under GPLv3 and then build it and give the built binary to you (and a permission to use it), you cannot force me to give you the source code for that build because I never gave you a GPL licensed binary.

                If you were to take my GPLv3 source code and distribute a build of it however, you would have to license your binaries under GPLv3, because that’s the terms of the license I provided the source code to you under. Your users would then have the right to request the source code of those binaries from you. And if you released the build under an incompatible license, I (but not the users) could sue you for violating my license.

                Their previous versions, still being under the GPL, would require them to release a change to make it usable on desktops.

                License violations are usually not resolved by making the violator comply retroactively, just going forward. And it’s the copyright holder (so BitWarden themselves) who needs to force the violator to comply.

                ^* this is the relevant part of the CA:

                By submitting a Contribution, you assign to Bitwarden all right, title, and interest in any copyright in the Contribution and you waive any rights, including any moral rights or database rights, that may affect our ownership of the copyright in the Contribution.

                It is followed by a workaround license for parts of the world where copyright cannot be given up.

        • Redjard@lemmy.dbzer0.com
          link
          fedilink
          arrow-up
          0
          ·
          1 month ago

          Also important to note is that they are creating the same license problems in other places.

          They broke f-droid builds 3 months ago and try to navigate users to their own repo now. Their own repo ofc not applying foss requirements, because the android app is no longer foss as of 3 months ago. Now the f-droid version is slowly going out of date, which creates a nice security risk for no reason other than their greed.

          Apparently they also closed-sourced their “convenient” npm Bitwarden module 2 months ago, using some hard to follow reference to a license file. Previously it was marked GPL3.

        • umbrella@lemmy.ml
          link
          fedilink
          arrow-up
          0
          ·
          1 month ago

          further translating it: they are closing it down but trying to make it look like they arent

  • fl42v@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    1 month ago

    Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

    • the SDK and the client are two separate programs
    • code for each program is in separate repositories
    • the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

    Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

    I.e. “fuck you and your foss”

      • fl42v@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        1 month ago

        I doubt it. What’ll probably happen is them moving more and more of the logic into the SDK (or adding the back-end of new features there), and leaving the original app to be more or less an agpl-licensed ui, while the actual logic becomes source-available. Soo, somewhat red-hat-esque vibes: no-no, we don’t violate no stupid licenses, we just completely go against their spirit.

        • refalo@programming.dev
          link
          fedilink
          arrow-up
          0
          ·
          1 month ago

          go against their spirit

          I think this is more of a failure of the license itself. It’s not a good look to allow something explicitly and then go “no not like that!”

          • fl42v@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            edit-2
            1 month ago

            I’m not sure you can classify this as a failure, as explicitly prohibiting interfacing with non-agpl stuff would greatly limit the amount of stuff you can license under it, perhaps up to the point of making it generally unusable. As for “not like that”… Well, yeah. But you can’t deny it’s misleading, right? Free software kinda implies you can modify it whatever you want, and if it’s a free ui relying on a source-available middleware… Turns out, not so much.

            Although, a posdible solution would be require explicitly mentioning if you’re basically a front-end for something; but I’m not sure if it can be legally distinguished from the rest of use-cases.

    • subtext@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      1 month ago

      Vaultwarden is only the server, no? So any clients that you use to access Vaultwarden are built and maintained by 8bit solutions a.k.a. Bitwarden, including the desktop client that is the subject of this post.

    • TheOubliette@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      1 month ago

      Yes because it is about, ultimately, making the major clients incompatible with vaultwarden on both a legal and technical level.

      A likely outcome if they don’t reverse course is a split where FOSS Nerfs fork the clients and have to maintain their own versions. That’s the outcome Bitwarden wants. This reeks of a bazinga, “how dare they benefit from our work and take our users”, which is hilarious for a FOSS ecosystem that almost universally benefits corporations with free labor.

  • twirl7303@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    1 month ago

    If this is not resolved I will likely switch to another service. Free software compatibility was the main reason I paid for bitwarden over its competitors.

      • youmaynotknow@lemmy.ml
        link
        fedilink
        arrow-up
        0
        ·
        1 month ago

        How will anyone know what they add to the code now? That’s the problem, and with our fucking passwords no less. They can fuck right off. In my environment alone they will be loosing upwards of 3,500 dollars yearly, 700,000 if I can convince my boss to dump them for the company as well.

        • kratoz29@lemm.ee
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 month ago

          In my environment alone they will be loosing upwards of 3,500 dollars yearly, 700,000 if I can convince my boss to dump them for the company as well.

          And move to what?

          • youmaynotknow@lemmy.ml
            link
            fedilink
            arrow-up
            0
            ·
            1 month ago

            Anything, even Proton. The point is making a statement. If you start as OSS, you can fuck right off when you decide to come back sideways locking code down.

      • Croquette@sh.itjust.works
        link
        fedilink
        arrow-up
        0
        ·
        1 month ago

        The direction that the company is taking. Clearly that Bitwarden feels like other open source projects are diverting revenue from them.

        That’s a small step towards enshittification. They close this part of the software, then another part until slowly it is closed source.

        We’ve seen this move over and over.

        Stopping your business with Bitwarden over that issue sends a message that many customers don’t find this acceptable. If enough people stop using their service, they have a chance to backtrack. But even then, if they’ve done it once, they’ll try it again.

        Your current price is 10$/year now. But the moment a company tries to cull any open source of their project is the moment they try to cash it in.

  • umbrella@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    edit-2
    1 month ago

    i was about to replace my glorified encrypted text file for a password manager. guess relying on 3rd parties in a late-stage capitalist world is not a viable alternative.

    ill stay with my encrypted text file until they privatize encryption. by then ill probably be carving my passwords out on stone. or burning down the servers of these fucking pigs trying to make us identify ourselves for everything on the internet now.

  • rozlav@lemmy.blahaj.zone
    link
    fedilink
    arrow-up
    0
    ·
    1 month ago

    Nobody here talks about keepassxc ? I’ve been using it for almost a decade, it can be used with sync tools to be shared, I’ve managed to have db keepass file opened on several computers and it did work well. Gplv3 here https://keepassxc.org/

    • Atemu@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      1 month ago

      Keepass isn’t really in the same category of product as Bitwarden. The interesting part of bitwarden is that it’s ran as a service.

    • unrushed233@lemmings.world
      link
      fedilink
      arrow-up
      0
      ·
      1 month ago

      Bitwarden can’t be compared to KeePassXC. Bitwarden is fundamentally built around a sync server, whereas KeePass is meant to exclusively operate locally. These are two very different fundamental concepts for, you know, how to actually store and access your passwords.

        • unrushed233@lemmings.world
          link
          fedilink
          arrow-up
          0
          ·
          1 month ago

          Nope. Since the entire database is contained in a single file, it can’t sync multiple edits properly, leading to sync conflicts. Because KeePass was built around local database files, whereas Bitwarden uses actual synced databases, where individual updates can be uploaded, instead of causing conflicts or overwriting the entire db.

          • Hexarei@programming.dev
            link
            fedilink
            arrow-up
            0
            ·
            1 month ago

            Conflicts haven’t been an issue for years, all modern iterations of KeePass (XC, kp2a, DX) support automatically merging in the latest before saving.

            I’ve been using it for years this way across several devices, it’s incredibly solid

            • Dymonika@beehaw.org
              link
              fedilink
              arrow-up
              0
              ·
              16 days ago

              Do you sync it across your devices using Syncthing? That’s what I’m thinking of doing.

    • EveryMuffinIsNowEncrypted@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      1 month ago

      I just switched over. Honestly, I like it even more than Bitwarden. Then again, I don’t sync my stuff between devices because I’m old I guess. Lol. It makes it easier to switch because I don’t have to deal with stuff like Syncthing.

    • Atemu@lemmy.ml
      link
      fedilink
      arrow-up
      0
      ·
      1 month ago

      As with all of their services, the back-end is closed-source.

      For the purposes of user freedom, it’s not that critical as the back-end merely facilitates the storage and synchronisation of encrypted data. This is different from the bitwarden case where they’re now including freedom disrespecting code into the most critical part of their software: the clients which handle the unencrypted data.
      Fact of the matter remains however that Proton Pass restricts your freedom by not allowing you to self-host it.

      If you are fine with not being able to self-host, I’d say it’s a good option though. Doubly so if you are already a customer of their other services.
      Proton has demonstrated time and time again to act for the benefit of its users in the past decade and I see no incentive for them to stop doing so. I’d estimate a low risk of enshittification for Proton which is high praise for a company of their size.

    • NostraDavid@programming.dev
      link
      fedilink
      arrow-up
      0
      ·
      edit-2
      1 month ago

      Bitwarden has an export functionality. Export to JSON, import in Keepass, done.

      There’s KeePassXC if you want Linux support (keepass2 file is compat with XC variant).

  • ᗪᗩᗰᑎ@lemmy.ml
    link
    fedilink
    arrow-up
    0
    ·
    1 month ago

    Looks like I might be moving to Proton Pass after all! I’ll give them some time to see what they do about this, but will happily give my money to someone else and migrate friends/family as well.

  • nadiaraven@lemmy.world
    link
    fedilink
    arrow-up
    0
    ·
    1 month ago

    Okay, we’ll I’ve been using vaultwarden. When should I switch to something new, and what’s a good alternative?