@brjsp thanks again for submitting the concern here. We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there.

This appears at least okay on the surface. The clients’ dependency on sdk-internal didn’t change but that’s okay now because they have licensed sdk-internal as GPL.

The sdk-secrets will remain proprietary but that’s a separate product (Secrets Manager) and will apparently not be used in the regular clients. Who knows for how long though because, if you read carefully, they didn’t promise that it will not be used in the future.

The fact that they had ever intended to make parts of the client proprietary without telling anyone and attempted to subvert the GPL while doing so still remains utterly unacceptable. They didn’t even attempt to apologise for that.

Bitwarden has now landed itself in the category of software that I would rather move away from and cannot wholeheartedly recommend anymore. That’s pretty sad.

  • fartsparkles@sh.itjust.works
    link
    fedilink
    arrow-up
    90
    arrow-down
    1
    ·
    edit-2
    28 days ago

    Cool. They got that sorted nice and quickly.

    Edit:

    I don’t get why people think they’re suddenly doing stuff under a different license to subvert the open nature of the project. They’ve been totally transparent on what isn’t part of the GPL/AGPL licensed code for years.

    SSO, the password health service, organisation auth requests, member access report blah blah have been enterprise features under the Bitwarden License for ages and they architected the projects in a clear and transparent way to build without those features since they added them.

    • Telorand@reddthat.com
      link
      fedilink
      arrow-up
      17
      arrow-down
      3
      ·
      27 days ago

      I don’t get why people think they’re suddenly doing stuff under a different license to subvert the open nature of the project.

      But then what will I do with my day if I don’t have a good reason to be mad at them?

      /s

      (And thanks for the voice of reason)

    • doctortran@lemm.ee
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      27 days ago

      What they’ve done in the past has earned them trust, but it is irrelevant to what they intend to do in the future. Bitwarden is growing company, not the scrappy little open source app they once were.

      In 2022, a private equity firm injected 100m into Bitwarden. From that point forward, users are rightfully going to scrutinize any action they take because it’s 2024 and the tech space is a hellscape of enshitification and acquisitions, thanks in part to VC money. We’ve seen this story play out too many times to assume there’s nothing to worry about.

      So yes, people are going to be suspicious. That’s not irrational.

      • nickwitha_k (he/him)@lemmy.sdf.org
        link
        fedilink
        arrow-up
        4
        ·
        27 days ago

        a private equity firm injected 100m

        That’s all that one needs to know. Once those leeches are involved as investors, it’s over. They demand enshitification from our destroy everything that they touch for a quick buck.

    • Atemu@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      26 days ago

      Until the situation now, this was limited to the server, not the clients. You could replace the server with Vaultwarden and build it without enterprise features. Not ideal but fine because the server isn’t the critical part. It never handles your secrets in any way.

      What they tried to do now was integrate proprietary code into the clients that everyone uses. This is a lot more critical as it can access the secrets in plain text.

      This also wasn’t a “mistake” or “bug”, they openly admitted to doing this with the intention of subverting the client code’s GPL.

        • Atemu@lemmy.mlOP
          link
          fedilink
          arrow-up
          1
          ·
          16 days ago

          Two posts up from what I posted: https://github.com/bitwarden/clients/issues/11611#issuecomment-2424865225

          Hi @brjsp, Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

          1. the SDK and the client are two separate programs
          2. code for each program is in separate repositories
          3. the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

          Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.