385

Bitwarden Desktop version 2024.10.0 is no longer free software (github.com)

submitted 19 hours ago by pnutzh4x0r@lemmy.ndlug.org to c/opensource@lemmy.ml

84 comments fedilink hide all child comments

Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:

You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.

This violates freedom 0.

It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.

top 50 comments

sorted by: hot top controversial new old

[-] daggermoon@lemmy.world 4 points 1 hour ago

Fuck. Is it difficult to export my data to something like Keypass? Very disappointed to hear this.

[-] smiletolerantly@awful.systems 11 points 3 hours ago

Does anyone have experience with keyguard? From a cursory glance, this + vaultwarden seems like a good alternative...

[-] bilb@lem.monster 5 points 3 hours ago

I have some! I use a self hosted vaultwarden and just two days ago I saw and installed KeyGuard out of curiosity. So far, I can say KeyGuard is a nicer looking and feeling app and... it works. So as long as their intentions are pure, you can use "bitwarden" without using any of their software or infrastructure.

[-] smiletolerantly@awful.systems 2 points 3 hours ago* (last edited 3 hours ago)

Just tried it, and it seems you can't edit or add items without a premium subscription??

Or am I missing something?

Edit: Apparently only when installing via the Play Store. Very weird decision.

[-] bilb@lem.monster 4 points 3 hours ago* (last edited 3 hours ago)

Ah, yeah, I installed it from their github with obtainium. I think open source/libre app that charges people to install with the play store is a model a few others have tried as well.

[-] smiletolerantly@awful.systems 2 points 3 hours ago

I don't think it's unreasonable to want to be paid, but a mandatory subscription when using the most common install method does irk me the wrong way

[-] bilb@lem.monster 2 points 3 hours ago

I haven't looked into it at all, but that just seems so strange. Who would pay that when the original Bitwarden app is still there for free? Most people who would even know about KeyGuard would know how to install it from somewhere else. Is it essentially a donation?

[-] smiletolerantly@awful.systems 1 points 1 hour ago

It would be if it's a one-time payment, but it's a yearly subscription, and not a cheap one!

[-] qaz@lemmy.world 1 points 2 hours ago* (last edited 2 hours ago)

License

The source code is available for personal use only.

That doesn't really seem like an improvement, although do they say they're planning on releasing it under the FSL.

[-] smiletolerantly@awful.systems 1 points 1 hour ago

Ah damn it -.-

Too bad, the app is really nice to use :/

[-] fireshell@lemmy.ml 1 points 2 hours ago* (last edited 2 hours ago)

pass is enough (+ xdotool + rofi + pass-menu). Synchronization via git or Syncthing.

[-] Danitos@reddthat.com 1 points 4 hours ago

@bitwarden bitwarden locked and limited conversation to collaborators

They also locked the thread 16 hours ago (as of writing this comment), with no explanation.

[-] asap@lemmy.world 4 points 3 hours ago

The explanation is the second-to-last comment before it got locked. 🤦

This hysteria is really stupid.

[-] cmhe@lemmy.world 2 points 44 minutes ago* (last edited 41 minutes ago)

That "explanation" is unsatisfactory and likely wrong: https://www.gnu.org/licenses/gpl-faq.html#MereAggregation

So they either have to license their SDK under a GPLv3 compatible license, or switch the license of their client to a non-GPL one.

Their "explaination" only mentions why they think can do it, but not why they are doing it.

[-] asap@lemmy.world 1 points 41 minutes ago

That may or may not be the case, but the comment I replied to said they locked the thread with "no explanation".

[-] cmhe@lemmy.world 1 points 36 minutes ago

I would say a proper explanation includes the goal you want to achieve, not just the statement that you think that you are allowed to do something.

[-] prosp3kt@lemmy.dbzer0.com 1 points 3 hours ago

They banned me from reddit and then reported me with mods those fckers...

[-] Lemmchen@feddit.org 15 points 8 hours ago* (last edited 8 hours ago)

ITT: A lot of conspiracy theories without much (any?) evidence. Let's see if they resolve the dependency issue before wet get our pitchforks, shall we?

[-] Atemu@lemmy.ml 8 points 5 hours ago* (last edited 4 hours ago)

I don't know what the heck you're talking about.

I see overwhelming evidence that they have intentionally made parts of the clients' code proprietary. You can check the client code yourself (for now anyways) and convince yourself of the fact that the bw SDK code is in indeed integrated into the bitwarden clients' code base.

This is the license text of the sdk-internal used in 2024.10.1 (0.1.3): https://github.com/bitwarden/sdk/blob/16a8496bfb62d78c9692a44515f63e73248e7aab/LICENSE

You can read that license text to convince yourself of the fact that it is absolutely proprietary.

Here is also the CTO and founder of Bitwarden admitting that they have done it and are also attempting to subvert the GPL in using sdk-internal:

https://github.com/bitwarden/clients/issues/11611#issuecomment-2424865225

Hi @brjsp, Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

the SDK and the client are two separate programs

code for each program is in separate repositories

the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

(Emphasis mine.)

The fluff about the ability to even build the app is secondary, the primary issue is that the Bitwarden clients are no longer free software. That fact is irrefutable.

[-] asap@lemmy.world 2 points 3 hours ago* (last edited 2 hours ago)

That would be an issue if they were not open source. Them making their own SDK proprietary is not a pitchfork issue.

Open source !== Non-proprietary

I would go as far as to say that Bitwarden's main competitive advantage and differentiation is that it's open source. They would be insane to change that.

[-] cmhe@lemmy.world 1 points 25 minutes ago

Well, then it would be nice to hear from them an explanation on why they decided to violate the GPLv3 on their client, by coupling it with proprietary code in a way that disallows building and/or usage without that proprietary component.

They would be insane to change that.

Yes. And i hope that they recover from it soon.

[-] asap@lemmy.world 1 points 11 minutes ago* (last edited 10 minutes ago)

Well, then it would be nice to hear from them an explanation on why they decided to violate the GPLv3

Lucky for you, they provided that explanation:

This is a bug/mistake.
Our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
We will fix this.

[-] jjlinux@lemmy.ml 6 points 7 hours ago

Too late. Found a pitchfork sale in my local hardware store, so got a few for this and whatever fucking company does a rug pull next.

[-] rozlav@lemmy.blahaj.zone 32 points 11 hours ago

Nobody here talks about keepassxc ? I've been using it for almost a decade, it can be used with sync tools to be shared, I've managed to have db keepass file opened on several computers and it did work well. Gplv3 here https://keepassxc.org/

[-] Atemu@lemmy.ml 12 points 7 hours ago

Keepass isn't really in the same category of product as Bitwarden. The interesting part of bitwarden is that it's ran as a service.

[-] unrushed233@lemmings.world 7 points 7 hours ago

Bitwarden can't be compared to KeePassXC. Bitwarden is fundamentally built around a sync server, whereas KeePass is meant to exclusively operate locally. These are two very different fundamental concepts for, you know, how to actually store and access your passwords.

load more comments (7 replies)

[-] EveryMuffinIsNowEncrypted@lemmy.blahaj.zone 18 points 11 hours ago

Damn, I just switched from Bitwarden to KeepPassXC.

Clearly just in time. Lol.

load more comments (1 replies)

[-] wuphysics87@lemmy.ml 13 points 11 hours ago

A few questions out of ignorance. How different is this to gitlab's open core model? Is this a permanent change? Is the involvement of investors the root of this? Are we overreacting as it doesn't meet our strict definition of foss?

[-] Atemu@lemmy.ml 9 points 6 hours ago

How different is this to gitlab’s open core model?

That's a really good question that I don't immediately have a satisfying answer to.

There are some differences I can point out though:

Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW's clients cannot even be compiled without the proprietary SDK anymore.
Gitlab was always a permissive license (MIT) and never attempted to subvert its original license terms
Gitlab-EE's "closed" core is actually quite open (go read the source code) but still squarely in the proprietary camp because it requires you to have a valid subscription to exercise your freedoms.

Is this a permanent change?

It'd be quite trivial for them to do in technical terms: Either license the SDK as GPL or stop using it in the clients.

I don't see a reason for them to roll it back though. This was decided long ago and they explicitly decided to stray away from the status quo and make it closed source.

The only thing I could see making them revert this would be public pressure. If they lose a sufficient amount of subscribers over this, that might make them reconsider. Honestly though by that time, the cat's out of the bag and all the public goodwill and trust is gone.
It's honestly a bafflingly bad decision from even just a business perspective. I predict they'll lose at least 20% but likely 30-50% of their subscribers to this.

Is the involvement of investors the root of this?

I find that likely. If it stinks, it's usually something stinky's fault.

Are we overreacting as it doesn’t meet our strict definition of foss?

They are attempting to subvert one of the FOSS licenses held in the highest regard. You cannot really be much more anti than this.

An "honest" switch to completely proprietary licenses with a public announcement months prior would have been easier to accept.

[-] asap@lemmy.world 1 points 3 hours ago* (last edited 2 hours ago)

Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW's clients cannot even be compiled without the proprietary SDK anymore.

None of that makes Bitwarden not open source. Not only that, they specifically state this is a bug which will be addressed.

I would go as far as to say that Bitwarden's main competitive advantage and differentiation is that it's open source. They would be insane to stop that.

[-] cmhe@lemmy.world 1 points 7 minutes ago

None of that makes Bitwarden not open source.

Yes, it does, because it violates its own license GPLv3 by having proprietary build-/runtime dependencies.

If it was under a different, maybe more permissive, open source license, then maybe it would still be open source, but as of right now i likely breaks its own license terms.

Not only that, they specifically state this is a bug which will be addressed.

From what they state, they think that because executables that share internal information via standard protocols does somehow not break GPL3 terms compared to two libraries that share internal state via the standardized C ABI which does. And they seem to not consider that a bug, just the build-time dependency.

[-] twirl7303@lemmy.world 35 points 14 hours ago

If this is not resolved I will likely switch to another service. Free software compatibility was the main reason I paid for bitwarden over its competitors.

load more comments (7 replies)

load more comments