Posted by ferbivore 10/24/2024

Bitwarden SDK relicensed from proprietary to GPLv3(github.com)
1014 points | 369 comments | page 2
threatofrain 10/25/2024|
GPLv3 is interesting because it means that to use their code in a commercial setting, you must also have the guts to open source too.
odo1242 10/25/2024||
Not necessarily. You can run a “Bitwarden hosting service” or something like that without violating the GPL. You’d only have to make your changes available on request if you changed the actual Bitwarden source code or linked some other library into it and shared that modified version with someone else (just running it on a server doesn’t mean you need to open source changes, for example).
hedora 10/25/2024||
Yeah; GPLv3 seems designed to give pure *aaS companies an unfair advantage over people that want to give users the option to buy commercially supported hardware that runs the company's software.

For instance, Google can use bash in their backend infrastructure, but Apple cannot ship it on MacBooks or iOS anymore.

jcotton42 10/25/2024||
> Yeah; GPLv3 seems designed to give pure *aaS companies an unfair advantage over people that want to give users the option to buy commercially supported hardware that runs the company's software.

SaaS didn't exist when the GPL was drafted. If that's an issue for you, there's the AGPL.

alwayslikethis 10/25/2024||
> SaaS didn't exist when the GPL was drafted

If you mean v3, this isn't true. AGPLv3 was written at the same time as GPLv3, and the two reference each other to maintain compatibility (a special provision that lets you use code under the other license provided you follow the other license for that component).

npteljes 10/25/2024|||
Not if offered as a service. That's why they introduced the AGPL, that one has the service restriction too. In terms of a service offering, GPL software is free for the taking, and the restrictions don't apply as the distribution clause doesn't trigger.
sublimefire 10/25/2024|||
The context is inaccurate because it is actually dual licensed, so thinking about GPLv3 alone is not painting the whole picture.

> The default license throughout the repository is your choice of GPL v3.0 OR BITWARDEN SOFTWARE DEVELOPMENT KIT LICENSE unless the header specifies another license. Anything contained within a directory named bitwarden_license is covered solely by the BITWARDEN SOFTWARE DEVELOPMENT KIT LICENSE.

hk1337 10/25/2024||
I don’t believe that is entirely accurate. I believe it depends on the application and what you’re doing with it whether or not you would be required to open source it. Like, if you’re distributing the application as a product, not necessarily a SaaS application?
nine_k 10/25/2024|||
Yes, GPL3 only works for directly distributed software. But an important part of BitWarden is exactly such software, in the form of a browser extension.
HeatrayEnjoyer 10/25/2024|||
Yes, this is why AGPL is superior.
rochak 10/25/2024||
No good thing ever lasts, especially in the world of tech. So, I'll be sticking with Bitwarden until they somehow eventually fuck it up and something else takes its place.
crossroadsguy 10/25/2024|
What would be ideal is a FOSS competitor. At least in the personal usage segment, until they also start looking at big money and enterprise/professional (which is fine); then another competitor will come in. As long as the chain of export-import-export doesn’t break.
MisterKent 10/25/2024||
People here are incredibly hard to please. Very clearly a packaging issue that got blown out of proportion.

They've done largely the right things for _years_ in terms of security. They've operated pretty transparently in terms of open sourcing. They've allowed vaultwarden to exist, and eventually created a self hostable version as well.

But one bad release with a license screw up and nobody is willing to give them an inch?

I will continue to use bitwarden, and am willing to give them the benefit of the doubt. Especially considering this action above. They are a company that is perfectly toeing the free/oss and commercial line.

hiatus 10/25/2024||
> Very clearly a packaging issue that got blown out of proportion.

CTO: > There are no plans to adjust the SDK license at this time. We will continue to publish to our own F-Droid repo at https://mobileapp.bitwarden.com/fdroid/repo/

https://github.com/bitwarden/sdk/issues/898

Doesn't seem like a mistake or unintentional action.

j_crick 10/25/2024|||
You build a hundred solid bridges and you get called John the Good Bridge Builder. But lest you once screw up your software licensing and people notice and it blows up, you'll end up as John the Software Screwer in the annals of history... until next week.
WesolyKubeczek 10/25/2024|||
It seems though, that in the world of software, you can unfuck a sheep.

What worries me, though, is that people who should have known better commit such oopsie daisies more and more (across many projects, I don’t mean this one only), almost as if they are testing the waters to see what they can get away with.

j_crick 10/25/2024||
> almost as if they are testing the waters to see what they can get away with.

I think if it's a pattern then it's no accident. Of course people will test things. Kids, dogs, it's all the same: if you can get away with something, why not do it?

gitaarik 10/25/2024|||
Well it is kinda blasphemy to swear with evil proprietaryness in a loving FOSS community
ValentineC 10/25/2024||
And then we have WordPress, former champion of open source and GPL, with all their soap opera drama.
froggerexpert 10/25/2024|||
> But one bad release with a license screw up and nobody is willing to give them an inch?

I don't have a lot of context on the issue.

Is it clear it was just a packaging bug, rather than a move towards partially proprietary?

ferbivore 10/25/2024|||
The idea that this was "just a packaging bug" is damage control by Bitwarden. It was a deliberate change, per the CTO's comment on https://github.com/bitwarden/sdk/issues/898 and elsewhere. They slowly worked their way towards adding this SDK dependency to every client, and the SDK was intentionally not open-source. The public outrage is the only reason Bitwarden is GPLv3 again.
odo1242 10/25/2024|||
Yeah - they've always used an open-core licensing model with like a few features (used only by business users/applications) behind a proprietary license. They just ended up mixing the code in a way such that the (theoretically open-source) app ended up having some utility functions for the business version mixed in. Since the client apps don't use that functionality, they split the repository so that you can build the app without using any proprietary code.
froggerexpert 10/25/2024||
Fair. I didn't know Bitwarden was open-core. In light of this, accidental packaging mixup sounds plausible.
the_duke 10/25/2024|||
Minor correction: the official self-hosted version existed BEFORE vaultwarden!
sneak 10/25/2024||
For a long time their KDF was bad and the iteration count was low. When I reported it to them they got really hostile and evasive about it.

Years later they switched to Argon, somehow solving all of the blocking problems they had repeatedly claimed they couldn’t fix.

I don’t trust the org at all. The software is ok but I only use it because it sucks marginally less than all my other options.

People who care about software freedoms don’t release proprietary software. Organizations like this or Microsoft are just engaging in open source cosplay.

gertop 10/25/2024||
> When I reported it to them they got really hostile

You're not the one who first reported it, but I did see your comments at the time. Calling them hostile is really the pot calling the kettle black, uh?

gitaarik 10/25/2024||
To me the story also sounds a bit like GP was a bit impatient and felt a bit ignored while the company was already working on the issue but just didn't respond promptly to them personally.
AzzyHN 10/25/2024||
I don't know why people are saying this is a bad thing.
crossroadsguy 10/25/2024||
Similarity to past experiences of the start of the decline of services/apps.
Capricorn2481 10/25/2024||
What app got worse after going open source that you're thinking of?
alt227 10/25/2024|||
It's not 'going open source', as they were always open source; it's a change of license.

Plenty of other products started slipping downhill after management saw a need to change the license. Why else would you change your license terms if it's not to then be able to change your business practices down the road?

Capricorn2481 10/26/2024||
I was posing a hypothetical for people that seem to think they were never open source. They packaged a proprietary part of Bitwarden into the app and quickly relicensed it to GPL.

I don't see how you think introducing a GPL license is gonna lead to worse business practices? Unless you don't know what the license is.

crossroadsguy 10/25/2024|||
> after going open source

I wasn't thinking that at all. BW started as open source afaik.

Capricorn2481 10/26/2024||
That's the point.
3np 10/25/2024||
Choosing GPL over AGPL for this kind of project combined with the previous recent CTO messaging is very telling if you consider the architecture of the software(s).
wmf 10/25/2024||
Telling what?
nocoder 10/25/2024||
What would be a good way to back up the passwords stored in Bitwarden? I am worried that someday Bitwarden could suddenly stop working and I would lose access to all the stored passwords. Should I have a physical copy of all the passwords stored in a vault at home?
Happily2020 10/25/2024||
The simplest way of doing this would be to export your Bitwarden vault in plaintext (as JSON or CSV) and then store it as a password-protected zip file.

This should be easy to encrypt and decrypt on all operating systems, and would make it easy to move your vault to a new password manager.

fy20 10/25/2024|||
If you have some sort of home server, I'd recommend hosting vaultwarden (an open-source implementation of the BitWarden server). It works fine with the official apps. Their enterprise model requires a standard API, so it's not going to break anytime soon.
beAbU 10/25/2024||
This does not take the need for separate backups away though. In fact, I'd argue it makes it even more important to maintain a 3-2-1 backup of your vault.

Running vaultwarden on a home server is one small disaster away from losing everything. Homelabs typically don't enjoy the same level of protections and redundancies compared to a commercial DC.

Saris 10/29/2024|||
Use the export feature and just save the file somewhere safe, mine is in a Cryptomator vault. You could also import to Keepass and then delete the file.
nichos 10/25/2024|||
Export your BW vault and import it into KeePass. Then store that file somewhere safe.
palata 10/25/2024|||
I personally went (a year ago) to pass: https://www.passwordstore.org/.

It just creates a git repository that I can back up wherever I want.

s2l 10/25/2024|||
Desktop: KeePass variants.

Android: Keepass2Android.

Use syncthing to stay in sync.

cja 10/25/2024||
How to use Syncthing on Android now that the app has gone?
TheFreim 10/25/2024|||
There is a fork: https://github.com/Catfriend1/syncthing-android
s2l 10/25/2024|||
For this type of data, preference could be toward a fully open source stack (i.e. F-Droid, etc.).

Another thing I recommend is to enable versioning on syncthing for the database. This way accidental changes can be reverted easily.

jannes 10/25/2024|||
You can do JSON exports within the apps. But careful, all your passwords are unencrypted in the JSON.
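As an added example (not code from the thread, from Bitwarden, or from any of the commenters), here is a small Python checker that ties together the backup advice above and the earlier point about KDF iteration counts: it refuses to treat a plaintext export as a safe backup and counts the passwords it would expose, flags a password-protected export whose PBKDF2 iteration count is below the floor OWASP currently recommends, compares the copies of a 3-2-1 backup by SHA-256 digest, and runs a restore drill against a decrypted export. The JSON field names (`encrypted`, `items`, `login.password`, `kdfType`, `kdfIterations`) and the `kdfType` numbering are my assumptions about the export format, and all sample exports are constructed.

```python
import hashlib
import json

# Constructed sample exports (no real credentials). The field names used here
# ("encrypted", "items", "login.password", "kdfType", "kdfIterations") are an
# assumption about the shape of Bitwarden's JSON exports; compare them against
# an export you generated yourself before relying on this checker.
PLAINTEXT_EXPORT = json.dumps({
    "encrypted": False,
    "folders": [],
    "items": [
        {"type": 1, "name": "example.test",
         "login": {"username": "alice", "password": "constructed-password-1"}},
        {"type": 2, "name": "router note", "notes": "constructed secure note"},
    ],
})

# Password-protected export that still uses PBKDF2 with a low iteration count.
# Assumption: kdfType 0 means PBKDF2-SHA256 and 1 means Argon2id.
ENCRYPTED_EXPORT_WEAK_KDF = json.dumps({
    "encrypted": True, "passwordProtected": True,
    "kdfType": 0, "kdfIterations": 100000,
    "data": "BASE64-CIPHERTEXT-PLACEHOLDER",
})

ENCRYPTED_EXPORT_ARGON2 = json.dumps({
    "encrypted": True, "passwordProtected": True,
    "kdfType": 1, "kdfIterations": 3, "kdfMemory": 64, "kdfParallelism": 4,
    "data": "BASE64-CIPHERTEXT-PLACEHOLDER",
})

# Floor OWASP currently recommends for PBKDF2-HMAC-SHA256.
MIN_PBKDF2_ITERATIONS = 600_000


def inspect_export(text: str) -> dict:
    """Classify an export before it goes anywhere near backup storage.

    Returns whether the file is encrypted, how many login passwords are
    readable if it is not, the KDF parameters if it is, and a list of findings.
    """
    doc = json.loads(text)
    findings = []
    if not doc.get("encrypted", False):
        exposed = sum(1 for item in doc.get("items", [])
                      if item.get("login", {}).get("password"))
        findings.append(f"plaintext export: {exposed} login password(s) readable; "
                        "encrypt it before storing")
        return {"encrypted": False, "exposed_passwords": exposed, "findings": findings}
    kdf_type = doc.get("kdfType")
    iterations = doc.get("kdfIterations", 0)
    if kdf_type == 0 and iterations < MIN_PBKDF2_ITERATIONS:
        findings.append(f"weak KDF: PBKDF2 with {iterations} iterations "
                        f"(recommended floor {MIN_PBKDF2_ITERATIONS})")
    return {"encrypted": True, "kdf_type": kdf_type,
            "kdf_iterations": iterations, "findings": findings}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_copies(reference: bytes, copies: dict) -> list:
    """3-2-1 check: names of stored copies whose digest differs from the reference."""
    expected = sha256_hex(reference)
    return sorted(name for name, blob in copies.items() if sha256_hex(blob) != expected)


def restore_drill(decrypted_text: str, expected_names: list) -> list:
    """A backup nobody has restored is not a backup.

    Parse a (decrypted) export and return the expected entry names that are missing.
    """
    doc = json.loads(decrypted_text)
    present = {item.get("name") for item in doc.get("items", [])}
    return [name for name in expected_names if name not in present]


if __name__ == "__main__":
    for label, export in (("plaintext", PLAINTEXT_EXPORT),
                          ("weak-kdf", ENCRYPTED_EXPORT_WEAK_KDF),
                          ("argon2", ENCRYPTED_EXPORT_ARGON2)):
        print(label, inspect_export(export)["findings"])
    copies = {"usb": b"vault.json.enc", "cloud": b"vault.json.en"}
    print("stale copies:", verify_copies(b"vault.json.enc", copies))
    print("missing after restore:",
          restore_drill(PLAINTEXT_EXPORT, ["example.test", "old-bank"]))
```

The checker deliberately does not decrypt anything: its job is to stop a plaintext export from being copied into backup storage by mistake, to surface weak KDF settings while the backup is being made rather than years later, and to make the restore drill a routine step instead of an afterthought.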
hexfish 10/25/2024||
Frankly I would worry about that with any third party that holds my data. There are a few Bitwarden exporters on GitHub that also account for attachments (something the builtin exporter doesn't for some reason).
aae42 10/25/2024||
BW synchronizes all your data on each client... if you logged in before, and your server goes down, you can still log in to a recent client, it just won't be able to update

you could recover from that

Saris 10/29/2024||
No way to export from the client though, so you would have to recover the server unless you previously made backups with the export feature.
sneak 10/25/2024||
Doesn’t GPL mean that it can’t be forked and published into the Apple iOS app store?

Presumably they are able to do it because they own the rights and can grant a non-GPL license to Apple for distribution.

This seems to me to still be a “nobody can fork this [and still have a viable iOS app] but us”.

cxr 10/25/2024||
The last time anyone did a serious published review of the App Store terms for GPL compatibility was probably 10+ years ago.

I remember pre-COVID trying to validate the popular claim that the App Store terms were incompatible with GPLv3 but being unable to do so. None of the provisions that were originally called out by the FSF were in the App Store terms anymore at that point. Certainly nothing I found in the terms at the time indicated any incompatibility.

FateOfNations 10/25/2024|||
Whenever I've heard about someone having problems publishing a fork on the App Store, it was a trademark rather than a copyright issue. If you fork it, you must completely re-brand it to publish it on the App Store.
throwaway290 10/25/2024||
Don't forget disclosing the source to users!
master-lincoln 10/25/2024||
Everybody can fork this and build an iOS app. You just can't distribute through the app store as far as I understand. Would be good now if there were other means to install an app on iOS for non-devs, but users chose to ignore that issue when they joined the walled garden that is Apple Inc

Maybe the European Union comes to the rescue... (for Europeans)

funvill 10/25/2024||
As an exercise I created my own password manager in response to the license issues with BitWarden last week.

It's rough, but functional, an exercise not a real product, never expected to be a real product. https://github.com/funvill/FancyGorillaPasswordManager

The tech is easy. Website, browser extension, iOS, Android, Windows, Linux, MacOS apps done in less than a day.

Gaining trust is hard; who is going to trust a random guy on the internet?

jgauth 10/25/2024||
This update is great news. I was disappointed to see the issue that got raised last week, and I had started to consider looking for alternatives. I’m going to assume an honest mistake on their end and keep recommending their product. However, if they make a similar move again, I will assume the worst and move on.
ValentineC 10/25/2024|
To be fair, Bitwarden clients are mostly GPL and can be forked, and there's Vaultwarden for self-hosting.

We just need to rally together a community that would maintain such a fork.

ferbivore 10/25/2024||
The iOS client can never be meaningfully forked, ironically due to the GPL. If Bitwarden goes fully hostile that's lost forever.
ValentineC 10/25/2024||
I don't understand; isn't the repo licensed under GPLv3?

https://github.com/bitwarden/ios?tab=GPL-3.0-1-ov-file

Is proprietary config required to build the IPA file?

ferbivore 10/26/2024||
I was under the impression that Apple requires apps to be distributed under terms which conflict with the GPLv3, so the copyright holders effectively need to dual-license an app for it to be suitable for the App Store. Uploading your own version of bitwarden/ios would then open you up to a takedown notice from Bitwarden Inc. since they didn't consent to this.

Looking into it again, it seems like the Apple Media Services T&C now has provisions for distributing apps under a "Custom EULA", but it still has weird clauses like the one saying you can't "scrape, copy, or perform measurement, analysis, or monitoring of, any portion of the Content", which their definition of includes apps. (Ridiculous clause since it prohibits so much as looking at an app with Activity Monitor, but whatever.) The GPLv3 has a provision saying users can ignore additional restrictions, but you as an App Store uploader aren't in a position to grant that right, so... the situation still seems legally iffy enough that I'm not sure you could win against Bitwarden if they objected to a fork.

Thoreandan 10/25/2024||
The summary says "SDK relicensed from proprietary to GPLv3", the linked commit puts the Bitwarden license into LICENSE_SDK.txt, not GPLv3. Am I missing something?
mananaysiempre 10/25/2024|
The change to package.json of the sdk-internal package indicates it’s now GPL3.

This comment might be more illuminating: https://github.com/bitwarden/clients/issues/11611#issuecomme...

ok_dad 10/25/2024|
Luckily if they die another will rise up. At this point I’m thinking I’ll just use the Apple Keychain if Bitwarden gets up to no good again.
freedomben 10/25/2024||
It probably doesn't matter for you if you'll never be leaving Apple's ecosystem, but for anyone else, I think that's something to keep in mind before moving to a non-portable solution like Apple keychain.
accrual 10/25/2024|||
I would love to use Apple keychain but you're right - as a mixed OS user, it's a tough sell.
accrual 11/3/2024||
Just thinking out loud to myself - if Apple could embed their key management tech in a simple cross platform UI and support Windows, Linux, iOS, Android, and the web like Bitwarden - they'd be a viable alternative.
crossroadsguy 10/25/2024|||
> non-portable solution like Apple keychain

Yes, non-portable across different OEMs. But Apple Passwords app lets you export your passwords in a nice little simple csv file. It was a suspicion-filled (because it's Apple) pleasant surprise to find that out.

rqtwteye 10/25/2024||
In the old Apple passwords thing, they used to have that export feature but they took it away at some point. Learned this the hard way when I switched to Linux for a while.
lxgr 10/25/2024|||
Two things are preventing me from doing that: I occasionally want to access my passwords in a browser (and I do not want to log in to iCloud on that machine), and I'd feel really bad about having my passkeys stored in an Apple service with absolutely no way of exporting them in case I ever do switch platforms. (Bitwarden at least includes passkeys in their JSON export format, as far as I know.)
ValentineC 10/25/2024||
As another commenter has mentioned, Apple Passwords allows export to simple CSV:

https://support.apple.com/en-us/guide/passwords/mchl35b12625...

What I dislike about Apple Passwords is how tightly coupled everything is.

I just tried to set it up on my Windows 10 machine with a local account, but it requires Windows Hello to be turned on, which can't be done except with a Microsoft account.

Kinda ridiculous of them to force arbitrary restrictions on us.

lxgr 10/25/2024||
> Apple Passwords allows export to simple CSV

Not of passkeys, to my knowledge.

> What I dislike about Apple Passwords is how tightly coupled everything is.

That’s definitely also discouraging me as well.

rascul 10/25/2024|||
What was the no good that Bitwarden got up to?
abathur 10/25/2024||
https://news.ycombinator.com/item?id=41893994
Capricorn2481 10/25/2024||
Sounds like this is what they open sourced? So I don't really see the issue.
ValentineC 10/25/2024||
It was "source available", but licensed under their proprietary Bitwarden licence and not GPLv3.
Capricorn2481 10/26/2024||
What I mean is the problem is remedied now and was likely not the big deal people thought it was. Sounds like they packaged something into the software forgetting it was under a different license and quickly relicensed it. But this thread is framing it like they burned a bridge.
chillfox 10/25/2024||
If I wasn't busy playing with AI stuff then I would be very tempted to build my own password manager cloud service, it feels like a chance to shine shows up at least once every two years in that space.

I don't know what it is, but password managers just love the high-speed enshittification train.

TechDebtDevin 10/25/2024||
It's not very easy and you shouldn't do it unless your domain is cryptography. This is something I've tried to do myself as well and realized it's better off left to the pros.