Posted by ferbivore 2 days ago
> We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.
I guess it's time for another FOSS player here. It's fine, such things are cyclical I guess. Happened to Lastpass and Authy and someday it will happen to Ente and 2FAS and so on.
I'm confused what you're responding to. You're making it sound like this was a bad decision and your anecdote was another thing for the pile, but this is a good decision.
Which is all the more ridiculous as this looks like it wasn't really a big license change decision but more of a "forgot to change the license on a component from our internal default". Assuming malice seems like the most boneheaded reaction to this given that there are no other indications Bitwarden was trying to do anything nefarious and the previous license state would have made every single library or tool depending on it non-free.
This is different from criticisms of Mozilla for example which often boil down to "Mozilla positioned itself as privacy-focused but adds a privacy-violating feature you have to opt out of while claiming it's actually fine". Bitwarden never was 100% FLOSS to begin with but introducing downstream license problems is clearly against their own interest. Unless you believe Bitwarden is run by evil idiots who do evil things for no good reason (business or otherwise) whatsoever and then quickly cover their tracks only when called out, "oops" is the only explanation that passes the sniff test.
Here's what someone from Bitwarden said in that issue:
https://github.com/bitwarden/clients/issues/11611#issuecomme...
I think the submission should be rephrased as "Bitwarden SDK fixed license of sub-component" or something. Which of course sounds less bold and interesting and newsworthy because it really isn't.
https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15353#...
> Additionally, one thought that came to mind in evaluating this that might make this not possible is that our rust SDK, a dependency, is not published under an OSS license. See https://github.com/bitwarden/sdk . I assume that is a problem that might disqualify us from the main [fdroid] repo still.
https://gitlab.com/fdroid/fdroiddata/-/merge_requests/15353#...
> At the moment, there are no plans to adjust the SDK license.
Doesn't sound like a mistake:
https://github.com/bitwarden/sdk/issues/898#issuecomment-222...
> There are no plans to adjust the SDK license at this time. We will continue to publish to our own F-Droid repo at https://mobileapp.bitwarden.com/fdroid/repo/
This does, though:
https://github.com/bitwarden/sdk/issues/898#issuecomment-242...
It seems they reconsidered after the change impacted their F-Droid release. They've always been Open Core not fully Open Source so the SDK not being OSS isn't surprising. It just seems like they didn't think about the consequences of integrating a non-OSS SDK into their OSS clients.
Your first quote actually explicitly says that this incompatibility only became apparent after the fact:
> one thought that came to mind in evaluating this
So, yeah, a mistake although it's not so much they "forgot to change the license" but didn't consider which license it should use and stuck with the default.
> There are no plans to adjust the SDK license at this time
This doesn't mean it was an intentional choice or well thought out. It would have been pretty stupid to say "yeah, we actually just went with proprietary because it's the internal default and didn't think about the pros and cons of keeping it that way" so in lieu of wanting to make a decision then and there or signaling radio silence, that's just a standard corporate non-answer.
There's a difference.