@brjsp thanks again for submitting the concern here. We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.
The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there.
This appears at least okay on the surface. The clients’ dependency on sdk-internal
didn’t change but that’s okay now because they have licensed sdk-internal
as GPL.
The sdk-secrets
will remain proprietary but that’s a separate product (Secrets Manager) and will apparently not be used in the regular clients. Who knows for how long though because, if you read carefully, they didn’t promise that it will not be used in the future.
The fact that they had ever intended to make parts of the client proprietary without telling anyone and attempted to subvert the GPL while doing so still remains utterly unacceptable. They didn’t even attempt to apologise for that.
Bitwarden has now landed itself in the category of software that I would rather move away from and cannot wholeheartedly recommend anymore. That’s pretty sad.
Uhh what does this mean for us dummies? For reference I run a self hosted vaultwarden server and connect to it with Bitwarden clients.
It means all the code you run is open source.
Only the Bitwarden back-end uses proprietary code, which you aren’t using when you’re self-hosting vaultwarden.
So this was what it changed then?
I also self-host Vaultwarden because it is stupidly simple…
No, this comment was wrong. Most of the back end is not closed source. One piece of code for secrets management is closed source, that is not used in clients and was accidentally (allegedly) added to the clients, which they removed.
Vaultwarden is open source.
Personally I think people are overreacting. If BitWarden were to do something dumb like shift away from GPL, there would very quickly be a fork.
With 2024.10, Bitwarden could no longer be built without their proprietary SDK.
That was deemed a bug and now the SDK is also licensed under the GPL.
To clarify, the desktop BitWarden client, only.
And this was corrected.
I think right now it doesn’t mean anything :/. It’s more a ‘wait&see’ situation… However as many many other stories in the past, this doesn’t sound good and bitwarden is slowly and carefully following the ‘enshitification’ path !
Keep an eye open and get ready to switch to another password manager (maybe a fork?).