Desktop version 2024.10.0 is no longer free software · Issue #11611 · bitwarden/clients
github.com
Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause: Y...

Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:

You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.

This violates freedom 0.

It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.

  • fireshell@lemmy.mlEnglish
    3·
    3 months ago

    https://github.com/bitwarden/clients/issues/11611#issuecomment-2436287977

    We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

    https://github.com/bitwarden/sdk-internal/commit/db648d7ea85878e9cce03283694d01d878481f6b

    Thank you to Bitwarden for relicensing a thing to GPLv3 License!

  • fl42v@lemmy.ml
    1·
    4 months ago

    Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

    • the SDK and the client are two separate programs
    • code for each program is in separate repositories
    • the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

    Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

    I.e. “fuck you and your foss”

      • fl42v@lemmy.ml
        1·
        4 months ago

        I doubt it. What’ll probably happen is them moving more and more of the logic into the SDK (or adding the back-end of new features there), and leaving the original app to be more or less an agpl-licensed ui, while the actual logic becomes source-available. Soo, somewhat red-hat-esque vibes: no-no, we don’t violate no stupid licenses, we just completely go against their spirit.

  • twirl7303@lemmy.world
    1·
    4 months ago

    If this is not resolved I will likely switch to another service. Free software compatibility was the main reason I paid for bitwarden over its competitors.

    • AustralianSimon@lemmy.worldEnglish
      01·
      4 months ago

      What does this change for you?

      Seems to change nothing for all my devices which is a cheap offering at $10/year.

      • Croquette@sh.itjust.works
        2·
        4 months ago

        The direction that the company is taking. Clearly that Bitwarden feels like other open source projects are diverting revenue from them.

        That’s a small step towards enshittification. They close this part of the software, then another part until slowly it is closed source.

        We’ve seen this move over and over.

        Stopping your business with Bitwarden over that issue sends a message that many customers don’t find this acceptable. If enough people stop using their service, they have a chance to backtrack. But even then, if they’ve done it once, they’ll try it again.

        Your current price is 10$/year now. But the moment a company tries to cull any open source of their project is the moment they try to cash it in.

  • rozlav@lemmy.blahaj.zone
    1·
    4 months ago

    Nobody here talks about keepassxc ? I’ve been using it for almost a decade, it can be used with sync tools to be shared, I’ve managed to have db keepass file opened on several computers and it did work well. Gplv3 here https://keepassxc.org/

    • EveryMuffinIsNowEncrypted@lemmy.blahaj.zoneEnglish
      1·
      4 months ago

      I just switched over. Honestly, I like it even more than Bitwarden. Then again, I don’t sync my stuff between devices because I’m old I guess. Lol. It makes it easier to switch because I don’t have to deal with stuff like Syncthing.

    • Atemu@lemmy.ml
      1·
      4 months ago

      Keepass isn’t really in the same category of product as Bitwarden. The interesting part of bitwarden is that it’s ran as a service.

    • unrushed233@lemmings.world
      0·
      4 months ago

      Bitwarden can’t be compared to KeePassXC. Bitwarden is fundamentally built around a sync server, whereas KeePass is meant to exclusively operate locally. These are two very different fundamental concepts for, you know, how to actually store and access your passwords.

        • unrushed233@lemmings.world
          1·
          4 months ago

          Nope. Since the entire database is contained in a single file, it can’t sync multiple edits properly, leading to sync conflicts. Because KeePass was built around local database files, whereas Bitwarden uses actual synced databases, where individual updates can be uploaded, instead of causing conflicts or overwriting the entire db.

          • Hexarei@programming.dev
            0·
            4 months ago

            Conflicts haven’t been an issue for years, all modern iterations of KeePass (XC, kp2a, DX) support automatically merging in the latest before saving.

            I’ve been using it for years this way across several devices, it’s incredibly solid

  • umbrella@lemmy.ml
    1·
    4 months ago

    i was about to replace my glorified encrypted text file for a password manager. guess relying on 3rd parties in a late-stage capitalist world is not a viable alternative.

    ill stay with my encrypted text file until they privatize encryption. by then ill probably be carving my passwords out on stone. or burning down the servers of these fucking pigs trying to make us identify ourselves for everything on the internet now.

    • NostraDavid@programming.dev
      1·
      4 months ago

      Bitwarden has an export functionality. Export to JSON, import in Keepass, done.

      There’s KeePassXC if you want Linux support (keepass2 file is compat with XC variant).

  • ᗪᗩᗰᑎ@lemmy.ml
    0·
    4 months ago

    Looks like I might be moving to Proton Pass after all! I’ll give them some time to see what they do about this, but will happily give my money to someone else and migrate friends/family as well.

  • Lemmchen@feddit.orgEnglish
    0·
    4 months ago

    ITT: A lot of conspiracy theories without much (any?) evidence. Let’s see if they resolve the dependency issue before wet get our pitchforks, shall we?

    • Atemu@lemmy.ml
      1·
      4 months ago

      I don’t know what the heck you’re talking about.

      I see overwhelming evidence that they have intentionally made parts of the clients’ code proprietary. You can check the client code yourself (for now anyways) and convince yourself of the fact that the bw SDK code is in indeed integrated into the bitwarden clients’ code base.

      This is the license text of the sdk-internal used in 2024.10.1 (0.1.3): https://github.com/bitwarden/sdk/blob/16a8496bfb62d78c9692a44515f63e73248e7aab/LICENSE

      You can read that license text to convince yourself of the fact that it is absolutely proprietary.

      Here is also the CTO and founder of Bitwarden admitting that they have done it and are also attempting to subvert the GPL in using sdk-internal:

      https://github.com/bitwarden/clients/issues/11611#issuecomment-2424865225

      Hi @brjsp, Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

      • the SDK and the client are two separate programs
      • code for each program is in separate repositories
      • the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

      Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

      (Emphasis mine.)

      The fluff about the ability to even build the app is secondary, the primary issue is that the Bitwarden clients are no longer free software. That fact is irrefutable.

      • asap@lemmy.worldEnglish
        0·
        4 months ago

        That would be an issue if they were not open source. Them making their own SDK proprietary is not a pitchfork issue.

        Open source !== Non-proprietary

        I would go as far as to say that Bitwarden’s main competitive advantage and differentiation is that it’s open source. They would be insane to change that.

        • cmhe@lemmy.world
          0·
          4 months ago

          Well, then it would be nice to hear from them an explanation on why they decided to violate the GPLv3 on their client, by coupling it with proprietary code in a way that disallows building and/or usage without that proprietary component.

          They would be insane to change that.

          Yes. And i hope that they recover from it soon.

          • asap@lemmy.worldEnglish
            0·
            4 months ago

            Well, then it would be nice to hear from them an explanation on why they decided to violate the GPLv3

            Lucky for you, they provided that explanation:

            1. This is a bug/mistake.
            2. Our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
            3. We will fix this.
            • cmhe@lemmy.world
              0·
              4 months ago

              Ok, lets take it step by step:

              Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

              • the SDK and the client are two separate programs

              I think they meant executable here, but that also doesn’t matter. If both programs can only be used together and not separate, and one is under GPLv3, then the other needs to be under GPLv3 too.

              • code for each program is in separate repositories

              How the code is structured doesn’t matter, it is about how it is consumed by the end-user, there both programs are delivered together and work together.

              • the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

              The way those two programs communicate together, doesn’t matter, they only work together and not separate from each other. Both need to be under GPLv3

              Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

              Not being able to build a GPLv3 licenses program without a proprietary one, is a build dependency. GPLv3 enforces you to be able to reproduce the code and I am pretty sure that the build tools and dependencies need to be under a GPLv3 compatible license as well.

              But all of that still doesn’t explain what their goal of introducing the proprietary SDK is. What function will it have in the future? Will open source part be completely independent or not? What features will depend on the close-source part, and which do not? Have they thought about any ethical concerns, that many contributors contributed to their software because it under a GPL license? How are they planning on dealing with the loss of trust, in a project where trust is very important? etc.

              • asap@lemmy.worldEnglish
                0·
                4 months ago

                What features will depend on the close-source part, and which do not?

                There are definitely some terminology issues here.

                The SDK is not closed source, you can find the source here: https://github.com/bitwarden/sdk

                It might not be GPL open-source, but it is not closed either.

                Other than that, I agree with your points. I don’t agree with the kneejerk hysteria from many of the comments - it’s one of the worst things about FOSS is how quick people are to anger (I am not referring to you here).

                But all of that still doesn’t explain what their goal of introducing the proprietary SDK is.

                Let’s wait and see before we get out the pitchforks.

  • 31337@sh.itjust.works
    0·
    4 months ago

    I just exported my data from BitWarden and imported into ProtonPass. Was pretty easy. Hate the color palette of the app and browser extension though, lol.

  • fireshell@lemmy.mlEnglish
    0·
    4 months ago

    pass is enough (+ xdotool + rofi + pass-menu). Synchronization via git or Syncthing.

  • Danitos@reddthat.com
    0·
    4 months ago

    @bitwarden bitwarden locked and limited conversation to collaborators

    They also locked the thread 16 hours ago (as of writing this comment), with no explanation.

    • asap@lemmy.worldEnglish
      0·
      4 months ago

      The explanation is the second-to-last comment before it got locked. 🤦

      This hysteria is really stupid.

        • asap@lemmy.worldEnglish
          0·
          4 months ago

          That may or may not be the case, but the comment I replied to said they locked the thread with “no explanation”.

          • cmhe@lemmy.world
            1·
            4 months ago

            I would say a proper explanation includes the goal you want to achieve, not just the statement that you think that you are allowed to do something.