- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:
You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.
This violates freedom 0.
It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.
ITT: A lot of conspiracy theories without much (any?) evidence. Let’s see if they resolve the dependency issue before wet get our pitchforks, shall we?
Too late. Found a pitchfork sale in my local hardware store, so got a few for this and whatever fucking company does a rug pull next.
I don’t know what the heck you’re talking about.
I see overwhelming evidence that they have intentionally made parts of the clients’ code proprietary. You can check the client code yourself (for now anyways) and convince yourself of the fact that the bw SDK code is in indeed integrated into the bitwarden clients’ code base.
This is the license text of the sdk-internal used in 2024.10.1 (0.1.3): https://github.com/bitwarden/sdk/blob/16a8496bfb62d78c9692a44515f63e73248e7aab/LICENSE
You can read that license text to convince yourself of the fact that it is absolutely proprietary.
Here is also the CTO and founder of Bitwarden admitting that they have done it and are also attempting to subvert the GPL in using sdk-internal:
https://github.com/bitwarden/clients/issues/11611#issuecomment-2424865225
(Emphasis mine.)
The fluff about the ability to even build the app is secondary, the primary issue is that the Bitwarden clients are no longer free software. That fact is irrefutable.
That would be an issue if they were not open source. Them making their own SDK proprietary is not a pitchfork issue.
Open source !== Non-proprietary
Well, then it would be nice to hear from them an explanation on why they decided to violate the GPLv3 on their client, by coupling it with proprietary code in a way that disallows building and/or usage without that proprietary component.
Yes. And i hope that they recover from it soon.
Lucky for you, they provided that explanation:
Ok, lets take it step by step:
I think they meant executable here, but that also doesn’t matter. If both programs can only be used together and not separate, and one is under GPLv3, then the other needs to be under GPLv3 too.
How the code is structured doesn’t matter, it is about how it is consumed by the end-user, there both programs are delivered together and work together.
The way those two programs communicate together, doesn’t matter, they only work together and not separate from each other. Both need to be under GPLv3
Not being able to build a GPLv3 licenses program without a proprietary one, is a build dependency. GPLv3 enforces you to be able to reproduce the code and I am pretty sure that the build tools and dependencies need to be under a GPLv3 compatible license as well.
But all of that still doesn’t explain what their goal of introducing the proprietary SDK is. What function will it have in the future? Will open source part be completely independent or not? What features will depend on the close-source part, and which do not? Have they thought about any ethical concerns, that many contributors contributed to their software because it under a GPL license? How are they planning on dealing with the loss of trust, in a project where trust is very important? etc.
There are definitely some terminology issues here.
The SDK is not closed source, you can find the source here: https://github.com/bitwarden/sdk
It might not be GPL open-source, but it is not closed either.
Other than that, I agree with your points. I don’t agree with the kneejerk hysteria from many of the comments - it’s one of the worst things about FOSS is how quick people are to anger (I am not referring to you here).
Let’s wait and see before we get out the pitchforks.
Sure. To me “source available” is still closed-source, since looking might give companies an attack surface for you to have violated their copyright in the future. Happened with IBM in the past: https://books.google.de/books?id=gy4EAAAAMBAJ&lpg=PA15&pg=PA15&redir_esc=y#v=onepage&q&f=false
Sure. Bitwarden doesn’t owe us anything, but it is still sad to see this decision and better clarification and explanation could have alleviated the breaking of the trust here.