Bitwarden Makes Change To Address Recent Open-Source Concerns
([Free Software] 5 Hours Ago
Bitwarden Update)
- Reference: 0001501780
- News link: https://www.phoronix.com/news/Bitwarden-Code-Cleared-Up
- Source link:
Following the recent [1]concerns over Bitwarden potentially moving further away from open-source given SDK changes that appeared, Bitwarden has now further addressed the situation to ease the community concerns.
The issue stems from a user discovering the Bitwarden client introducing a "bitwarden/sdk-internal" dependency and that internal SDK having a license clause that stipulated:
"You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK."
Bitwarden called it a packaging bug. Bitwarden founder and CTO Kyle Spearrin has now further cleared up the situation in a [2]comment on GitHub:
"@brjsp thanks again for submitting the concern here. We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.
The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there."
With that it appears the situation is now cleared up and should also avoid any user confusion for those using this open-source password management solution.
[1] https://www.phoronix.com/news/Bitwarden-Open-Source-Concerns
[2] https://github.com/bitwarden/clients/issues/11611#issuecomment-2436287977
The issue stems from a user discovering the Bitwarden client introducing a "bitwarden/sdk-internal" dependency and that internal SDK having a license clause that stipulated:
"You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK."
Bitwarden called it a packaging bug. Bitwarden founder and CTO Kyle Spearrin has now further cleared up the situation in a [2]comment on GitHub:
"@brjsp thanks again for submitting the concern here. We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.
The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there."
With that it appears the situation is now cleared up and should also avoid any user confusion for those using this open-source password management solution.
[1] https://www.phoronix.com/news/Bitwarden-Open-Source-Concerns
[2] https://github.com/bitwarden/clients/issues/11611#issuecomment-2436287977
Espionage724