Bitwarden's FOSS halo slips as new SDK requirement locks down freedoms
- Reference: 1729769774
- News link: https://www.theregister.co.uk/2024/10/24/bitwarden_foss_doubts/
- Source link:
The question has been highlighted by a new issue on the project's GitHub page, with the strong title " [1]Desktop version 2024.10.0 is no longer free software ."
This is because of a new build requirement, added in a pull request a couple of weeks ago titled " [2]Introduce SDK client ." This SDK (software development kit) is required to compile the software from source – either the Bitwarden server or any of its client applications. The problem is that although the [3]SDK is available , it is under a [4]license that means it's not free software. The license says:
3.3 You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.
Restricting what users can do with the software violates the first of GNU's [5]four essential freedoms . In other words, although you can get the source code, the restrictions on what you can do with it mean that it's not truly open source anymore.
Although the license is different, the comparisons with other not-so-open-sourcey-anymore companies and products, from [6]Hashicorp to [7]Redis , are irresistible.
[8]
The issue hasn't attracted much discussion on GitHub itself because [9]Kyle Spearrin , the company's chief technical officer, [10]responded that the FOSS Bitwarden tools and the SDK were not the same thing:
the SDK and the client are two separate programs
code for each program is in separate repositories
the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
He then closed and locked the discussion. However, this claim appears contractually doubtful as it may fall under the GPL's provisions regarding [11]the aggregation of software .
There are other BitWarden-compatible tools out there, such as the Rust-based replacement server [12]Vaultwarden . However, since that first appeared, lead developer [13]Daniel García was hired by BitWarden. As such, its existence as an independent alternative is dubious.
[14]Google apologizes for breaking password manager for millions of Windows users with iffy Chrome update
[15]For password protection, dump LastPass for open source Bitwarden
[16]Intruders get their hands on user data in LastPass incident
[17]1Password's Insights tool to help admins monitor users' security practices
There were signs long in advance. Back in September 2022, Abdullah Atta, lead developer of Notesnook, a similar secure and encrypted online storage tool, blogged that " [18]It's time to leave Bitwarden ." His reasoning was that Bitwarden had just obtained [19]$100 million of venture capital financing . He predicted that the company would move away from FOSS in the direction of raising revenue, and it looks like he was right.
Bad news for our own SJVN, who just a few months later wrote that it was time to [20]dump LastPass for open source Bitwarden – although he did say "Bitwarden is a kinda sorta open source program." It looks rather like it's a little less so now, as noted by some amusingly [21]snarky comments on [22]the Fediverse .
[23]
There are many other alternatives out there, from [24]Buttercup to [25]KeePassXC . Many will require you to synchronize your own password database between computers, either on your own, or using other cloud services. Or you could use a FOSS tool such as [26]SyncThing . Note, however, that SyncThing just [27]discontinued its official Android client – but independent ones remain available. ®
Get our [28]Tech Resources
[1] https://github.com/bitwarden/clients/issues/11611
[2] https://github.com/bitwarden/clients/pull/10974
[3] https://github.com/bitwarden/sdk
[4] https://github.com/bitwarden/sdk/blob/main/LICENSE
[5] https://www.gnu.org/philosophy/free-sw.en.html#four-freedoms
[6] https://www.theregister.com/2023/08/11/hashicorp_bsl_licence/
[7] https://www.theregister.com/2024/09/20/redis_users_considering_alternatives/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZxpvKf9jyF4FcyWCI7U9qgAAAFI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[9] https://github.com/kspearrin
[10] https://github.com/bitwarden/clients/issues/11611#issuecomment-2424865225
[11] https://www.gnu.org/licenses/gpl-faq.html#MereAggregation
[12] https://github.com/dani-garcia/vaultwarden
[13] https://github.com/dani-garcia
[14] https://www.theregister.com/2024/07/29/google_password_manager_outage/
[15] https://www.theregister.com/2023/01/16/dump_lastpass_bitwarden/
[16] https://www.theregister.com/2022/12/01/lastpass/
[17] https://www.theregister.com/2022/06/21/1password_trots_out_insights_tool/
[18] https://blog.notesnook.com/its-time-to-leave-bitwarden/
[19] https://bitwarden.com/blog/accelerating-value-for-bitwarden-users-bitwarden-raises-usd100-million/
[20] https://www.theregister.com/2023/01/16/dump_lastpass_bitwarden/
[21] https://chaos.social/@scy/113340104207001138
[22] https://chaos.social/@n0toose/113340052961123604
[23] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/applications&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZxpvKf9jyF4FcyWCI7U9qgAAAFI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[24] https://buttercup.pw/
[25] https://keepassxc.org/
[26] https://syncthing.net/
[27] https://forum.syncthing.net/t/discontinuing-syncthing-android/23002
[28] https://whitepapers.theregister.com/
Re: The balance tipped.
You make some very good points and well presented list of software that has fallen foul of this method of operating.
VCs will do what's right for them and it's never the end user or community that brought it into the target sights of the VC.
Re: The balance tipped.
[Author here]
> VSCode.
Hang on hang on hang on a cotton-pickin' minute there.
You mean you *ever* trusted Microsoft?
...
Want to buy a bridge? It's very historic. Pretty too.
Re: The balance tipped.
"VSCode". Hahaha.
Like the last reply alluded to, VSCode was never FOSS. It is just an example of a covert operation employed by big tech to get developers work for free because it is "FOSS". These operations are running rampant nowadays. Never contribute to these projects unless it is truly FOSS in origin. The sooner people start realizing that, the sooner big tech will be forced to hire developers again.
Re: The balance tipped.
Never contribute to these projects unless it is truly FOSS in origin.
Never contribute to a FOSS project that asks you to sign over your copyright.
Then your contributions will be bound by the licence you expect and only you will have the right to re-licence them at a later time.
All good things must come to an end
While I am not a fan of private equity firms attempting to purchase/invest in anything and everything of value on the planet, it does provide the opportunity for good projects to reward the main contributors and for the supporting infrastructure to grow and be stable. As an alternative, may I suggest you recall the growing pains of the Mozilla and Apache foundations and the projects dependent on their fundraising. While remaining true to the ideals of FOSS, it is wholly dependent on large corporate donations. Pick your poison.
The balance tipped.
This news should come as no surprise to anyone. This is the standard play for venture-capital (or private-equity) bought "Open Source."
What it means – simply – is that the balance has tipped: the suits have determined that the loss of goodwill from those who flee is less than the stakes to be gained by this change. That, in turn, is trivially easy to interpret: "we" – the users, developers and community – are worth less than the Dollars knocking on their door. That follows by definition.
Why would we trust them, then? They're demonstrating contempt for our worth, as a community, so only a fool would expect them to value us!
WordPress. Bitwarden. VSCode. GitHub. Redis. MySQL. (… and I haven't even started to 'think' to find examples, yet.)