this post was submitted on 20 Oct 2024
533 points (95.4% liked)

Open Source

31396 readers
307 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
 

Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:

You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.

This violates freedom 0.

It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 130 points 1 month ago* (last edited 1 month ago) (3 children)

There's a lot of drama in that Issue, and then, at the very end:

Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

the SDK and the client are two separate programs
code for each program is in separate repositories
the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

[–] [email protected] 60 points 1 month ago (3 children)

Um can someone translate what this means?

[–] [email protected] 121 points 1 month ago (3 children)

They claim the SDK and Bitwarden are completely separate, so Bitwarden is still open source.

The fact that the current version of Bitwarden doesn't work at all without the SDK is just a bug, which will be fixed Soon™

[–] [email protected] 26 points 1 month ago (1 children)

Iirc, once reported, the project has 30 days to remedy or they are in violation of the license. They can't even release a new version with a different license since this version is out under the GPL.

[–] [email protected] 18 points 1 month ago (1 children)

Given that they own all of the source code (CLA is required to contribute), they can just stop offering the code under GPL, unless they happen to have any GPL dependencies not under their control, in which case this would not be viable.

[–] [email protected] 12 points 1 month ago (2 children)

Switching licenses to future versions doesn't invalidate previous versions released under GPL.

I'm not a lawyer but I deal with OSS licenses for work and I don't know if there's ever been a case like this, that I can think of anyway.

Their previous versions, still being under the GPL, would require them to release a change to make it usable on desktops. Again, I'm not a lawyer here but there is a lot of case law behind the GPL and I think the user who made the issue could take them to court to force them to make the change if they don't respond in 30 days.

[–] [email protected] 13 points 1 month ago (1 children)

It means previous versions remain open, but ownership trumps any license restrictions.
They don't license the code to themselves, they just have it. And if they want to close source it they can.

GPLv3 and copyleft only work to protect against non-owners doing that. CLA means a project is not strongly open source, the company doing that CLA can rugpull at any time.

The fact a project even has a CLA should be extremely suspect, because this is exactly what you would use that for. To ensure you can harvest contributions and none of those contributers will stand in your way when you later burn the bridges and enshittify.

[–] [email protected] 3 points 1 month ago (1 children)
[–] [email protected] 9 points 1 month ago

Licensing the source as GPL doesn't really force the copyright holder (which is 100% BitWarden due to their Contributors Agreement^*, no matter who contributed the code) to do anything - they are absolutely free to release binaries built on the same codebase as proprietary software without any mention of the GPL.

For example if I write a hello world terminal program, release its source code under GPLv3 and then build it and give the built binary to you (and a permission to use it), you cannot force me to give you the source code for that build because I never gave you a GPL licensed binary.

If you were to take my GPLv3 source code and distribute a build of it however, you would have to license your binaries under GPLv3, because that's the terms of the license I provided the source code to you under. Your users would then have the right to request the source code of those binaries from you. And if you released the build under an incompatible license, I (but not the users) could sue you for violating my license.

Their previous versions, still being under the GPL, would require them to release a change to make it usable on desktops.

License violations are usually not resolved by making the violator comply retroactively, just going forward. And it's the copyright holder (so BitWarden themselves) who needs to force the violator to comply.

^* this is the relevant part of the CA:

By submitting a Contribution, you assign to Bitwarden all right, title, and interest in any copyright in the Contribution and you waive any rights, including any moral rights or database rights, that may affect our ownership of the copyright in the Contribution.

It is followed by a workaround license for parts of the world where copyright cannot be given up.

[–] [email protected] 17 points 1 month ago

further translating it: they are closing it down but trying to make it look like they arent

[–] [email protected] 17 points 1 month ago

Also important to note is that they are creating the same license problems in other places.

They broke f-droid builds 3 months ago and try to navigate users to their own repo now. Their own repo ofc not applying foss requirements, because the android app is no longer foss as of 3 months ago. Now the f-droid version is slowly going out of date, which creates a nice security risk for no reason other than their greed.

Apparently they also closed-sourced their "convenient" npm Bitwarden module 2 months ago, using some hard to follow reference to a license file. Previously it was marked GPL3.

[–] [email protected] 48 points 1 month ago

They're trying to argue legal technicalities because acknowledging that they're trying to reduce compatibility with servers like vaultwarden would be bad PR.

Per their new license, anyone that uses their SDK to build a client cannot say, "this is for Bitwarden and compatible servers like vaultwarden". They cannot support those other servers, per their license. Anyone that gets suckered into using their SDK now becomes a force against alternative implementations.

[–] [email protected] 22 points 1 month ago

The main program is open, but the development tools are not

[–] [email protected] 24 points 1 month ago

plan to resolve

timeline unknown, maybe 2124

[–] [email protected] -2 points 1 month ago

There is always a very vocal minority itching to cause as much drama as possible. It's very discouraging to see in general. I agree with and want more FOSS, but I'm not sure I'd ever consider making it myself; it's not worth extra stress personally.