this post was submitted on 25 Oct 2024
220 points (98.7% liked)

Open Source

31184 readers
249 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml
220
Bitwarden update: sdk-internal now GPL, sdk/sdk-secrets to remain proprietary but not used in clients (github.com)
submitted 2 weeks ago by Atemu@lemmy.ml to c/opensource@lemmy.ml
37 comments fedilink hide all child comments
 

@brjsp thanks again for submitting the concern here. We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there.

This appears at least okay on the surface. The clients' dependency on sdk-internal didn't change but that's okay now because they have licensed sdk-internal as GPL.

The sdk-secret will remain proprietary but that's a separate product (Secrets Manager) and will apparently not be used in the regular clients. Who knows for how long though because, if you read carefully, they didn't promise that it will not be used in the future.

The fact that they had ever intended to make parts of the client proprietary without telling anyone and attempted to subvert the GPL while doing so still remains utterly unacceptable. They didn't even attempt to apologise for that.

Bitwarden has now landed itself in the category of software that I would rather move away from and cannot wholeheartedly recommend anymore. That's pretty sad.

you are viewing a single comment's thread
view the rest of the comments
[–] 7ai@sh.itjust.works 31 points 2 weeks ago (2 children)

The way the founder replied coldly and closed the GitHub issue is pretty telling. Now they're doing damage control.

It's usually better to stay away from VC funded software. They exist for the sole purpose of turning a rich guy's million dollars into 100.

[–] Lojcs@lemm.ee 38 points 2 weeks ago (2 children)

They literally said the issue was an unintentional bug and then fixed it. How is that damage control?

[–] Redjard@lemmy.dbzer0.com 23 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

They were doing the same on other repos for months.
Both their npm module and android client.
On android they tried to get people to add their own fdroid repo because the official fdroid has not had updates for 3 months due to the license changes.

Edit: Looking at it now compared to 4 days ago, they apparently got frdoid to remove bitwarden entirely from the repo. To me this looks like they are sweeping it under the rug, hiding the change pretending it has always been on their own repo they control.

Next time they try this the mobile app won't run into issues, the exact issues that this time raised awareness and caused the outcry on the desktop app, which similarly is present in repos with license requirements.

If they were giving up on their plan, wouldn't they "fix" the android license issue and resume updating fdroid, instead of burning all bridges and dropping it from the repo entirely, still pushing their own ustom repo? Where is the npm license revert?

[–] lemmeBe@sh.itjust.works 9 points 2 weeks ago

Thanks for the input and research.

[–] Atemu@lemmy.ml 2 points 2 weeks ago

One does not "accidentally" build a proprietary SDK for months and make the clients depend on it, intentionally violating the GPL.

They even publicly admitted to doing precisely that, defending their GPL violation with dubious claims how the GPL supposedly works.

[–] Eyck_of_denesle@lemmy.zip 17 points 2 weeks ago (3 children)

Open source community getting too reactionary ngl

[–] Corgana@startrek.website 23 points 2 weeks ago (1 children)

Did you know that Mozilla is literally worse than Google and Meta? It's true! Line 4,362 of the old "Firefox Send" source code contains a unicode character that in a very specific part of papua new guinea is used as a mark of shame against trans people. Also I am not paid by Google!

[–] Telorand@reddthat.com 8 points 2 weeks ago (1 children)

Also, Mozilla never said they don't use actual fox skins to warm their devs during development, so one can only wonder why they've been so silent on that glaring issue...

/s

[–] Corgana@startrek.website 3 points 2 weeks ago

Concerning 🤔

[–] lemming741@lemmy.world 6 points 2 weeks ago

Gotta let companies know you're watching

[–] Engywuck@lemm.ee 2 points 2 weeks ago

Drama and pitchforks over nothing, as usual.