this post was submitted on 25 Oct 2024

230 points (97.5% liked)

Linux

47866 readers

2318 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

230

Bitwarden update: sdk-internal now GPL, sdk/sdk-secrets to remain proprietary but not used in clients (github.com)

submitted 1 day ago by Atemu@lemmy.ml to c/linux@lemmy.ml

19 comments fedilink hide all child comments

@brjsp thanks again for submitting the concern here. We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there.

This appears at least okay on the surface. The clients' dependency on sdk-internal didn't change but that's okay now because they have licensed sdk-internal as GPL.

The sdk-secrets will remain proprietary but that's a separate product (Secrets Manager) and will apparently not be used in the regular clients. Who knows for how long though because, if you read carefully, they didn't promise that it will not be used in the future.

The fact that they had ever intended to make parts of the client proprietary without telling anyone and attempted to subvert the GPL while doing so still remains utterly unacceptable. They didn't even attempt to apologise for that.

Bitwarden has now landed itself in the category of software that I would rather move away from and cannot wholeheartedly recommend anymore. That's pretty sad.

top 19 comments

sorted by: hot top controversial new old

[–] fartsparkles@sh.itjust.works 87 points 1 day ago* (last edited 1 day ago) (2 children)

Cool. They got that sorted nice and quickly.

Edit:

I don’t get why people think they’re suddenly doing stuff under a different license to subvert the open nature of the project. They’ve been totally transparent on what isn’t part of the GPL/AGPL licensed code for years.

SSO, the password health service, organisation auth requests, member access report blah blah have been enterprise features under the Bitwarden License for ages and they architected the projects in a clear and transparent way to build without those features since they added them.

[–] Telorand@reddthat.com 15 points 1 day ago

I don’t get why people think they’re suddenly doing stuff under a different license to subvert the open nature of the project.

But then what will I do with my day if I don't have a good reason to be mad at them?

(And thanks for the voice of reason)

[–] doctortran@lemm.ee 6 points 1 day ago (1 children)

What they've done in the past has earned them trust, but it is irrelevant to what they intend to do in the future. Bitwarden is growing company, not the scrappy little open source app they once were.

In 2022, a private equity firm injected 100m into Bitwarden. From that point forward, users are rightfully going to scrutinize any action they take because it's 2024 and the tech space is a hellscape of enshitification and acquisitions, thanks in part to VC money. We've seen this story play out too many times to assume there's nothing to worry about.

So yes, people are going to be suspicious. That's not irrational.

[–] nickwitha_k@lemmy.sdf.org 4 points 1 day ago

a private equity firm injected 100m

That's all that one needs to know. Once those leeches are involved as investors, it's over. They demand enshitification from our destroy everything that they touch for a quick buck.

[–] Miimikko@lemmy.world 22 points 1 day ago* (last edited 1 day ago) (3 children)

Uhh what does this mean for us dummies? For reference I run a self hosted vaultwarden server and connect to it with Bitwarden clients.

[–] superkret@feddit.org 52 points 1 day ago (1 children)

It means all the code you run is open source.
Only the Bitwarden back-end uses proprietary code, which you aren't using when you're self-hosting vaultwarden.

[–] kratoz29@lemm.ee 5 points 1 day ago (1 children)

Only the Bitwarden back-end uses proprietary code

So this was what it changed then?

I also self-host Vaultwarden because it is stupidly simple...

[–] fmstrat@lemmy.nowsci.com 9 points 1 day ago

No, this comment was wrong. Most of the back end is not closed source. One piece of code for secrets management is closed source, that is not used in clients and was accidentally (allegedly) added to the clients, which they removed.

Vaultwarden is open source.

Personally I think people are overreacting. If BitWarden were to do something dumb like shift away from GPL, there would very quickly be a fork.

[–] that_leaflet@lemmy.world 11 points 1 day ago (1 children)

With 2024.10, Bitwarden could no longer be built without their proprietary SDK.

That was deemed a bug and now the SDK is also licensed under the GPL.

[–] fmstrat@lemmy.nowsci.com 3 points 1 day ago* (last edited 1 day ago)

To clarify, the desktop BitWarden client, only.

And this was corrected.

[–] N0x0n@lemmy.ml 9 points 1 day ago (1 children)

I think right now it doesn't mean anything :/. It's more a 'wait&see' situation... However as many many other stories in the past, this doesn't sound good and bitwarden is slowly and carefully following the 'enshitification' path !

Keep an eye open and get ready to switch to another password manager (maybe a fork?).

[–] Buckshot@programming.dev 13 points 1 day ago (1 children)

Yeah I'll willing to give them the benefit of the doubt on this one. Could very easily believe that a dev added the reference without realising the implications and they fixed it very quickly. Will be watching for any future attempts though.

[–] deadcade@lemmy.deadca.de 3 points 1 day ago (1 children)

If this was the case, the phrashing around the issue would've likely been different. Yet bitwarden remained very vague, and even locked github comments on the issue.

Especially considering that a move like this alienates their core target demographic (people who use FOSS), they would've been much more open and much quicker if it wasn't intentional.

I will personally be switching, likely to KeePassXC.

[–] fartsparkles@sh.itjust.works 4 points 1 day ago* (last edited 1 day ago)

They highlighted it was a bug and said it would be fixed very soon after it was flagged. It was addressed in a matter of days. You can build the server with the /p:DefineConstants=“OSS” flag still and you can build the clients with the bitwarden_license folder deleted again (now they’ve fixed it).

I don’t understand why you’re throwing FUD about this. Building without the Bitwarden Licensed code has been possible for years and those components under that license have been enterprise focused (such as SSO). The client is still GPL and the server is still AGPL.

This has been the way for years.

[–] fl42v@lemmy.ml 13 points 1 day ago

Huh, nice to see my initial judgment was incorrect

[–] Gutless2615@ttrpg.network 6 points 1 day ago (1 children)

What does this mean for Vaultwarden?

[–] Eyck_of_denesle@lemmy.zip 22 points 1 day ago (1 children)

All open source baby

[–] fartsparkles@sh.itjust.works 3 points 1 day ago

And it’s made by a Bitwarden developer.