Password Manager Bitwarden Makes Changes to Address Concerns Over Open Source Licensing (github.com) 10
Bitwarden describes itself as an "open source password manager for business." But it also made a change to its build requirements, which led to an issue on the project's GitHub page titled "Desktop version 2024.10.0 is no longer free software."
In the week that followed, Bitwarden's official account on X.com promised a fix was coming. "It seems a packaging bug was misunderstood as something more, and the team plans to resolve it. Bitwarden remains committed to the open source licensing model in place for years, along with retaining a fully featured free version for individual users." And Thursday Bitwarden followed through with new changes to address the concerns.
The Register reports the whole episode started because of a new build requirement added in a pull request a couple of weeks ago titled "Introduce SDK client." This SDK is required to compile the software from source — either the Bitwarden server or any of its client applications... [But the changed license had warned "You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK."]
Phoronix picks up the story: The issue of this effectively not making the Bitwarden client free software was raised in this GitHub issue... Bitwarden founder and CTO Kyle Spearrin has commented on the ticket... "Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug." The ticket was subsequently locked and limited to collaborators.
And Thursday it was Bitwarden founder and CTO Kyle Spearrin who again re-appeared in the Issue — first thanking the user who had highlighted the concerns. "We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.
The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there."
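The practical question behind the whole episode is whether a from-source build's dependency closure contains only free-software licenses. The following is an added example, not Bitwarden's code and not part of the original story: a small Node.js license audit that walks a list of package.json-style manifests and reports every package whose declared license is not on an allowlist of GPL/OSI identifiers. The manifests, package names (`@example/sdk-internal`, `@example/sdk-secrets`, and the rest) and license strings are constructed for the example; the allowlist is an assumption you would tune to your own policy.

```javascript
// Added example (not Bitwarden's code): audit a dependency closure so that
// every package's declared license is on an allowlist of GPL/OSI licenses.
// All package names and license strings below are constructed for the example.

// Allowlist of SPDX identifiers accepted in a "free software only" build (assumption).
const ALLOWED = new Set([
  "GPL-3.0-only", "GPL-3.0-or-later", "GPL-2.0-or-later", "LGPL-3.0-or-later",
  "AGPL-3.0-only", "MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
]);

// Normalise the shapes a license declaration takes in package.json: a plain
// SPDX string, an SPDX expression "(A OR B)", an object {type: ...}, the legacy
// `licenses: [{type: ...}]` array, or nothing at all (returned as null).
function declaredLicense(manifest) {
  if (typeof manifest.license === "string") return manifest.license;
  if (manifest.license && typeof manifest.license.type === "string") return manifest.license.type;
  if (Array.isArray(manifest.licenses)) {
    return "(" + manifest.licenses.map((l) => l.type).join(" OR ") + ")";
  }
  return null;
}

// Evaluate an SPDX expression against the allowlist with a tiny recursive-descent
// parser. "OR" means any acceptable branch suffices; "AND" means every branch
// must be acceptable; "WITH <exception>" is kept as part of the identifier, and
// the deprecated "GPL-2.0+" shorthand is rewritten to "-or-later".
function expressionAllowed(expr, allowed) {
  const tokens = expr.match(/\(|\)|[^\s()]+/g) || [];
  let pos = 0;
  function parseOr() {
    let ok = parseAnd();
    while (tokens[pos] === "OR") { pos++; ok = parseAnd() || ok; }
    return ok;
  }
  function parseAnd() {
    let ok = parsePrimary();
    while (tokens[pos] === "AND") { pos++; ok = parsePrimary() && ok; }
    return ok;
  }
  function parsePrimary() {
    if (tokens[pos] === "(") { pos++; const ok = parseOr(); pos++; return ok; }
    let id = tokens[pos++];
    if (tokens[pos] === "WITH") { id += " WITH " + tokens[pos + 1]; pos += 2; }
    if (id.endsWith("+")) id = id.slice(0, -1) + "-or-later";
    return allowed.has(id);
  }
  return parseOr();
}

// Return one record per package that fails the policy; an empty array means
// the closure builds with allowlisted licenses only.
function auditLicenses(manifests, allowed = ALLOWED) {
  const violations = [];
  for (const m of manifests) {
    const lic = declaredLicense(m);
    if (lic === null) {
      violations.push({ name: m.name, license: null, reason: "no license declared" });
    } else if (!expressionAllowed(lic, allowed)) {
      violations.push({ name: m.name, license: lic, reason: "not on allowlist" });
    }
  }
  return violations;
}

// Constructed sample closure (names, versions and licenses are assumptions).
const SAMPLE_CLOSURE = [
  { name: "@example/client", license: "GPL-3.0-only" },
  { name: "@example/sdk-internal", license: "GPL-3.0-only" },
  { name: "@example/sdk-secrets", license: "SEE LICENSE IN LICENSE.md" }, // proprietary text
  { name: "dual-licensed-lib", license: "(MIT OR Apache-2.0)" },          // either branch OK
  { name: "and-licensed-lib", license: "(MIT AND CC-BY-4.0)" },           // one branch not OK
  { name: "legacy-lib", licenses: [{ type: "BSD-3-Clause" }] },          // legacy array form
  { name: "plus-lib", license: "GPL-2.0+" },                              // deprecated shorthand
  { name: "mystery-lib", version: "1.0.0" },                              // no license at all
];

function auditSample() {
  return auditLicenses(SAMPLE_CLOSURE);
}

for (const v of auditSample()) {
  console.log(`${v.name}: ${v.reason}${v.license ? ` (${v.license})` : ""}`);
}
```

In a real build you would feed `auditLicenses` the manifests under `node_modules` (or the entries of a lockfile) rather than the constructed list, and fail the build on a non-empty result; the parser is deliberately strict, so free-text values such as "SEE LICENSE IN ..." or "UNLICENSED" are flagged rather than silently accepted.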
"only uses GPL licenses at this time" (Score:5, Funny)
"Damnit, they noticed. We'll try again later."
Is open source eating the world? (Score:2)
Could be just coincidence, there seem to be more or more frequent moves to put restrictions around what was previously free software. The motive always seems to be around successful projects, open and paid, using the open source, and even in instances where the open source consumers are doing nothing wrong.
We still need to figure out how to get quality open source paid for consistently.
Re: (Score:3)
Bitwarden's pricing is quite reasonable - $40/year for a family plan, $10/year for an individual. All people need to do is decide they're willing to pay for the software they want to use.
We subscribe to the Bitwarden family plan, FWIW.
Re: (Score:2)
Careful with the family plan if you share a lot of credentials. After you've got a few thousand credentials stored, the client side performance turns to crap because it's not very well designed. Basically the entire vault gets stored in memory once you've opened it. Works great for small scale, but despite that they sell an enterprise plan, it'll only do somewhat ok for smaller shops. Their enterprise licensing mechanism is also prone to leaving you with unexpected outages even when your license hasn't expired.
Re: (Score:2)
Our family organization currently includes somewhat fewer than 200 items. My personal vault is bigger, somewhere around 600-700 entries. We haven't seen any performance issues to this point.
Anecdotally, I see better performance with Bitwarden than I see with our LastPass work vault, which has fewer items and is shared only by a 5-person team.
Re: (Score:2)
Careful with the family plan if you share a lot of credentials. After you've got a few thousand credentials stored, the client side performance turns to crap because it's not very well designed. Basically the entire vault gets stored in memory once you've opened it. Works great for small scale, but despite that they sell an enterprise plan, it'll only do somewhat ok for smaller shops. Their enterprise licensing mechanism is also prone to leaving you with unexpected outages even when your license hasn't expired.
Storing a few thousand credentials (username + passwords, possibly 2FA credentials if they support that) in memory should still be negligible, maybe 100 kB? Also, for one of the values (username) they could reduce memory usage by an order of magnitude in most cases if necessary.
Re: (Score:2)
The linked Register article [theregister.com] actually has some interesting stuff around Bitwarden's VC funding ($100M) and its employment of the creator of sort-of-competitor product Vaultwarden.
As someone who has "set up local Bitwarden" on my TODO list for a couple of years, I quickly changed it to "set up Vaultwarden" and now I'm not sure that project has any longevity.
Self-Hosted (Score:3)
One thing that I love about Bitwarden is that they let you have a self-hosted server. And there's a re-implemented compatible server, Vaultwarden, that is simpler, which is what I use. My password vault never leaves my network.