Major Changes to Bitwarden: License Modification Suggests a Move Away from Full Open Source
Note: A response from a Bitwarden engineer has been added at the end of this article.
Bitwarden, known for its open-source password management, lets users choose between its paid hosted version and a self-hosted version that can be built and used for free, with the open-source edition available indefinitely.
Thanks to its open-source nature, developers have been able to fork the project's source code to create versions with unique features, catering to the needs of certain users.
However, this might not be sustainable much longer. Community members have discovered a licensing statement in the @bitwarden/sdk-internal dependency, explicitly stating that this SDK cannot be used for software development outside of Bitwarden or for incompatible implementations.
This license was introduced in pull request #10974, which states:
"You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK." (Note: The English version is authoritative).
In essence, this license allows the use of this SDK exclusively for developing applications, modules, or features for Bitwarden. Utilizing it for developing functionalities or modules for other software breaches the license agreement.
The @bitwarden/sdk-internal dependency is crucial for building various versions of Bitwarden, including desktop, browser, CLI, and web client applications. Attempting to remove this dependency makes it impossible to successfully build any version of Bitwarden, rendering forking and maintaining a version impractical.
Given this, some community users speculate that Bitwarden Inc. might be transitioning from open-source software to proprietary software, potentially halting the open-source project in the future and offering instead a free but closed-source version under certain terms of use.
What does Bitwarden officially have to say about the community discussion? In the discussion on issue #11611, a Bitwarden bot added an internal tracking number, PM-13815, placing the issue on the list for the Bitwarden development team to review.
However, the account @Bitwarden, which is not a bot, locked the topic, preventing new replies or responses to existing ones, without providing any explanation for this issue, suggesting the license change was intentional.
It remains unclear what Bitwarden's intentions are, but similar discussions have emerged in the Gentoo Linux project, indicating an increasing awareness of the license statement within the community.
Bitwarden's large user base owes much to the software being free and open source, which is why the change has left so many speculating. We will continue to monitor and report on this issue.
Discussion 1: Bitwarden Clients Issue #11611
Discussion 2: Gentoo GitHub Pull #39027
Update: A Bitwarden engineer has responded in the issue section, clarifying that:
- The SDK and the clients are two separate programs.
- Each program's code is housed in its repository.
- Their communication via standard protocols does not imply they are a single program under GPLv3 (indicating that the SDK was never intended to be open-sourced under GPLv3).
The inability to build Bitwarden's desktop and other clients without this SDK is a mistake, which will be addressed in the future.