Bitwarden's FOSS halo slips as new SDK requirement locks down freedoms

Arguments continue but change suggests it's not Free Software anymore


The Bitwarden online credentials storage service is changing its build requirements – which some commentators feel mean it's no longer FOSS.

The question has been highlighted by a new issue on the project's GitHub page, with the strong title "Desktop version 2024.10.0 is no longer free software."

This is because of a new build requirement, added in a pull request a couple of weeks ago titled "Introduce SDK client." This SDK (software development kit) is required to compile the software from source – either the Bitwarden server or any of its client applications. The problem is that although the SDK is available, it is under a license that means it's not free software. The license says:

3.3 You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.

Restricting what users can do with the software violates the first of GNU's four essential freedoms. In other words, although you can get the source code, the restrictions on what you can do with it mean that it's not truly open source anymore.

Although the license is different, the comparisons with other not-so-open-sourcey-anymore companies and products, from Hashicorp to Redis, are irresistible.

The issue hasn't attracted much discussion on GitHub itself because Kyle Spearrin, the company's chief technical officer, responded that the FOSS Bitwarden tools and the SDK were not the same thing:

  1. the SDK and the client are two separate programs
  2. code for each program is in separate repositories
  3. the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

He then closed and locked the discussion. However, this claim appears contractually doubtful as it may fall under the GPL's provisions regarding the aggregation of software.

There are other Bitwarden-compatible tools out there, such as the Rust-based replacement server Vaultwarden. However, since that first appeared, lead developer Daniel García was hired by Bitwarden. As such, its existence as an independent alternative is dubious.

There were signs long in advance. Back in September 2022, Abdullah Atta, lead developer of Notesnook, a similar secure and encrypted online storage tool, blogged that "It's time to leave Bitwarden." His reasoning was that Bitwarden had just obtained $100 million of venture capital financing. He predicted that the company would move away from FOSS in the direction of raising revenue, and it looks like he was right.

Bad news for our own SJVN, who just a few months later wrote that it was time to dump LastPass for open source Bitwarden – although he did say "Bitwarden is a kinda sorta open source program." It looks rather like it's a little less so now, as noted by some amusingly snarky comments on the Fediverse.

There are many other alternatives out there, from Buttercup to KeePassXC. Many will require you to synchronize your own password database between computers, either on your own, or using other cloud services. Or you could use a FOSS tool such as SyncThing. Note, however, that SyncThing just discontinued its official Android client – but independent ones remain available. ®
