Desktop version 2024.10.0 is no longer free software

[brjsp]

Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:

You may not use this SDK to develop applications for use with software other
than Bitwarden (including non-compatible implementations of Bitwarden) or to
develop another SDK.

This violates freedom 0.

It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.

[bitwarden-bot]

Thank you for reporting this issue! We've added this to our internal tracking system.
ID: PM-13815

[brjsp]

Namely trying to build with bitwarden_license directory removed (like we have been always doing) and sanitized node_modules results in the following:

[Prel] assets by status 30.6 KiB [cached] 1 asset
[Prel] orphan modules 28.2 KiB [orphan] 25 modules
[Prel] ./src/preload.ts + 25 modules 28.4 KiB [not cacheable] [built] [code generated]
[Prel]
[Prel] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/abstractions/sdk/sdk.service.ts
[Prel] 3:32-57
[Prel] [tsl] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/abstractions/sdk/sdk.service.ts(3,33)
[Prel]       TS2307: Cannot find module '@bitwarden/sdk-internal' or its corresponding type declarations.
[Prel]
[Prel] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/abstractions/sdk/sdk-client-factory.ts
[Prel] 1:37-62
[Prel] [tsl] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/abstractions/sdk/sdk-client-factory.ts(1,38)
[Prel]       TS2307: Cannot find module '@bitwarden/sdk-internal' or its corresponding type declarations.
[Prel]
[Prel] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/services/sdk/default-sdk.service.ts
[Prel] 3:54-79
[Prel] [tsl] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/services/sdk/default-sdk.service.ts(3,55)
[Prel]       TS2307: Cannot find module '@bitwarden/sdk-internal' or its corresponding type declarations.
[Prel]
[Prel] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/services/sdk/default-sdk-client-factory.ts
[Prel] 1:21-46
[Prel] [tsl] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/services/sdk/default-sdk-client-factory.ts(1,22)
[Prel]       TS2307: Cannot find module '@bitwarden/sdk-internal' or its corresponding type declarations.
[Prel]
[Prel] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/services/sdk/default-sdk-client-factory.ts
[Prel] 2:24-81
[Prel] [tsl] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/services/sdk/default-sdk-client-factory.ts(2,25)
[Prel]       TS2307: Cannot find module '@bitwarden/sdk-internal/bitwarden_wasm_internal_bg.wasm' or its corresponding type declarations.
[Prel]
[Prel] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/services/sdk/noop-sdk-client-factory.ts
[Prel] 1:37-62
[Prel] [tsl] ERROR in /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/libs/common/src/platform/services/sdk/noop-sdk-client-factory.ts(1,38)
[Prel]       TS2307: Cannot find module '@bitwarden/sdk-internal' or its corresponding type declarations.
[Prel]
[Prel] 6 errors have detailed information that is not shown.
[Prel] Use 'stats.errorDetails: true' resp. '--stats-error-details' to show it.
[Prel]
[Prel] webpack 5.94.0 compiled with 6 errors in 14233 ms
[Prel] npm error Lifecycle script `build:preload` failed with error:
[Prel] npm error code 1
[Prel] npm error path /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/apps/desktop
[Prel] npm error workspace @bitwarden/[email protected]
[Prel] npm error location /home/abuild/rpmbuild/BUILD/bitwarden-2024.10.0/apps/desktop
[Prel] npm error command failed
[Prel] npm error command sh -c cross-env NODE_ENV=production webpack --config webpack.preload.js
[Prel] npm run build:preload exited with code 1

[xndc]

Also see bitwarden/sdk-sm#898. It looks like this is part of a deliberate campaign by Bitwarden, Inc. to fully transition Bitwarden to proprietary software, despite consistently advertising it as open source, without informing customers about this change.

For whatever the opinion of one user is worth, I've switched away from Bitwarden due to this.

[aphedges]

I noticed and reported a similar problem with the NPM releases of the CLI client (#10648) two months ago, and I have yet to receive a response. Bitwarden definitely seems to be moving away from being open-source software without making any sort of announcement about it.

[rafntor]

what alternatives do you guys recommend?

[iHarryPotter178]

Bitwarden was good to me.. Now it's time to switch to alternatives...

[adrian-afl]

Best alternative is to fork the version before this change!

[LalOpen]

Ohhh noooo... That's a shame. You're right: i'll go to a fork or to any alternative!

[impredicative]

i'll go to a fork or to any alternative!

I would be careful going to "any alternative". It's your passwords you're talking about.

Also, a fork of the client still leaves the open issue of relying on the server service or software.

[Gallocon]

This is... concerning to say the least. I'm a long term paid Bitwarden user, and it's making me reconsider that decision.

[cat-pat]

https://github.com/dani-garcia/vaultwarden

[ludouzi]

I'll be looking for an alternative after hearing this. Quietly moving away from open source raises serious concerns.

[zarlo]

7.3 The Company may at any time, terminate the License Agreement with you if:
........
d) the Company decides to no longer provide the SDK or certain parts of the SDK
to users in the country in which you are resident or from which you use the
service, or the provision of the SDK or certain SDK services to you by the
Company is, in the Company’'s sole discretion, no longer commercially viable or
technically practicable.

well so it can be striped from us at any time?

[impredicative]

https://github.com/dani-garcia/vaultwarden

That's interesting for a server, and while the server has a web client, are there comparable open source clients too for desktop and/or mobile?

[stukinnear]

what alternatives do you guys recommend?

If it's for the home Vaultwarden.

[NikunjKhangwal]

No no no, not Bitwarden please. A service i dearly loved and was satisfied with :(

[JeanneD4RK]

what alternatives do you guys recommend?

If it's for the home Vaultwarden.

Why home use only ?

[Ollie1101]

enshitification is inevitable with these god forsaken companies

[GauthierPLM]

Note that the SDK is used (and enabled as a feature flag) not only in the release of desktop app, but also in the browser, CLI and web clients.

This mean that all versions of BitWarden 2024.10.0 are using the SDK.

[Foosec]

How many times do we have to teach companies that try to rug pull this lesson, you want to end up like redis? This is how you end up like redis.

[Yaikava]

Yikes, that sucks

[impredicative]

enshitification is inevitable with these god forsaken companies

It's practically a given with almost any VC (venture capital) or PE (private equity) backed company with worth between 10 million and 1 trillion USD. When outside of this range, they can do what they want.

People keep getting surprised every time this happens, but it's so common as to be inevitable indeed.

[ssddanbrown]

Bitwarden has before released projects advertised as "open source" while not under a non-open restrictive license details, discussion. This may now indicate a pattern or direction.

[ninjadev64]

This sucks. I am going to develop an alternative desktop app which wraps Vaultwarden's web interface using Tauri, if anyone is interested.

[Paddy-NI]

So I guess all my customers and myself of course will be moving to an alternative.

[ercoppa]

Removed the annual subscription (never used the extra features, I had it only to support the project) and moving away very soon to a truly free software solution. Very disappointed since I have pushed a lot of people toward Bitwarden.

[LalOpen]

Very disappointed since I have pushed a lot of people toward Bitwarden.

Same to me. And I quite regret it now...

[russeg]

Spirit of open source died long time ago. Open source is now a business model.

[kspearrin]

Hi @brjsp,
Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
 

1. the SDK and the client are two separate programs
2. code for each program is in separate repositories
3. the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

[LalOpen]

Spirit of open source died long time ago. Open source is now a business model.

According to me, the spirit of open source still lives in free software philosophy.

[kspearrin]

@brjsp thanks again for submitting the concern here. We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there.