Do free premium and organization features kill the project?

[Gregor-Agnes]

First, thank you for the great implementation and your efforts. Lately I installed and tested both the bitwarden_rs package and the official package on my NAS.

They work really fine :)

I then noted that your implementation offers all the premium and organization features for free, that are the only way to make money for the original project.

Quote from bitwarden:

Since we offer so much in bitwarden at no cost, it’s also a challenge for us to find ways to add value in order to monetize. Monetizing enables us to stay focused and continue to make bitwarden the quality product that you enjoy today.

I think it would be fair to mention this in your documentation and encourage the users - those who can affort it - to subscribe for premium features just to keep the great project alive. Am I wrong? What do you think?

[dani-garcia]

Yeah, some users have already asked me about donating to the project and I've pointed them to the upstream project, but we could definitely mention it somewhere. We depend a lot on all the upstream clients and bitwarden_rs wouldn't be much without those, so it seems only fair.

[mprasil]

I think that if anyone uses bitwarden_rs for financial reasons, they are very likely gaming themselves. Hosted Bitwarden solution is very reasonably priced and unless you live in a country with very low income rates you probably spent much more money in form of your (valuable) time than you would spend for the paid hosted solution.

From my experience majority of the users have completely different reasons to use bitwarden_rs and often enough they deploy the service on hardware that would never run the OG API. (Raspberry pi, various NAS devices, etc..) Also usually the deployments are single user only and wouldn't even require the paid account anyways.

I think it was Sytse Sijbrandij (Gitlab founder) that said, that people willing to install and maintain their own server usually wouldn't pay for your service anyways and would just use something else instead.

So I'm not really convinced that this is any noticeable monetary loss for the upstream.

Having said that I would like to have some better option to support project other than paying for unused licence. Some form of donation option or something like that.

[mprasil]

I've created a wiki page where users can share ideas how to support the upstream project. Let's use it as idea pool of things users can do to support the project.

[PrivatePuffin]

I want to add something to this:
Legally you just pay for a subscription to use their servers. The selfhosting unlock they present as a "feature" for premium membership isn't legally a thing.

Simply put:

• Normally you Buy/Rent a licence to use a premium features set, for example Windows Pro.
• In this case you don't legally buy/rent a licence, because the AGPL licence already permits almost everything you reasonably use a premium licence for.
• Selling a licence to already (A)GPL licenced selfhosted/on-premise alone, would, under some jurisdiction, be considered to be fraud. Due to you not actually buying/renting anything at all, not even a licence.
• They circumvent this by bundling it with the subscription to using those features on their servers.

It might be worth noting that there are many people do not approve of adding arbitrary limits in (A)GPL code and selling the "privilage"/"service" of "unlocking" it. While its still opensource, it's shady at best.

It gets even more shady when you realise that said company does itself use quite a lot of free services like DockerHub to cut distribution costs.

And: Don't get me started about the installation keys which are used to gather personal information (email adresses and such) and the (unused) hidden feature for them to ban keys. Or them doing their best to add multiple layers of security to prevent people creating their own licencing system (putting licence cert inside the DLL, adding mostly useless fingerprinting etc.)

What I tried to say with the above rant is the following:
This company is not morally white/good, but rather gray. Depending the legal system you reside in and your personal moral stance, they can be darker or ligher gray.

But please, don't make them look like a saint.

[mprasil]

I don't think you're correct there @Ornias1993, GPL explicitly allows selling the software.

The fact that you can grab and modify the sources to get full functionality without license key does not automatically mean you are "not actually buying/renting anything". You are using binaries provided by 8bit Solutions LLC, they can ask for money and the only condition is that they also need to provide source code.

Actually the fact that they provide the source code even for non-customers is beyond what GPL requires. It's just very common practice, but only actual customers are entitled to get the source code from developers. (according to GPL)

[PrivatePuffin]

It isn't about what the GPL allows, its about law.
While you can sell binaries of something that has free sourcecode, selling a licence for something that already has a free more permissive licence (or binaries for something that is already freely available) , is considered to be fraud under some jurisdictions.

Anyway: you don't "sell" software. You sell the service "distribution of binaries" and/or "Licences" legally speaking. Of which payed distribution is indeed allowed by the (A)GPL. However, above referenced legal systems might not allow selling faux licences which overrules the GPL.

However: (A)GPL itself does not allow selling licences for (A)GPL code thats owned by someone else, because it doesn't grant you the right to add licences or relicence. (which is required for giving licenes on the code. Considering 8 bit is not the only entity that wrote code in that repo, they don't have full ownership including relicencing rights.

Luckily they don't and they actually sell a subscription, which is fine. :)
But I personally don't like they way they seem to be flirting with violations and their marketing making it seem like self-hosting is limited to certain subscriptions (which actually, is not allowed in my country under "dwaling" and lead to a situation where subscription contract might be legally voidable)

Actually, it's AGPL which actually requires to publish the sourcecode for all users of the software either directly or as users of a service hosting the software, not just consumers.

Ergo.
I don't try to have a debate, I just wanted to make VERY clear, they are clearly not some angelic entity and they are surely not moraly white. Even limited to this project.

I tried to be short and simple and that skips a LOT of legal nuances. But no: They are both legally and morally not a saint. Thats all i wanted to make clear.

If you want more info, pay for legal advice ;)