Bitwarden has sought to calm user backlash following changes to the source code that had raised concerns among users.
Phoronix readers recently expressed concern about the company's apparent move away from an open source model. The password management platform has traditionally operated on a 'freemium' model, providing some of the code as open source.
But a pull request in early October 2024 caught attention because it introduced a “bitwarden/sdk-internal” dependency into the Bitwarden desktop client.
Bitwarden Changes
The company's licensing statement notes: “You may not use this SDK to develop applications for use with non-Bitwarden software (including unsupported implementations of Bitwarden) or to develop another SDK.”
This particular statement sparked speculation that the move could mean the Bitwarden client would no longer be freely available to users, and a GitHub issue further fueled speculation about the rumored move.
“It appears this is part of a deliberate campaign by Bitwarden to completely transition Bitwarden to proprietary software, despite constantly announcing it as open source, without informing customers of this change,” one user wrote.
“For whatever one user's opinion is worth, I have stayed away from Bitwarden because of this.”
While initial concerns were raised, Bitwarden has since clarified the issue. In a comment on GitHub, Bitwarden founder and CTO Kyle Spearrin attempted to allay users' concerns, commenting that this was the result of a “packaging error.”
Spearrin confirmed that Bitwarden has “made some adjustments” to the way the SDK code is organized and packaged. This will allow users to continue building and running the application using only GPL/OSI-licensed code, Spearrin added.
“Internal SDK package references in clients now come from a new internal SDK repository, which follows the licensing model we have historically used for all of our clients,” he said.
“The internal SDK reference only uses GPL licenses at this time. If the reference includes Bitwarden-licensed code in the future, we will provide a way to produce multiple client build variants, similar to what we do with web vault client builds,” Spearrin added.
Following the move, the original SDK repository will be renamed 'sdk-secrets', Spearrin revealed. This will maintain the existing Bitwarden SDK licensing structure for the platform's commercial secrets manager products.
“The sdk-secrets repository and packages will no longer be referenced from client applications, as that code is not used there.”
Concerns continue over open source licenses
While Spearrin and Bitwarden have since clarified the changes, user concerns about a possible move away from open source licenses are not without justification.
In recent years, a large number of open source solution providers, MongoDB among them, have taken surprising steps away from open licenses toward more restrictive terms of use.
In 2023, HashiCorp drew criticism from some industry stakeholders after it changed its source code license to the Business Source License (BSL).
More recently, Redis once again drew criticism when it revealed that future versions of Redis would be available under the RSALv2 (Redis Source Available License) and SSPLv1 (Server Side Public License) licenses.