Bitwarden has sought to calm user backlash in the wake of source code changes that had raised concerns among users.
Phoronix readers recently flagged concerns about the company’s apparent shift away from an open source model. The password manager platform has traditionally operated on a ‘freemium’ model, providing some code as open source.
But a pull request earlier in October 2024 raised eyebrows due to the fact the Bitwarden client introduced a “bitwarden/sdk-internal” dependence to the desktop client.
Bitwarden changes
The firm’s license statement noted: “You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.”
This statement in particular prompted speculation that the move could mean the Bitwarden client would no longer be freely available to users, with a GitHub issue further fueling speculation over the rumored move.
It looks like this is part of a deliberate campaign by Bitwarden to fully transition Bitwarden to proprietary software, despite consistently advertising it as open source, without informing customers about this change,” one user wrote.
“For wherever the opinion of one user is worth, I’ve switched away from Bitwarden due to this.”
While initial concerns were raised, Bitwarden has since clarified the issue. In a comment on GitHub, Bitwarden founder and CTO Kyle Spearrin sought to calm user concerns, commenting this was the result of a ‘packaging bug’.
Spearrin confirmed that Bitwarden has “made some adjustments” to how the SDK code is organized and packaged. This will allow users to continue building and running the app with only GPL/OSI licenses included, Spearrin added.
“The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients,” he said.
“The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds,” Spearrin added.
Following the move, the original sdk repository will be renamed to ‘sdk-secrets’, Spearrin revealed. This will retain its existing Bitwarden SDK License structure for the platform’s secrets manager business products.
“The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there.”
Open source licensing concerns continue
While Spearrin and Bitwarden have since clarified the changes, user concerns over a potential shift away from open source licensing aren’t without justification.
A host of open source solutions providers in recent years have made shock moves away from open licensing to more restrictive terms of use, such as MongoDB.
In 2023, HashiCorp sparked criticism from some industry stakeholders after it changed its source code license to the Business Source License (BSL).
More recently, Redis again prompted criticism when it revealed future Redis releases were to be made available under RSALv2 (Redis Source Available License) and SSPLv1 (Server Side Public License) licenses.