Concerns Over Bitwarden Moving Away from Open Source: What Does Our Future Hold?

Hello Bitwarden community,

I have recently heard some concerns regarding Bitwarden moving away from its open-source model, and I wanted to discuss this topic with all of you. In particular, the recent addition of the “bitwarden/sdk-internal” dependency to the Bitwarden client and the accompanying licensing changes have raised some questions about what this shift might mean for us.

I’m wondering how the limitation of the SDK to only work with Bitwarden’s products might affect us as users. This situation poses risks concerning our security, privacy, and the open-source nature of the software. Furthermore, if Bitwarden adopts a more closed model in the future, it could negatively impact our community’s ability to contribute to the development of the software.

I’m curious about your thoughts on this matter:

→ How do you think Bitwarden’s recent steps will impact the user experience?
→ What are your views on these changes from the perspective of open-source software philosophy?
→ Are you considering alternatives to a password manager, or do you plan to continue using Bitwarden?

I would appreciate your insights and thoughts on this topic. Together, we can better understand this situation!

Sources:
It's time to leave Bitwarden
https://www.phoronix.com/news/Bitwarden-Open-Source-Concerns

4 Likes

Hi @chomar, Gary from Bitwarden here. It seems like a packaging bug was misunderstood as something more, and the team plans to resolve it. Bitwarden remains committed to the open source licensing model in place for years, along with retaining a fully featured free version for individual users.

4 Likes

I also note that there have been discussions in:

The Reddit post above has comments from Kyle matching what Gary said above, including:

Everything that we do has not been FOSS for many years now. We have several business/enterprise products that we sell under a proprietary source available license. Essentially an open core model. We have no plans to change that strategy.

The licensing FAQ also hasn’t substantially changed since at least Oct 2021:

Our current software products have the following licenses:

Bitwarden clients: The core password management code for individual password vaults, including Desktop, Web, Browser, Mobile, and CLI versions, is available under the GPL 3.0 license.

Bitwarden server: The main Bitwarden server code is licensed under the AGPL 3.0 license.

So, back to your questions, in my opinion:
→ For most users, nothing. Bitwarden is not changing feature sets, pricing tiers, or access to the source code. In the Reddit post, Kyle was talking about the strategy of retaining the GPL and AGPL licenses alongside proprietary, source-available software, which may be controversial/unacceptable to a portion of the OSS community. If this is unacceptable, then these people will most likely move off Bitwarden. For people using Vaultwarden, I don’t know. For people using Goldwarden, probably nothing (but we have to ask @quexten for that).
→ This licensing model seems to date back as far as Oct 2021; it only comes to a harsh light because of a possible mistake in packaging. I personally am not attached to FOSS software, but being able to inspect the code itself is a very good feature to have.
→ Personally, no, but I note that it’s easy to move completely/partially off Bitwarden. Bitwarden has become a standard, and I don’t see a problem if there’s a need to move off BW.

2 Likes

Goldwarden does not use any Bitwarden code or the sdk whatsoever.

I’ll note that policy wise nothing changed. The referenced issue is a packaging bug, but the goal still is the dual licensing model, with the core being open source, and some (mostly enterprise) features being source-available. This is how the Bitwarden clients have worked the past years too; for instance sso login was never included in the OSS version of the Bitwarden clients.

1 Like

My understanding is that there have not been any “recent” intentional changes, but that there has been (for some time) a question about the extent to which derivatives of the Bitwarden source code can be compiled and distributed under the GPL.

This will not affect users who are not developers. The SDK is only necessary if you are compiling Bitwarden source code yourself for distribution to other users.

Switching doesn’t really make sense, unless you are a developer who had plans to develop Bitwarden-adjacent products, or perhaps a hardcore FOSS-absolutist who objects on a philosophical basis.

2 Likes

And here is a bug-fixed statement from Kyle:
