Bitwarden has tried to calm user reactions in the wake of source code changes that had raised concerns among users.
Phoronix readers have recently voiced their concerns about the company’s apparent shift away from an open source model. The password management platform traditionally operated on a ‘freemium’ model and provided some of the code as open source.
But a pull request earlier in October 2024 raised eyebrows due to the fact that the Bitwarden customer had a “bitwarden/sdk-internaldependency on the desktop client.
Bitwarden is changing
The company’s license statement stated: “You may not use this SDK to develop applications for use with software other than Bitwarden (including incompatible implementations of Bitwarden) or to develop any other SDK.”
This statement in particular led to speculation that this move could mean that the Bitwarden client would no longer be freely available to users, with a GitHub issue further fueled speculation about the rumored move.
It appears this is part of a deliberate campaign by Bitwarden to completely transition Bitwarden to proprietary software, despite consistently advertising it as open source, without informing customers of this change,” one user wrote.
“Because wherever the opinion of one user is worthwhile, it is because of this that I switched from Bitwarden.”
Although concerns were initially raised, Bitwarden has since clarified the issue. In a comment on GitHub, Bitwarden founder and CTO Kyle Spearrin attempted to address users’ concerns, noting that this was the result of a “packaging bug.”
Spearrin confirmed that Bitwarden has “made some adjustments” to the way the SDK code is organized and packaged. This allows users to continue building and running the app with only GPL/OSI licenses included, Spearrin added.
“The SDK internal package references in the clients now come from a new SDK internal repository, which follows the licensing model we have used in the past for all our clients,” he said.
“The SDK internal reference currently only uses GPL licenses. In the future, if the reference were to include the Bitwarden license code, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds,” Spearrin added.
Following the move, the original SDK repository will be renamed to “sdk-secrets,” Spearrin revealed. This retains the existing Bitwarden SDK licensing structure for the secrets management platform’s enterprise products.
“The sdk-secrets repository and packages will no longer be referenced from the client apps, as that code is not used there.”
Concerns about open source licensing persist
Although Spearrin and Bitwarden have since clarified the changes, user concerns about a potential shift away from open source licensing are not without reason.
A large number of open source solution providers have made shocking moves from open licensing to more restrictive terms of use in recent years, such as MongoDB.
In 2023, HashiCorp sparked criticism from some industry stakeholders after changing its source code license to the Business Source License (BSL).
More recently, Redis attracted criticism again when it revealed that future Redis releases would be made available under RSALv2 (Redis Source Available License) and SSPLv1 (Server Side Public License) licenses.