Pull request #10974 introduces the @bitwarden/sdk-internal dependency which is needed to build the desktop client. The dependency contains a licence statement which contains the following clause:
You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.
This violates freedom 0.
It is not possible to build desktop-v2024.10.0 (or, likely, current master) without removing this dependency.
They’re trying to argue legal technicalities because acknowledging that they’re trying to reduce compatibility with servers like vaultwarden would be bad PR.
Per their new license, anyone that uses their SDK to build a client cannot say, “this is for Bitwarden and compatible servers like vaultwarden”. They cannot support those other servers, per their license. Anyone that gets suckered into using their SDK now becomes a force against alternative implementations.
They claim the SDK and Bitwarden are completely separate, so Bitwarden is still open source.
The fact that the current version of Bitwarden doesn’t work at all without the SDK is just a bug, which will be fixed Soon™
Also important to note is that they are creating the same license problems in other places.
They broke f-droid builds 3 months ago and try to navigate users to their own repo now. Their own repo ofc not applying foss requirements, because the android app is no longer foss as of 3 months ago. Now the f-droid version is slowly going out of date, which creates a nice security risk for no reason other than their greed.
Apparently they also closed-sourced their “convenient” npm Bitwarden module 2 months ago, using some hard to follow reference to a license file. Previously it was marked GPL3.
Iirc, once reported, the project has 30 days to remedy or they are in violation of the license. They can’t even release a new version with a different license since this version is out under the GPL.
Given that they own all of the source code (CLA is required to contribute), they can just stop offering the code under GPL, unless they happen to have any GPL dependencies not under their control, in which case this would not be viable.
