
License is not FOSS-compatible. #898

Closed
1 task done
RokeJulianLockhart opened this issue Jul 11, 2024 · 23 comments
Labels
bug Something isn't working

Comments

@RokeJulianLockhart

RokeJulianLockhart commented Jul 11, 2024

Steps To Reproduce

Attempt to compile the package to enter it into the F-Droid repository, per https://gitlab.com/fdroid/rfp/-/issues/114.

Expected Result

It should utilize a FOSS-compatible license.

Actual Result

  1. https://github.com/bitwarden/sdk/blob/de2a64c10b1e37091adc9eb419e5dc19c6c23971/LICENSE#L1-L295

  2. https://gitlab.com/fdroid/rfp/-/issues/114#note_1995138172:~:text=Given%20that%20Bitwarden%20SDK%20is%20not%20FOSS%20Bitwarden%20can't%20be%20included states:

    Given that Bitwarden SDK is not FOSS Bitwarden can't be included.

Screenshots or Videos

No response

Additional Context

No response

Operating System

Linux

Operating System Version

cpe:/o:fedoraproject:fedora:40, from https://download.fedoraproject.org/pub/fedora/linux/releases/40/Spins/x86_64/iso/Fedora-KDE-Live-x86_64-40-1.14.iso

Build Version

https://github.com/bitwarden/sdk/blob/de2a64c10b1e37091adc9eb419e5dc19c6c23971/

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
@RokeJulianLockhart RokeJulianLockhart added the bug Something isn't working label Jul 11, 2024
@kspearrin
Member

There are no plans to adjust the SDK license at this time. We will continue to publish to our own F-Droid repo at https://mobileapp.bitwarden.com/fdroid/repo/

@hobbes

hobbes commented Jul 11, 2024

woah, that probably means that the whole bitwarden suite is not really open source...

@RokeJulianLockhart
Author

RokeJulianLockhart commented Jul 11, 2024

#898 (comment)

@kspearrin, indeed - there are evidently no plans, hence the issue. This is fairly significant, considering how much of your user base values the fact that BW is FOSS.

#898 (comment)

@hobbes, I've filed an FR at https://community.bitwarden.com/t/bitwarden-is-not-foss/69734/1?u=rokejulianlockhart#:~:text=Bitwarden%20is%20not%20FOSS.

@bt4ibwem8

There are no plans to adjust the SDK license at this time. We will continue to publish to our own F-Droid repo at https://mobileapp.bitwarden.com/fdroid/repo/

Why do you not want to change the SDK licence?

@nvllsvm

nvllsvm commented Jul 13, 2024

There are no plans to adjust the SDK license at this time. We will continue to publish to our own F-Droid repo at https://mobileapp.bitwarden.com/fdroid/repo/

Thank you for continuing to publish those. It's one of the reasons why I initially embraced Bitwarden.


Section 3.3 is particularly concerning. There's ambiguity on whether Vaultwarden would be considered an implementation of Bitwarden.

Additionally, regardless of whether it is or isn't - section 3.3 forbids use of this SDK if Vaultwarden were to no longer be considered an implementation of Bitwarden.

    1.2 "Bitwarden" means the Bitwarden software made available by the Company, available for download at the following URL, as updated from time to time.

    1.3 A "Compatible Application" means any software program or service that (i) connects to and interoperates with a current version of the Bitwarden server products distributed by the Company; and (ii) complies with the Company’s acceptable use policy available at the following URL: https://bitwarden.com/terms/#acceptable_use.

    ...

    3.3 You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.

@yikerman

woah, that probably means that the whole bitwarden suite is not really open source...

@hobbes It doesn't mean it's not open-source. It makes Bitwarden not free-as-in-speech.

@RokeJulianLockhart
Author

RokeJulianLockhart commented Oct 20, 2024

#898 (comment)

@Xiaoyu2006, the more accurate term for this repository would be “source available”, in contrast to “source unavailable”. Any additional distinctions like “open source” or “closed source” unfortunately differ in definition from situation to situation.

Irrespective, ultimately, what we want from this issue is for BW to become FOSS, which means that its source code can be reused for any purpose (whether the author mandates accreditation or not) as https://fsfe.org/freesoftware/comparison.en.html#:~:text=Free%20Software%2C%20Open%20Source%2C%20FOSS%2C%20FLOSS%20%2D%20same%20but%20different explains.

Consequently, a discussion of semantics isn't particularly useful, although I'm thankful for the specification.

@xlionjuan

bitwarden/clients#11611
From Bitwarden's response, we can tell that they are willing to suppress freedom of speech at all costs in order to keep the software closed-source.

@RokeJulianLockhart
Author

RokeJulianLockhart commented Oct 20, 2024

Unfortunately, misconceptions appear to abound here. In retrospect, the premise of this issue that I created is included. Hopefully the undermentioned quotations at least provide some clarity:

  1. Comment #1

    Hi, Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

    1. the SDK and the client are two separate programs
    2. code for each program is in separate repositories
    3. the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

    Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

  2. Comment #2

    Everything that we do has not been open source for many years now. We have several business/enterprise products that we sell under a proprietary source available license. Essentially an open core model. We have no plans to change that strategy.

I understand this rationale, to an extent:

Comment #3

People here are thinking this is going closed source, which is not the case. "Free software" is a very specific thing that usually means a permissive (ex: BSD) or 'copyleft' (GPL-like) license. You can still look through the code and find vulnerabilities. You can still download the code and compile it. What you have lost is distributing forks.

This usually means they are afraid of competitors essentially cloning their technology, or they're concerned about their identity (name, trademark, etc.) being used in products they don't have any control over and which could create negative publicity. The last thing you'd want is someone from some corner of the world releasing something like a Bitwarden-compatible server that steals your passwords. Mozilla has had the same concerns about Firefox for a long time, though they simply restricted use of the name if built not to Mozilla's spec.

However, to have such an important dependency of otherwise entirely FOS software be non-FOSS appears disingenuous when the advertisements explicitly state not that the software adheres to the GPLv3, but that it's FOSS. Bitwarden can utilize the legal definition instead, but to advertise software as FOSS when it's at best solely so in a technically legal sense shan't be thought of well by those who learn of it.

I dare say that BW may have to cope with the Streisand effect from now onward.

Lastly, I suggest that everyone subscribed here at least upvote the undermentioned response to the last aforementioned comment, so that we might gain some more clarity:

Comment #2.1

Would making the SDK also follow the GPL both alleviate everyone's concerns, while still allowing Bitwarden to reserve its rights with the source available license for enterprise products?

@sastromo

sastromo commented Oct 20, 2024

@RokeJulianLockhart thanks for the clarification!
(I removed my previous comment that was clearly based on wrong assumptions)

@RokeJulianLockhart

This comment was marked as off-topic.

@My1

My1 commented Oct 20, 2024

is there no way to keep clients without the SDK as has been done all the time so they can be fully open source without needing this source available extra thing that makes some things kinda annoying?

@RokeJulianLockhart
Author

RokeJulianLockhart commented Oct 20, 2024

#898 (comment)

@My1, it's certainly possible if someone forks the client soon, and maintains that fork. Considering that the PR to implement the SDK was recent, I would be very surprised if the major refactor to implement the SDK's methods (replacing existent methods) couldn't be undone without losing near feature parity. However, the longer that the last commit without the SDK is left without maintenance in a fork, the more difficult that it becomes to revive it.

Without a maintained fork soon, anyone who wishes to create a client that doesn't use the SDK may realize that it might be more trivial to write an entirely new client with a cross-platform language (like .NET Framework via C#, Java, or Python 3) and GUI toolkit (like Qt 6).

@distransient

There are no plans to adjust the SDK license at this time. We will continue to publish to our own F-Droid repo at https://mobileapp.bitwarden.com/fdroid/repo/

You've effectively made it impossible for third parties to distribute any derivatives of your own GPL'd repositories which depend on the SDK code, especially where its contents have been obfuscated, according to the GPL (Section 1):

The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.

Continued (Section 6):

You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:

You cannot have your cake and eat it: do you want to release open source software or not? Historically, software that tries to sit on the fence in the middle has for the most part not endured, usually being superseded by software written under less bizarre models. In this case, there is not even a difficult-to-get-past hardware dependence for these programs, which can easily be replaced with already existing, truly open alternatives. I at least know I shouldn't stake my own confidence in those who are unsure what they even want to happen with derivatives of their software.

@julian-klode

As Bitwarden has combined this work with the client applications into a combined work said to be distributed under the GPL-3, the license terms on the SDK as part of the clients corresponding source must be considered further restrictions as defined in the GPL, and as such the license is null and void as per section 7:

If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term

@RokeJulianLockhart
Author

#898 (comment)

@julian-klode, have you read this comment by a developer involved, as aforecited? I ask because it appears to contradict what you have stated.

@julian-klode

The claim is rather absurd. While ultimately that's for judges to decide and I don't know precedent, the intent of the license is to allow two programs to communicate over standard interfaces without both needing to be GPL. Make no mistake, this is not what happens here, the SDK is directly embedded and called in shared memory, so as is the common understanding (and this is a very common case, to import one module into another) they constitute a combined work.

You can find a detailed explainer in

https://www.gnu.org/licenses/gpl-faq.en.html#MereAggregation

@My1

My1 commented Oct 20, 2024

If they are truly separate programs, it'd be a pretty weird architecture, as the program needs a like API or whatever to connect to the SDK, which then in turn connects to the server. Seems a very intentional thing to me.

If it's just linked as a DLL or whatever, the GPL's infecting, iirc, might get fun again.

@RokeJulianLockhart

This comment was marked as outdated.

@TheScreechingBagel

TheScreechingBagel commented Oct 21, 2024

woah, that probably means that the whole bitwarden suite is not really open source...

@hobbes It doesn't mean it's not open-source. It makes Bitwarden not free-as-in-speech.

The most commonly accepted definition for "open source" is the OSI OSD, which, similar to the FSF Free Software Definition, requires the freedom to (re)distribute derived works: https://opensource.org/osd

Licensing not meeting these basic criteria should not in good faith be called "open source".

@RokeJulianLockhart

This comment was marked as outdated.

@RokeJulianLockhart
Author

#898 (comment)

@kspearrin, I forgot to mention this earlier, but this issue should be closed as "unplanned", not https://github.com/bitwarden/sdk/issues?q=reason%3Acompleted.

@RokeJulianLockhart
Author

RokeJulianLockhart commented Oct 25, 2024

#898 (comment)

The mobile client is again suitable for inclusion in F-Droid, per https://gitlab.com/fdroid/rfp/-/issues/114#note_cf629f7d0a0499cc0e57963e883018da5bfcc712. Shall hide #898 (comment) as resolved.

Specifically, bitwarden/clients#11611 (comment) states (formatting-modified):

We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there.

Summarily, solely this repository's contents – the secrets portion of the SDK – should now be non-FOSS, and are packaged separately to the rest of the SDK, which none of the clients reference anymore, consequently.

An important improvement. Of course, if I've interpreted that comment correctly.

Crossposted to https://community.bitwarden.com/t/bitwarden-is-not-foss/69734/2?u=rokejulianlockhart#:~:text=rokejulianlockhart:-,Bitwarden%20isn%E2%80%99t%20FOSS%2C%20because%20the,I%E2%80%99ve%20interpreted%20that%20comment%20correctly.,-Reply.
