Bitwarden switches password manager and SDK to GPL3 after FOSS-iness drama

Fear not, FOSS fans. Bitwarden isn't going proprietary after all. The company has changed its license terms once again – but this time, it has switched the license of its software development kit from its own homegrown one to version three of the GPL instead. The move comes just weeks after we reported that it wasn't strictly …

  1. Anonymous Coward

    > It does, however, look as if the company is leaving itself room to build more non-FOSS tools in the future.

    As is their right, of course, and good luck to them.

    It's the "bait and switch" that annoys everyone, as it's usually the first step on a path that leads to them charging for (or closing) services people have come to depend on. It sounds like that's not what's happening here, so a tip-of-the-hat to Bitwarden from a satisfied and now largely reassured user.

    1. klh

      I was fully expecting another bait and switch when I read the original news. I was considering migrating to it before, now they have a paid customer.

      1. katrinab Silver badge

        I use a self-hosted Vaultwarden server with the Bitwarden clients.

        1. Anonymous Coward

          That's the other bit I like about them - no BS licensing from a corporate perspective. Self hosting or cloudy - no games, simply costs the same. Full stop. And if you want to self host, here's the code.

          I need to see if I can get this to run on FreeBSD so I can stick on the facilities I have with my ISP.

          1. katrinab Silver badge

            I'm running it on FreeBSD. It is even easier than getting it to run on Linux.

            pkg install vaultwarden

            Do the usual configuration stuff. Set it up in your reverse proxy.

            1. Anonymous Coward

              I'll have to convince my ISP to run that, I don't think this can be executed in my instance from its command line but it's worth asking.

              Thanks for the heads up that it's happy on FreeBSD, would be seriously cool if I could run my own.

        2. Lee D Silver badge

          Vaultwarden appears to suffer heavily from the "We'll just throw everything in Docker" method of package deployment.

          I'm going to have to dig through all those "unofficial" repos to generate a deb package or deploy with apt by the look of it.

          It seems that in the last decade we have thrown away everything to do with basic package management in favour of absolute overblown nonsense like docker, snap, etc.

          1. sweh

            No docker needed

            It's trivially simple to extract the minimum necessary files from the container and run this "native". You don't even need docker engine to do the extract.

            Even better, they document the process at https://github.com/dani-garcia/vaultwarden/wiki/Pre-built-binaries using the docker-image-extract script

            1. Lee D Silver badge

              Re: No docker needed

              Which you have to do manually for every update and their dependencies.

              Welcome to 1990 and Slackware packages.

              It's dumb compared to an "apt-get" "yum install" or whatever equivalent.

          2. katrinab Silver badge

            I installed it on FreeBSD. It is in the ports collection, so really easy to install.

      2. Anonymous Coward

        They just gained an upgrading customer as well - I don't need the family edition, but the ability to separate vaults makes it interesting nevertheless.

  2. ethindp

    I was about to set up vaultwarden or Proton Pass. Hell, I even had imported all my passwords into Proton Pass (but sadly it didn't import my passkeys). I'm very glad to see Bitwarden not being the typical company that does these bait and switches and that they actually give a damn about something like this. I don't mind them making closed offerings in the future, that's one thing, but I do mind when they take an open-source offering and make it closed.

    1. Fred Flintstone Gold badge

      We had a corporate demo from them, with Q&A after.

      Frankly, they were simply the most convincing of all the ones we reviewed, and complete to boot. I did have to laugh as I saw the sales exec cringe when the tech guy said "there's no such thing as perfect security", but that's actually what I liked: zero BS. I prefer companies that are brutally realistic when it comes to security, especially when they're about to supply you with tools to protect your own.

      Hiding from the stark reality benefits nobody. They're out there, and they're getting WAY too smart. The days of script kiddies are gone and you best learn to deal with it.

      These people offer a decent product in the only way to inspire trust: by being open.

      1. ethindp

        100-percent agreed. I'm glad that they're that open. For me, if the sales guy cringes, well, why should I care? I'd rather have a brutally honest company that wants to be blunt and direct about their offering when they're trying to sell me on their product (especially when they're protecting my data!) instead of a company that gives me lots of word salad that sounds and tastes really good but turns out to have incredibly toxic ingredients in it. (Bad metaphor, I know, I was never good with those...)

  3. Mockup1974

    Current list of ways to circumvent the GPL:

    - Tivoization (solved by GPL 3)

    - Apps that are run on a server (solved by AGPL)

    - Apps that cannot be compiled without a proprietary SDK (another example would be the OnlyOffice Android app)

    - Separate contract that punishes you if you share the source code (such as Red Hat Enterprise Linux, where they can end your support contract and future updates)

    - maybe you could count AI to some degree, such as Copilot spitting out GPL'd code

    1. Drakon

      > - Separate contract that punishes you if you share the source code (such as Red Hat Enterprise Linux, where they can end your support contract and future updates)

      From the GPLv3:

      > You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.

      Is punishing you for exercising your rights under the GPL an “additional term”? I don’t know, I’m not a lawyer.

      1. Doctor Syntax Silver badge

        The alternative to asking a lawyer seems to be "walk", hence Rocky, Alma etc.

  4. AgentMyth

    A great tool

    I moved from Lastpass to Bitwarden family after a bit of research years ago.

    The capability of the Android app alone provides enough value for me but add in integrations, hardware keys etc. and I see a tool that would help staff be more secure in most businesses.

  5. Oninoshiko

    Genuinely happy to see this

    I've used Bitwarden for a while now, and wasn't particularly comfortable with what happened... but this response was perfect, they said "it's a mistake, and we'll resolve it." Then they proceed to resolve it pretty quickly. Good job, guys!

  6. Natewrench

    Finally compatible with keepass
