Bitwarden switches password manager and SDK to GPL3 • The Register

Fear not, FOSS fans. Bitwarden isn't going proprietary after all. The company has changed its license terms once again – but this time, it has switched the license of its software development kit from its own homegrown one to version three of the GPL instead.

The move comes just weeks after we reported that it wasn't strictly FOSS any more. At the time, the company claimed that this was just a mistake in how it packaged up its software, saying on Twitter:

It seems like a packaging bug was misunderstood as something more, and the team plans to resolve it. Bitwarden remains committed to the open source licensing model in place for years, along with retaining a fully featured free version for individual users.

Now it's followed through on this. A GitHub commit entitled "Improve licensing language" changes the licensing on the company's SDK from its own license to the unmodified GPL3.

Previously, if you removed the internal SDK, it was no longer possible to build the publicly available source code without errors. Now the publicly available SDK is GPL3 and you can get and build the whole thing.

CTO Kyle Spearrin added a new comment to the discussion on bug #11611 on GitHub, "Desktop version 2024.10.0 is no longer free software." He said:

We have made some adjustments to how the SDK code is organized and packaged to allow you to build and run the app with only GPL/OSI licenses included. The sdk-internal package references in the clients now come from a new sdk-internal repository, which follows the licensing model we have historically used for all of our clients (see LICENSE_FAQ.md for more info). The sdk-internal reference only uses GPL licenses at this time. If the reference were to include Bitwarden License code in the future, we will provide a way to produce multiple build variants of the client, similar to what we do with web vault client builds.

The original sdk repository will be renamed to sdk-secrets, and retains its existing Bitwarden SDK License structure for our Secrets Manager business products. The sdk-secrets repository and packages will no longer be referenced from the client apps, since that code is not used there.

This is genuinely good news for the program's more fervently FOSS-focused fans. It's all open source, and it's possible to build the whole thing, including the SDK, from freely available code.

Long years of disappointments and letdowns have left The Reg FOSS desk suspicious and cynical, and to us, this comment seems to be a somewhat measured response, rather than a whole-hearted commitment. The description on the commit message says:

Improve language around licensing for most crates to be GPL or Bitwarden SDK License.

We have not been able to find any clarification on the precise definition of "most" here. We have requested clarification around this from the company, and we'll update this article if we receive more information.

The eponymous Bitwarden password manager isn't the company's only product. It also offers two team-oriented tools, Secrets Manager, plus the Passwordless.dev authentication tool the company acquired in 2023.

While Secrets Manager was still in beta, its web page said it was open source – see, for example, this snapshot from August 19 last year. The product officially launched later that month. The mention of open source was removed from the product page around then, although it does have a free-to-use tier.

It seems to us that Bitwarden has responded to its users' unhappiness with the changes to the licensing around its password manager and has not merely undone the changes but gone further towards making it all Free Software – even if it continues to maintain that it was all just an error. The change is commendable, and we're glad to see it. It does, however, look as if the company is leaving itself room to build more non-FOSS tools in the future. ®

Send us news