I think even if they do reverse course or it was a genuine mistake, it's easy to lose people's trust forever, ESPECIALLY when it comes to something sensitive like storing ALL of your passwords.

I don't know what the heck you're talking about.

I see overwhelming evidence that they have intentionally made parts of the clients' code proprietary. You can check the client code yourself (for now anyways) and convince yourself of the fact that the bw SDK code is in indeed integrated into the bitwarden clients' code base.

This is the license text of the sdk-internal used in 2024.10.1 (0.1.3): https://github.com/bitwarden/sdk/blob/16a8496bfb62d78c9692a44515f63e73248e7aab/LICENSE

You can read that license text to convince yourself of the fact that it is absolutely proprietary.

Here is also the CTO and founder of Bitwarden admitting that they have done it and are also attempting to subvert the GPL in using sdk-internal:

https://github.com/bitwarden/clients/issues/11611#issuecomment-2424865225

Hi @brjsp, Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.

• the SDK and the client are two separate programs
• code for each program is in separate repositories
• the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3

Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.

(Emphasis mine.)

The fluff about the ability to even build the app is secondary, the primary issue is that the Bitwarden clients are no longer free software. That fact is irrefutable.

Keepass isn't really in the same category of product as Bitwarden. The interesting part of bitwarden is that it's ran as a service.

Bitwarden can't be compared to KeePassXC. Bitwarden is fundamentally built around a sync server, whereas KeePass is meant to exclusively operate locally. These are two very different fundamental concepts for, you know, how to actually store and access your passwords.

I have some! I use a self hosted vaultwarden and just two days ago I saw and installed KeyGuard out of curiosity. So far, I can say KeyGuard is a nicer looking and feeling app and... it works. So as long as their intentions are pure, you can use "bitwarden" without using any of their software or infrastructure.

How different is this to gitlab’s open core model?

That's a really good question that I don't immediately have a satisfying answer to.

There are some differences I can point out though:

• Gitlab has demonstrated its commitment to keep the core of their product, though limited in features, free and open source. As of now, BW's clients cannot even be compiled without the proprietary SDK anymore.
• Gitlab was always a permissive license (MIT) and never attempted to subvert its original license terms
• Gitlab-EE's "closed" core is actually quite open (go read the source code) but still squarely in the proprietary camp because it requires you to have a valid subscription to exercise your freedoms.

Is this a permanent change?

It'd be quite trivial for them to do in technical terms: Either license the SDK as GPL or stop using it in the clients.

I don't see a reason for them to roll it back though. This was decided long ago and they explicitly decided to stray away from the status quo and make it closed source.

The only thing I could see making them revert this would be public pressure. If they lose a sufficient amount of subscribers over this, that might make them reconsider. Honestly though by that time, the cat's out of the bag and all the public goodwill and trust is gone.
It's honestly a bafflingly bad decision from even just a business perspective. I predict they'll lose at least 20% but likely 30-50% of their subscribers to this.

Is the involvement of investors the root of this?

I find that likely. If it stinks, it's usually something stinky's fault.

Are we overreacting as it doesn’t meet our strict definition of foss?

They are attempting to subvert one of the FOSS licenses held in the highest regard. You cannot really be much more anti than this.

An "honest" switch to completely proprietary licenses with a public announcement months prior would have been easier to accept.

Yes because it is about, ultimately, making the major clients incompatible with vaultwarden on both a legal and technical level.

A likely outcome if they don't reverse course is a split where FOSS Nerfs fork the clients and have to maintain their own versions. That's the outcome Bitwarden wants. This reeks of a bazinga, "how dare they benefit from our work and take our users", which is hilarious for a FOSS ecosystem that almost universally benefits corporations with free labor.

Vaultwarden is only the server, no? So any clients that you use to access Vaultwarden are built and maintained by 8bit solutions a.k.a. Bitwarden, including the desktop client that is the subject of this post.

KeePassXC is pretty amazing. :)