Bitwarden is not fully Open Source

oat-walker · March 5, 2022, 5:22am

I just found out that Bitwarden’s server side is only Source Available and not Open Source.

I don’t hate Source Available licenses but do wish they’d have done more to make that known. Their website simply and proudly state that it’s “Open Source”. It’s the same issue I’ve had with Protonmail and Tutanota for years, Open Source whitewashing. It’s alright to be Source Available or in the case of Tutanota and Protonmail only client open, but be honest.

As far as Source Available licenses go the “Bitwarden License” seems bad. Only allowing use for " sole purposes of internal development and internal testing, and only in a non-production environment." They could at least have allowed for noncommercial use.

github.com

bitwarden/server/blob/master/LICENSE_BITWARDEN.txt

BITWARDEN LICENSE AGREEMENT
Version 1, 4 September 2020

PLEASE CAREFULLY READ THIS BITWARDEN LICENSE AGREEMENT ("AGREEMENT"). THIS
AGREEMENT CONSTITUTES A LEGALLY BINDING AGREEMENT BETWEEN YOU AND BITWARDEN,
INC. ("BITWARDEN") AND GOVERNS YOUR USE OF THE COMMERCIAL MODULES (DEFINED
BELOW). BY COPYING OR USING THE COMMERCIAL MODULES, YOU AGREE TO THIS AGREEMENT.
IF YOU DO NOT AGREE WITH THIS AGREEMENT, YOU MAY NOT COPY OR USE THE COMMERCIAL
MODULES. IF YOU ARE COPYING OR USING THE COMMERCIAL MODULES ON BEHALF OF A LEGAL
ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE AUTHORITY TO AGREE TO THIS
AGREEMENT ON BEHALF OF SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, DO NOT
COPY OR USE THE COMMERCIAL MODULES IN ANY MANNER.

This Agreement is entered into by and between Bitwarden and you, or the legal
entity on behalf of whom you are acting (as applicable, "You" or "Your").

1. DEFINITIONS

"Bitwarden Software" means the Bitwarden server software, libraries, and
Commercial Modules.

This file has been truncated. show original

Eltuxo · March 5, 2022, 9:06am

It’s about money, i guess. If you got something that really works, and needs constant support and development, then i understand that you’re not so willing to open it up to everyone.
That being said, you don’t go boasting you’re open source either, only to lock it down.
Or am i seeing this the wrong way and is there some symbiosis between the two? They make the code accessible to anyone, but with restricted use.
So it’s not fuully open but then again it is? Getting confused here…

SquirrellyDave · March 5, 2022, 12:04pm

I kinda thought this was known? Their entire business model is around a subscription (an eminently fairly priced sub IMO) so them not fully opening/allowing the server side to be used, even in non-commercial applications makes sense. They don’t seem to have any issues with Vaultwarden, as mentioned above, which uses all the client side API’s to create a self-hosted server.

I do wish they would be a little more clear about what’s open vs SA. All in all, it’s not a deal breaker for me, and doesn’t make me want to drop my sub.

This message has been brought to you by bitwarden (Kidding, I promise I’m really not a shill for them, just a happy customer)

oat-walker · March 5, 2022, 4:03pm

Signal server is Open Source under the AGPL.

Yeah the fact there is an Open Source Bitwarden server alternative is nice. I might switch to it when my sub expires.

oat-walker · March 6, 2022, 3:14am

You’re right. It seems not all of Signal’s server is Open Source.

Max · March 6, 2022, 7:53am

Oh. I didn’t know this. Most of the marketing is usually false so I am not surprised.

Bitwarden is still a great product though and its not that bad of a lie. I will continue using them, unless there’s a tutorial for vaultwarden somewhere. Maybe frontlinelinux topic idea?