How can someone comply with the AGPL license with bitwarden clients?

[ClashTheBunny]

It seems impossible to provide source code via the first party bitwarden clients. Is it possible to be in compliance with the license at all?

AGPL seems to require any user to be able to get the source code, but how do they know what the source code they are using is?

What's the sequence of events and actions that would let a user discover the source is different and where it is hosted?

The FSF says that AGPL doesn't protect against SaaSS:

The GNU Affero GPL does not address the problem of Service as a Software Substitute (SaaSS).
https://www.gnu.org/licenses/why-affero-gpl.html

Which links to this definition:

What Does Service as a Software Substitute Look Like?

Service as a Software Substitute (SaaSS) means using a service as a substitute for running your copy of a program. Concretely, it means that someone sets up a network server that does certain computing activities—for instance, modifying a photo, translating text into another language, etc.—then invites users to let that server do their own computing for them. As a user of the server, you would send your data to the server, which does that computing activity on the data thus provided, then sends the results back to you or else acts directly on your behalf.
https://www.gnu.org/philosophy/who-does-that-server-really-serve.html

This seems to match the use case sighted in the original relicensing bug: #2450

I read about this in this article: https://deavid.wordpress.com/2020/08/02/affero-gpl-is-toxic-avoid-it-like-the-plague/

[stefan0xC]

Do you run a modified Vaultwarden server?
edit: I am not a lawyer (so no idea if I am right or if this opinion would hold in court) but to me the general requirement is fulfilled by embedding the git commit hash of the Vaultwarden version you are using. With that you can as a user check the state of the source code that was used to build Vaultwarden. If you built Vaultwarden yourself from a private fork with modifications that are not shared you are (from my layman understanding of the AGPLv3) legally required to make those modifications easily available at least to your users so that they are not deprived of their essential freedoms. How that would look in practice (to not violate the licensing terms of the AGPLv3) I don't know but I would recommend just keeping the source code public.

[ClashTheBunny]

I don't think so. I read through the Dockerfile, which I assume is where the docker image comes from (how do I trace back from docker.io/vaultwarden/server:latest to the source code that built it?), and I can't see anywhere where it modifies it. How can I tell that my Vaultwarden server is unmodified?

[stefan0xC]

If you run it and query /api/config it will tell you the exact gitHash. But this won't necessary tell you if you run a modified version.

[BlackDex]

Technically someone can just fake it, and still point to this repo. There is no definitive way of really knowing this currently.
Also, any attempt to sign software and have it report it's signature might still also be faked i think.

Would be nice if that is somehow possible. But i think it still isn't possible to create bit-by-bit identical version of Vaultwarden on different platforms.

It is something we look for to see how to make it safer. Same for the web-vault, how to sign that and knowing it is a safe version to use, also if it build by someone else without any modifications.

[BlackDex]

Clients do not matter, those are GPLv3.
It's about our server code (And also the Bitwarden server code btw, which is also AGPLv3 for the most part).

The AGPLv3 does not prevent someone from running any version of Vaultwarden online, modified or not.
What it does say is that if you allow people to use a modified Vaultwarden version which is publicly usable (of which some are, and we do not recommend using them), that people who use it have the right to see the source code used if they have it modified.

If they just use it as-is, no problems, even AWS Is allowed to use Bitwarden and Vaultwarden as-is.
But, if they make modifications to the code and let people use that, they need to provide the modifications done to everyone who asks, not sure if they are obligated to do that without someone asking, like having there fork publicly available for example.

However, if AWS want's to use Vaultwarden internally and want to make some modifications to make it better for them self, and they do not allow usage of that outside of there company, they also do not have to provide these changes to anyone.

A good read about this https://medium.com/swlh/understanding-the-agpl-the-most-misunderstood-license-86fd1fe91275

[BlackDex]

Again, I'm not a lawyer. It looks like you want to monetize from Vaultwarden and make changes to make it better and not return those charges.

Also, using a Browser or any client will never have a user interact with any API directly. Not even if you use telnet, so nobody ever interacts directly with an API according to your statement.

I would suggest to present this case to a lawyer and report back if you really want to know how it works. Especially the reporting back would be nice.

[ClashTheBunny]

No, I just want to know what I'm on the hook for.

With all the relicensing of things as agpl by companies that have gone back and forth between closed source, agpl feels unsafe to rely on. Any project increasingly restricting what I can do with it becomes suspect.

For example, are you going to disable exporting data so that I'm stuck with whatever version vaultwarden that comes along in? I don't think that's a big risk, but having to go through all my family and walking them through even basic exporting would be a huge cost. Especially since I then need to teach everyone a new password manager.

[BlackDex]

I'm not sure what you think is the issue here.
If we disable it (Which will never happen i think), and you want to fork it, modify it and use it for your self or your family, you only have to supply the source to your family as far as i know. You do not have to contribute that back.

All the fuss about AGPLv3 and Companies like Elastic which now also have that added etc.. etc.. etc.. It is all a storm in a glass of water if you ask me.

If you use Elastic AGPLv3 version as-is, nothing is going to happen. Sure they might put some feature behind a payed/restricted license, but you can still use the OpenSource version as-is for your self.

And then again, what is the problem with adding that feature again to your fork, and supply the source code.
It doesn't matter if we use GPLv3, AGPLv3, MIT or Apache license. We can still remove any feature if we want and you will still be missing that feature.

If you are Open Source minded and any Open Source project removes a feature you still want to have. Fork that project, make the adjustments, use it and make the source available.

[stefan0xC]

Regarding relicensing I think the greater concern would be Bitwarden, Inc that they might sell their company because the contributors to Bitwarden are required to sign a CLA. I can't promise what we will do when that happens but even then it's very possible that the wider Bitwarden community will also maintain forks of their clients. (I mean there already are projects like rbw and Goldwarden which can be used instead of the official clients that also work with Vaultwarden.)

[Hate9]

I've tried out rbw and can confirm that it seems to work well with Vaultwarden

[jjlin]

@ClashTheBunny It's marked off-topic (which I don't really agree with), but you might want to take a look at

#2450 (comment)

[BlackDex]

I have un-off-topic'ed it. Not that it says anything else which is already mentioned here or in the links posted.

Though I'm not a lawyer and not sure how any claim would work out in a court. There haven't been a lot of cases regarding AGPLv3 as far as i know.