dani-garcia / bw_web_builds

Web vault builds for vaultwarden
GNU General Public License v3.0

Is GPL-3.0 correct? #162

Open jonathanspw opened 1 month ago

jonathanspw commented 1 month ago

Hi,

I'm a Fedora/EPEL packager and was working towards getting Vaultwarden and the web side packaged up into official packages and all is/was going smoothly until it came to my attention that code from https://github.com/bitwarden/clients/tree/main/bitwarden_license is indeed used in bw_web_builds.

I tested by simply removing the directory as part of the build scripts, and unsurprisingly, the build fails.

I believe this renders GPL-3.0 incorrect, at least for part of the content, anything built upon the bitwarden-licensed code, and unfortunately bars the web GUI from inclusion into Fedora/EPEL and any other distros which follow strict OSI-approved license requirements.

The restrictions from https://github.com/bitwarden/clients/blob/browser-v2024.5.0/LICENSE_BITWARDEN.txt#L27-L31 specifically make the bitwarden license incompatible with OSI standards.

I'm not very familiar with node/TS so I don't know exactly how/what these files are doing so I apologize if I'm totally off base here.

BlackDex commented 1 month ago

The code is GPL. And I think the build also fails if you omit our patches to be applied and remove that directory.

Also, we build using the dist:oss:selfhost option https://github.com/dani-garcia/bw_web_builds/blob/cc03d26ac0f47481067f6ae313375e198a7b1164/Dockerfile#L50

Which only uses GPL compatible code as far as I know.

jonathanspw commented 1 month ago

> Which only uses GPL compatible code as far as I know.

I dug into the code a bit and as best I can tell you are right! Thanks for the quick reply and pointing me in the right direction on that.

Would you be open to a refactored patch that would allow removing that directory without causing failure?

tessus commented 1 month ago

> working towards getting Vaultwarden and the web side packaged up into official packages

Nice. This means I won't have to build my own packages anymore. ;-) However, one thing I'd consider when packaging for Fedora is to create packages between releases.

e.g. I create packages (for the vw binary, not the webvault) like this: vaultwarden-1.30.5^20240519.753a9e0b-1.fc40.x86_64

jonathanspw commented 3 days ago

> > working towards getting Vaultwarden and the web side packaged up into official packages
>
> Nice. This means I won't have to build my own packages anymore. ;-) However, one thing I'd consider when packaging for Fedora is to create packages between releases.
>
> e.g. I create packages (for the vw binary, not the webvault) like this: vaultwarden-1.30.5^20240519.753a9e0b-1.fc40.x86_64

I'm happy to report that vaultwarden-web is in Fedora/EPEL stable repos. vaultwarden itself is currently in Fedora/EPEL testing repos and will hit stable in about a week.

As for the package updates between releases - is there a pressing reason to do that? If there are important changes that don't get cut in releases we can/should push upstream/vaultwarden to cut a release, or we can add them to the RPM as patches if it's important to get in the package before the next release.