Bitwarden server is mostly written by Bitwarden's CTO. [1]
If tomorrow Bitwarden decides to do "a MongoDB" (= violating the AGPL, and making it closed-source), you would have to spin up a new community to maintain the AGPL fork.
How exactly is it violating the AGPL for the author to change licenses? They require contributors to assign copyright so... Bitwarden belongs entirely to Bitwarden.
Right, but if you had signed a CLA then it's absolutely not violating the AGPL if the host decides to close the source. Since these organisations require that, they're not violating the AGPL.
That's not to say I agree with them and it's obviously shitty behaviour – but license violation is a specific act that they aren't guilty of.
Isn't a CLA just a standard CYA move from more established open source projects? I had to sign one to contribute to Django as well and I don't see them "pulling a MongoDB" any time soon.
My assumption is this is so that they're legally protected from contributors revoking the right to use their contribution at some later point or other obnoxious legal shenanigans.
It depends on the CLA. Some just require you to affirm that you have the rights to license your contribution, and that you license it under the license of the project, which is indeed mostly just a CYA. It doesn't allow the project to unilaterally change the license of your contribution, and I haven't seen many people have a problem with this kind of CLA.
The other common form of CLA is a copyright assignment (or something equivalent) to a foundation or company representing the project, which is much more troublesome. This allows them to basically do whatever they want with your contribution, including charging for it, or closing the source altogether.
Yup:
Section 2.1: "By submitting a Contribution, you assign to Bitwarden all right, title, and interest in any copyright in the Contribution and you waive any rights, including any moral rights or database rights, that may affect our ownership of the copyright in the Contribution."
It’s a fascinating situation, really: this kind of asymmetry (AGPL for you, but not for us, even if you contribute) is antithetical to the purpose of the AGPL, but desirable for the leaders of quite a large fraction of projects that choose the license (to the point that they might either not use the AGPL or not accept contributions if they couldn’t do it).
I think a CLA that says "You provide us with an additional license to re-publish your code under any license we choose" with modifications to limit attribution, might work. That way the code is perpetually AGPL, but the company is free to offer derivative works under other licenses. Hence you can always use your code, you can fork, you can do all you want, and the company cannot take the code, as it stands at that point, away from the public.
[1] https://github.com/bitwarden/server/graphs/contributors