Support Clarification for self-hosted version

(writing this on behalf of, where I’ve filed a pull request for Bitwarden Server adding a page for Bitwarden Web Self-hosted.)

I was confused about the support duration for Bitwarden. The docs website mentions (/help/bitwarden-software-release-support/):

Support for Bitwarden Server releases is available for a duration of 12 months following the initial release.

But it is unclear what counts as an “initial release” - a major or a minor version?

Our current draft assumes it to be a minor version (X.Y), but it will need to be updated in case it refers to a Major version.

Or to ask it another way:

  • Is v2023.5 supported till May 2024 with patch releases? Or
  • Is v2023 supported till 2024 Jan, with minor+patch releases?

Beyond this question, I’d appreciate any feedback on the Pull Request (either here or on GitHub).


Hi @nemo, thanks for asking about this. The referenced article was a bit outdated, so we’ve made a small update.

Support is available for a duration of 3 major releases following a release. In our current versioning schema, which is, the .mm. represents what we’re referring to as a “major release” in this context, so support for 2023.5.0 is guaranteed for 2023.6.0, 2023.7.0, and 2023.8.0.

“Support” here means, specifically, client-server interoperability - a 2023.8.0 client will work with a 2023.5.0 server, though a 2023.9.0 client might not. I say “might” because it won’t always be the case that support will drop, and in cases where it will we’ll broadcast that information in advance via the Help Center Release Notes.

Thanks for the reply. I still had a few doubts:

If support only refers to client-server interop, is there a separate policy around “security updates”? Say, there is a vulnerability in the 2023.5.1 release, where all will the fix be backported to? Similarly, is there a separate consideration for critical fixes? Bug fixes?

If the only support guaranteed is “interop for next 3 releases”, then should a user always be expected to use the latest server version to get security patches? Wouldn’t that make the client-interop guarantee pretty weak?

@fschillingeriv Any luck with the remaining questions?

@fschillingeriv Bumping this thread to see if you or someone else from Bitwarden could answer these.

@fschillingeriv Any update with the remaining questions?

Well, I can only speculate. I don’t see any updates of already released versions. In your example: the 2023.5.1 release remains unchanged. And to fix security issues, you have to constantly update (2023.6.x → 2023.7.x → …).

I think the answer would be yes. But isn’t this common security practice anyway, to always update? (okay, LTS would be another thing sometimes needed…)

Again, I guess, the idea is to always update all devices/apps - then there is also client-interop guaranteed. As Bitwarden doesn’t have any LTS versions, as I understand it, it builds upon the idea of constantly updating to fix security issues and remain “client-interop” - and there is a time frame of three months for that, so that you don’t have to go with the first day of a new release, so to speak…