Support Clarification for self-hosted version

(writing this on behalf of endoflife.date, where I’ve filed a pull request for Bitwarden Server adding a page for Bitwarden Web Self-hosted.)

I had some confusion about the support duration for Bitwarden. The docs website mentions (/help/bitwarden-software-release-support/):

Support for Bitwarden Server releases is available for a duration of 12 months following the initial release.

But it is unclear what counts as an “initial release” - a major or a minor version?

Our current draft assumes it to be a minor version (X.Y), but it will need to be updated in case it refers to a Major version.

Or to ask it another way:

  • Is v2023.5 supported till May 2024 with patch releases? Or
  • Is v2023 supported till 2024 Jan, with minor+patch releases?

Beyond this question, I’d appreciate any feedback on the Pull Request (either here or on GitHub).

Hi @nemo, thanks for asking about this. The referenced article was a bit outdated, so we’ve made a small update.

Support is available for a duration of 3 major releases following a release. In our current versioning schema, which is yyyy.mm.rr, the .mm. represents what we’re referring to as a “major release” in this context, so support for 2023.5.0 is guaranteed for 2023.6.0, 2023.7.0, and 2023.8.0.

“Support” here means, specifically, client-server interoperability - a 2023.8.0 client will work with a 2023.5.0 server, though a 2023.9.0 client might not. I say “might” because it won’t always be the case that support will drop, and in cases where it will, we’ll broadcast that information in advance via the Help Center Release Notes.

Thanks for the reply. I still had a few doubts:

If support only refers to client-server interop, is there a separate policy around “security updates”? Say, there is a vulnerability in the 2023.5.1 release, where all will the fix be backported to? Similarly, is there a separate consideration for critical fixes? Bug fixes?

If the only support guaranteed is “interop for next 3 releases”, then should a user always be expected to use the latest server version to get security patches? Wouldn’t that make the client-interop guarantee pretty weak?

@fschillingeriv Any luck with the remaining questions?