RSS feed implementation has issues and KB page is hidden

ajh0912
Community Member
edited August 8 in Lounge

1Password customers need a way to be aware of the latest application updates of all platforms, in a way that can be alerted on.

This is especially relevant in the enterprise, where sometimes deploying applications must be done via machine-wide installers with fixed versions, and updated through a defined rollout cycle.

It's even more important when there are vulnerabilities in applications that have been found and fixed, but customers may not realise immediately that there is a new version, or may not prioritise the deployment of a new version as they were not aware of its security implications due to no mention in the release notes.
If there is no automated way to discover new updates or be informed of them, it will be down to their manual process to check for new versions - causing delays in patching.

I'm aware that the approach of having the application itself auto-update is used widely in the industry, especially in security critical contexts like password managers. But that doesn't mean the traditional application rollout cycle cannot be supported, or doesn't have its place.

On this page, outlining the PKG install (which doesn't auto-update since 8.10.9), 1Password note that newer versions must be manually deployed.

There have been many requests for RSS feeds for releases. RSS is an easy way to achieve this as it doesn't require mass-emailing or invoking WebHooks etc.

Here, some paths to XML files generated by Hugo are brought up. Those are also referenced on the Deploy 1Password page as RSS feeds.

For example:

The example below is for macOS, but the same issue applies to all platforms:

If we load https://releases.1password.com/mac/index.xml into an RSS reader, we only see the top-level item of '1Password for Mac' linking to https://releases.1password.com/mac/8.10/ (and another item for the beta).

Unfortunately these XML files don't have much use for RSS reader purposes - despite (mostly) meeting the RSS spec, as they don't contain a unique item for each individual version, with the version in the title, or the release notes in the body, and are instead just linking to the top item in a hierarchy based off the partial version number x.y.
So for releases 8.10.39, 8.10.38, 8.10.36, 8.10.34 etc - we only have one RSS item '8.10'.

If we visit https://releases.1password.com/mac/ in a browser, it has an item for https://releases.1password.com/mac/8.10/, which within it contains a section https://releases.1password.com/mac/8.10/#1password-for-mac-8.10.38
This is not easy to parse programmatically, without some effort with XPath (and would need to be updated for each x.y release).

Some examples of RSS/Atom feeds that do release info correctly:

https://about.gitlab.com/security-releases.xml
https://obsidian.md/changelog.xml
https://github.com/bitwarden/clients/releases.atom

Something I would love to see:

https://releases.1password.com/feed.xml - shows all releases across all platforms
https://releases.1password.com/mac/feed.xml - shows all macOS releases
https://releases.1password.com/mac/8.10/feed.xml - shows all macOS 8.10 releases

This has been a problem for a while, but the specific reason that made me post this was finding out about a security vulnerability (in macOS clients prior to 8.10.36) via The Register first - and not from 1Password themselves. https://www.theregister.com/2024/08/08/using_1password_on_mac_patch/
99% of our endpoints already have patched versions, but there are some that require manual updates.

You have a KB on the vulnerability posted on the 6th, but no reference to the vulnerability was made in the release notes for 8.10.36.

I have since discovered the RSS feed for the KB page: https://support.1password.com/kb/index.xml.

My suggestions:


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
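
An added example, not part of the original post and not 1Password's code: a Python check that tells a feed with one item per x.y branch (the shape described above) apart from a feed with one item per release, and lists the releases newer than a pinned deployment. Both feeds are constructed samples on a placeholder host, and the pinned versions passed in are assumptions.

```python
import re
import xml.etree.ElementTree as ET  # for feeds you do not trust, parse with defusedxml instead

VERSION = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")  # full x.y.z only; "8.10" alone does not match

def _item(title, link):
    # Helper for building the constructed sample feeds below (placeholder host).
    return f"<item><title>{title}</title><link>https://releases.example{link}</link></item>"

def _feed(items):
    return f'<rss version="2.0"><channel><title>1Password for Mac</title>{"".join(items)}</channel></rss>'

# Constructed sample: the shape the post describes, one item per x.y branch plus a beta item.
BRANCH_FEED = _feed([_item("1Password for Mac", "/mac/8.10/"),
                     _item("1Password for Mac Beta", "/mac/beta/")])

# Constructed sample: a hypothetical per-release feed of the kind the post asks for.
RELEASE_FEED = _feed([_item(f"1Password for Mac {v}", f"/mac/8.10/#{v}")
                      for v in ("8.10.39", "8.10.38", "8.10.36", "8.10.34")])

def release_versions(feed_xml):
    """Return the sorted, unique (x, y, z) versions named in RSS item titles."""
    found = set()
    for item in ET.fromstring(feed_xml).iter("item"):
        match = VERSION.search(item.findtext("title", default=""))
        if match:
            found.add(tuple(int(part) for part in match.groups()))
    return sorted(found)

def audit_feed(feed_xml, deployed):
    """Report whether the feed can drive patch alerts for a pinned version."""
    versions = release_versions(feed_xml)
    # Compare as integer tuples: as strings, "8.10.9" would sort after "8.10.36".
    pinned = tuple(int(part) for part in deployed.split("."))
    newer = [".".join(map(str, v)) for v in versions if v > pinned]
    # per_release_items == False means "this feed cannot answer the question",
    # which an alerting job must not report as "up to date".
    return {"per_release_items": bool(versions), "newer_than_deployed": newer}

if __name__ == "__main__":
    for name, feed in (("branch feed", BRANCH_FEED), ("release feed", RELEASE_FEED)):
        print(name, audit_feed(feed, "8.10.34"))
```
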
