Status of 1Password 6 Standalone after 1Password 7 release: Is there a sort of LTS support?

HackintoshHD
Community Member

Dear 1Password team,

I'd like to ask if there is an official statement by AgileBits on the support status of 1Password 6(.8.9) after 1Password 7 has been released.

In other words: Do you intend to still supply security fixes for 1Password 6 if necessary as a sort of long-term support for the release and do you plan to fix 1Password's browser add-on in case a new browser version breaks compatibility with version 6? Or is 1Password 6.8.9 a completely abandoned product and will thus remain the very last minor 1Password 6 version?

Thank you very much.

Best regards

Hackintosh HD


1Password Version: 6.8.9
Extension Version: 4.7.2.90
OS Version: macOS 10.13.6 High Sierra
Sync Type: Nextcloud

Comments

  • Lars
    1Password Alumni

    Welcome to the forum, @HackintoshHD! We've never issued a "formal" statement of the kind I think you're describing for any previous 1Password releases, and we're unlikely to do so now, mostly because that's just not how we deal with changing from one version to the next. We still have the occasional user on an ancient Mac that's limited to OS X Lion who's running 1Password 3 for Mac, who comes here and asks us for support -- and we provide it as we're able. But the bottom line is that as a security company, it would be irresponsible of us to do anything except recommend that users keep their versions of software (including our own) and macOS up to date. We understand sometimes this is not possible for various reasons, but we can't in good conscience give users instructions on how to purposely remain behind on legacy versions of software.

    Typically, when a new version of any of our four native apps (Mac, iOS, Windows and Android) is released, it means development stops on the previous version, which enters "legacy" status at that point. This is the point 1Password 6 for Mac has entered. It will not be receiving further new features or development. To be clear, new features and development IS happening...but in the current version, not multiple legacy versions. The only likely potential exception to this would be if there were a serious security flaw found which needed to be patched, but even that stops at some point. For example, we are not making changes or updates of any kind to 1Password 3 for Mac any longer, even though there may be a tiny minority of users who are still soldiering on with that decade-old version. To be clear: there are no unpatched security holes in 1Password 3 for Mac (or in 1Password 6 for Mac) at this time...I'm just saying, that version would not be receiving any updates at all because of its age. Right now, there are many users still using 1Password 6 for Mac, and so if something serious were discovered it would likely be patched. But at some point even security patches end, in the same way that Microsoft is no longer patching XP, and Apple is no longer patching or supporting Snow Leopard. Hope that helps!

  • HackintoshHD
    Community Member

    Thank you, @Lars, for your answer.

    To be clear, my question wasn't about feature development or bug fix supply for 1Password versions prior to version 7, but about the supply of security fixes that 1Password 6 for Mac users could expect from you in case of a 0-day exploit getting publicly available.

    Provided I keep a supported (current version minus two) macOS release permanently updated, my intention was to find out if I could continue to use 1Password 6 for Mac safely if I simply have no interest in the new features of version 7. Which somehow would require positive knowledge about future availability of security fixes for it, in other words what is meant by the availability of "long-term support (LTS)" as understood in the Ubuntu/Debian/Linux world, making a stable, older software version that is no longer being actively developed, but actively maintained in the sense that security fixes are being made available, should a security issue be discovered.

    From your answer, I get the impression that this would likely be the case for 1Password 6 for Mac at this point, but, on the other hand, that I should rather not count on it and that there wouldn't be an announcement at the point in time when AgileBits starts to consider 1Password 6 "too old" for security fixes, either.

    Under these circumstances, I think it's too risky for me to remain on version 6 resp. 4 (Windows) and I will probably upgrade both licenses to version 7 on their respective platforms, even if I have no interest in the newly added features.

  • HackintoshHD
    Community Member

    Thank you, @Lars, for your answer.

    To be clear, my question wasn't about feature development or bug fixes, but about the potential supply of security fixes necessary to keep 1Password 6 for Mac an application that is safely usable for its purpose, provided I keep a supported (current version minus two) macOS release permanently updated and I don't have an interest in the new features of 1Password version 7. In other words, would it be safe to simply continue to use 1Password 6 for Mac on a supported macOS version - and if so, for how long?

    Hence my question for the status of 'long-term support' for version 6 as I know it from the Ubuntu/Debian/Linux world, where older, stable versions of software are no longer being actively developed, but still actively maintained in the sense that security fixes from the latest version are being ported back to that old, stable 'LTS' version and are made available without much delay whenever a serious security issue/exploitability is discovered.

    What I understand from your answer is that for the time being, AgileBits would probably provide such security fixes for 1Password 6 for Mac, but on the other hand, that I should not rely on it the same way one can for the current 1Password version and that AgileBits won't issue an 'end of long-term support' statement, either, at the point in time when 1Password 6 for Mac enters a 'too old, won't fix' age, as apparently 1Password 3 for Mac has.

    Would this be an accurate understanding of your post above?

    Thank you very much.

  • Lars
    1Password Alumni
    edited August 2018

    @HackintoshHD - one of the reasons we don't have a set policy on such things is that at the same time that we want to serve 1Password users the best way we can, we don't want to commit formally to a backward-looking policy. We are doing work on developing and updating 1Password, every day. But that development is taking place on the current versions, not simultaneously on three or four different, older versions at the same time as the new one. Were we to do that, we'd be able to do far less of the work we're currently doing to advance 1Password.

    Another reason there's no set policy is that it very much depends on a number of factors, many of which are out of our control: what specifically is the issue that's found? Is it a bug in our own code, or a vulnerability discovered in something else like one of the public crypto libraries we use? How long has version X been in legacy mode? How many people (best estimate) continue to use it? And many, many other factors. Generally, our strong advice to all users is to keep current with their version of OS including all security patches, with 1Password, and with any other security measures they use.

    I can give you an example: just as we were rolling out 1Password 7 for Mac, the developers at Opera changed the bundle identifier on their browser so that it broke our code signature verification check. This made Opera temporarily unsupported in 1Password. A patch was applied as quickly as possible to 1Password 7 for Mac because it is the current version. After a little bit of time and user input, we also released version 6.8.9, for which the only change from 6.8.8 was the inclusion of the necessary changes for Opera to pass code signature validation checks in version 6. We made that decision in those specific circumstances because it had not been long since version 6 was the current version of 1Password, and even though Opera's share of the browser market is relatively tiny, a lot of people were still using version 6 of 1Password and we didn't want to strand the small percentage of them who were Opera users.

    But although I don't make these decisions around here, I would guess from experience that if that change by Opera's devs had happened, say, now -- or in a few months, closer to the end of this year -- we might not have made the same decision. Why? Because the older versions of Opera would still have the previous bundle identifier (allowing 1Password 6 for Mac to continue to work), and it would have been more than half a year later by that time. We understand some people - as you say - just aren't interested in the new features of the current version of 1Password. And it's certainly every individual's decision whether to upgrade any particular piece of software. But a choice not to upgrade is just that -- a user's choice. We want to focus on improving 1Password and forging ahead, and we can't do that as effectively or as quickly if we're devoting developer cycles to making sure increasingly old legacy versions are updated to ensure users who've chosen not to upgrade can maintain compatibility with the new versions of everything else they've installed/downloaded.

  • HackintoshHD
    Community Member

    First of all sorry for my double answer - my first text seemed to have disappeared after my attempt to edit it again (possibly as a rare and unwanted side effect of the uBlock Origin add-on I use in Firefox) and that's why I simply wrote it again, with obviously slight variations as I now realize.

    Anyway, thank you for the additional comments which give me a better picture of the situation. As said before, I've now come to the conclusion that it's best for me to upgrade my password-related workflows from 1Password 6/4 to 7 on both platforms, just for the continued supply of bug and security fixes.

    I've just purchased two new 1Password 7 standalone licenses for macOS and Windows hoping that I won't run into any feature regressions compared to my current 1Password 6 for Mac/4 for Windows combination.

  • danco
    Volunteer Moderator

    Do you actually WANT stand-alone licences? If you are using both Mac and Windows, the best value is a subscription. There are also features in the subscription that can't be provided with the stand-alone licence.

    You should be able to get a refund if you do decide on a subscription. I know that some people have such a strong objection to subs that they prefer to stay with stand-alone even when that is more expensive.

  • HackintoshHD
    Community Member

    Thanks, but yes, I DO want standalone licenses and NO, I'll never ever put my keychain generated by a closed-source product like 1Password onto third party controlled servers.

  • danco
    Volunteer Moderator

    I think you should check further. Even with a subscription you can still stay with only having vaults under your own control and not put anywhere in the cloud. It takes a bit of an effort, but it can be done, and saves a significant amount of money.

    I take it that you are currently syncing using Folder Sync, which keeps syncing off the cloud, and can still be done. Dropbox sync is, of course, just as much a third party effort as AgileBits servers.

  • HackintoshHD
    Community Member

    As AgileBits have never introduced WebDAV sync to 1Password, I am using Nextcloud and my own Debian Stretch server for the sync of 1Password's keychain/opvault file which has worked flawlessly over the last five years.

    I indeed wasn't aware a subscription would allow using the desktop clients completely as standalone products. I assume you still have to create a 1password.com account and link 1Password 7 to this account in its preferences?

  • AGAlumB
    1Password Alumni

    @HackintoshHD: Correct. That's how 1Password would know you've paid for it. Otherwise you'd be stuck with the trial limitations, with no account or license setup in the app.

  • I’m glad to hear it has worked for you @HackintoshHD but I’d be remiss if I didn’t point out for anyone else reading here that it is an unsupported solution, and we will not be implementing WebDAV sync.

    While it is possible to utilize standalone vaults with a 1Password membership (membership includes “everything”) it isn’t something we generally recommend.

    Ben

  • HackintoshHD
    Community Member

    Thanks @brenty and @Ben. As I do not want to open a 1password.com account, two standalone licenses remain the preferred solution for me then (provided I get over my rather sobering first experiences with version 7, but that's another story).

  • Lars
    1Password Alumni
    edited August 2018

    @HackintoshHD - sticking with standalone licenses is fine with us, if that suits your preference. Keep an eye on updates and their release notes for word on the custom icon issue you raised in your other thread. New features and bug fixes will appear in the betas before they appear in the stable channel, so if you'd like to switch to the betas to be among the first to get these, go to Preferences > Updates and check the box marked "Include beta builds," then click "Check Now," and you'll be on the beta track.

This discussion has been closed.