Concerns with extension auto-update

Community Feedback
1

We have a number of PASSBOLT installations all separated for security and legal reasons. Since the recent PASSBOLT EXTENSTION 3.0.0 update we suddenly had 6 of these installation go haywire. User area was completely blank.

We have now been able to fix 3 of the servers with the automated data cleansing CAKE routine:
/var/www/passbolt/bin/cake passbolt cleanup

Another 2 were fixed by diving into the database and fixing a couple of unusual records.

Last one, we are stuck. Cannot find the database record error causing user information problems.

This issue has sent TERRIFYING SHOCKWAVES through our teams and management who all now suddenly realize no matter how earnestly and diligently we backup, archive and gingerly update our PASSBOLT servers…

A SINGLE PASSBOLT EXTENSION LOSS, UPDATE, MAJOR UPDATE OR EVEN MINOR CHANGE WILL BE AUTOMATICALLY PUSHED OUT TO ALL BROWSERS WITH ZERO END-USER CONTROL AND NO OPTIONS FOR ROLLBACK!

This has the potential to completely lock everyone out of access to our entire password databases!

In the current Extension 3.0.0 update case we were only locked out of user management - unable to add, edit, remove users for about 5 days. Next time it could be SIGNIFICANTLY WORSE!

This major issue has quickly escalated to a DEAL BREAKER for us to continue using PASSBOLT. We are now looking into any way to BLOCK browser extension updates at the firewall/signature level. If we cannot solve this and prevent PASSBOLT from auto-updated the browser extension…
this may the be END of PASSBOLT for us.

2

Hi @Cordeos ,

Sorry that you experienced this problem. Please note that we take great care for testing the product prior to a rollout, for several weeks under a multitude of environments, but the fact that passbolt is self-hosted prevents us from completely emulating all the possible data scenarios that the application will face.

The most prominent bugs encountered in the last release seems to be related to older installations where some database entries are not considered invalid as per the data model. However, these data became incompatible with new stricter validation rules on the front-end side. We have been working hard to resolve these issues (with back to back hot-fixes last week), as soon as the data has been made available to us. We are committed to helping everyone resolve these issues and learning from this experience to make sure it does not happen again in the future.

Please note also that passbolt provides professional support services which can help you in the rare scenarios where you require fast support and resolution of issues. We know that this is not an option for all organizations, but if passbolt is critical to your organisation please consider this as a failsafe.

This latest release is indeed a major version bump (v2 => v3) and ships with the full rewriting of the front-end code along with the migration to a new framework (React). Luckily, this is not something that we do regularly.

Browser extension auto-updates are necessary to make sure that your users benefit from regular security updates. Disabling auto updates may also prevent you from having a working environment, as for example a new major version of the server (v3) will not work with older versions of the extension. Because of these reasons we strongly advise against disabling automatic updates.

Another option, less dangerous on the long term than telling your users to disable auto-updates, would be to rely on for example Chrome Extensions enterprise management best practices, to run and setup your own channels for extension updates. See. the following documentation, in particular “create your own on-premise web store”. This would allow you to control more precisely which extensions are allowed and how they are updated.

In the next few months, desktop apps will also be made available which should provide you with more granularity in regards to the update control mechanisms.

As said before, the team is committed to learning from this rollout to make sure we do not introduce breaking changes in the future.

Thank you for your patience and understanding.

3 Likes
3

We appreciate your reply and understand any software release has potential issues. Nobody expects everything will run perfectly with every release and it takes time to work through the multitude of possible scenarios.

However, this is exactly why software update processes NEED to be expected, announced, planned. Lets face it… “auto-updates are necessary to make sure that your users benefit from regular security updates” is a blanket statement used by developers to overly justify the forceful push of code out to end-users without the need for their consent, approval or even desire to do so.

This little ‘extension update’ caused a week-long, expensive nightmare for many - simply because we HAD NO IDEA IT WAS COMING!

As some browsers began updating there were one or two people who noticed and raised an issue. Oh, must be their computer or browser - spend time working with them.
After a day or two more users begin reporting problems. Oh, must be a server or network issue. Spend several days checking firewalls, load-balancers, LINUX installations, virtual machines… nothing.
Eventually, nearly everyone has the same issues and we finally figure out its because all the extensions have been updated.
Now we need to figure out how to fix it. Oh, but we cant… because there is nothing wrong with the server, load-balancing, network, reverse proxies, database - unless we pull apart and recompile the extension.
Finally we see others with the same issue, find post on solutions, pinpoint the issue, run the fixes, scan through the database records and get things working again.

Total week long nightmare.

Professional Support is a REACTIVE solution, not preventative and wouldnt have made any difference in the problems we and many others faced with this update.