mitro's project status? #123

Open
gingerlime opened this issue Jun 9, 2015 · 32 comments

@gingerlime

Mitro looks absolutely amazing. I just started using it and fell in love instantly. Compared to other password managers I've used (LastPass, KeePass, Clipperz and maybe a couple more) - it's so intuitive, friendly, slick. I can't express my admiration enough.

I'm wondering about the status of the project though. The posts on https://groups.google.com/forum/#!forum/mitro-dev seem fairly bleak. I couldn't figure out if there was/were a company or a bunch of individuals picking the open-source version going forward, and if they do, how much of a commitment is there.

I also couldn't work out how long the hosted version is going to keep running, and if a viable hosted solution exists out there?

I understand the monumental effort involved in development, support, maintenance and so on. I'd love to help, even a little (although my knowledge probably won't cover every piece of technology / component, and my availability is also limited). I'm sure others are contributing too, but I'm wondering if there's some kind of outlook for this project. I'm sure many agree it will be a great loss if it's gone.

@tofuness

@vijayp
Collaborator

vijayp commented Jun 28, 2015

We really don't have enough time or money to maintain the servers
indefinitely. It would be great if someone could volunteer to help run them
...

On Sat, Jun 27, 2015 at 5:25 AM, Desuvader notifications@github.com wrote:

> See: https://twitter.com/MitroCo/status/577435506524336128



@gingerlime
Author

What kind of help are you looking for precisely? and are you guys still committed to maintaining the codebase? (not talking about new features, but just keeping things running, e.g. when a new version of Java comes along, or when some dependency breaks)

@vijayp
Collaborator

vijayp commented Jun 30, 2015

We maintain the service -- it requires upkeep, and money to pay for the
servers.

On Tue, Jun 30, 2015 at 1:42 PM, gingerlime notifications@github.com wrote:

> What kind of help are you looking for precisely? and are you guys still
> committed to maintaining the codebase? (not talking about new features, but
> just keeping things running, e.g. when a new version of Java comes along,
> or when some dependency breaks)



@gingerlime
Author

Is it correct that you're paying around $600 to AWS and Google Cloud right now? How many instances / types is it running on? Is there a chance for some cost-saving using Linode or DigitalOcean without compromising on capacity / performance / reliability?

Have you considered asking users to pay for the basic service? In my company we're about 4-5 people using it, and I think we'd be happy to pay something like $20-40 per month. I'm sure other companies / individuals will feel the same. This could potentially cover at least the direct costs(?)

Other than this cost - what else in terms of upkeep do you need help with?

@vijayp
Collaborator

vijayp commented Jun 30, 2015

Basically we don't have the time to maintain the service or even build or
ask users to pay for stuff... we'd basically like someone to take over
operation of the service.

On Tue, Jun 30, 2015 at 1:55 PM, gingerlime notifications@github.com wrote:

> Is it correct that you're paying around $600 to AWS and Google Cloud
> https://groups.google.com/d/msg/mitro-dev/CYsd4zoAmYs/a6AI8pK3_4kJ
> right now? How many instances / types is it running on? Is there a chance
> for some cost-saving using Linode or DigitalOcean without compromising on
> capacity / performance / reliability?
>
> Have you considered asking users to pay for the basic service? In my
> company we're about 4-5 people using it, and I think we'd be happy to pay
> something like $20-40 per month. I'm sure other companies / individuals
> will feel the same. This could potentially cover at least the direct
> costs(?)
>
> Other than this cost - what else in terms of upkeep do you need help with?



@ericallard

I'm sure there are many users out there that "love" mitro. We should be able to put a team together. I use it internally (We're 10 users) and would be willing to pay 20-30$/year/user. I just installed LastPass... And let's be honest! It's ..."aaarrrrrrrr"! Not as good!

@robertknight

This is possibly a very naive question given my limited knowledge of how Mitro works, but how feasible is it to run Mitro without a service or by leveraging an existing service? I'm working on an app for managing passwords and the approach I took was to get Dropbox to do all the heavy lifting, with enough abstractions in place to make replacing it with an alternative service a viable option if necessary.

@bitsofalex

@vijayp Keen to explore taking over and continue developing the service. I am part of a team of devs working on a startup. This would be a healthy addition to our service offering. Are you willing to transfer the domain name as well?

@BrianTMaurer

I would pay $1/month for Mitro. That is LastPass Premium's price. (And I would get most of my family and friends on it as well.)

@bjtucker

Moving to a serverless/dropbox approach has been discussed a bit before. It looks like the biggest roadblock there is that we don't have good documentation on the API.

https://github.com/mitro-co/mitro/issues?utf8=%E2%9C%93&q=dropbox

So we have the server source code, and a test harness for it. This could give us a very good start on the API documentation, if someone wants to start writing it. Or, to save ourselves some work, maybe most of the questions we would use an API document to answer can be answered by looking directly at the tests.

https://github.com/mitro-co/mitro/blob/master/browser-ext/api/js/cli/runtests.py

@vijayp I am guessing here. Can you please let me know if I am leading people astray? :)

@bitsofalex

@vijayp Can we take over the brand or must we rebrand the product? Thanks.

@Immortalin

@vijayp I am willing to give monetizing Mitro another shot too.

@bjtucker

I would love to see someone monetize this if there was a free/self-hosted option still available. For example: I'd pay, but for work, we would need to host our own.

Anyone who wants to rebrand and build this to sell it is allowed to do so under the GPL. If you want to rebrand, please go do it today. I'll subscribe to your service.

@jasper-lyons

Totally up for getting together with some people to keep this running. Definitely want to help and from a quick glance at the code base I'm familiar with all of the technologies being used.

Let's make a plan?

@lababidi

@vijayp What are your total costs right now? How much time are you spending on maintenance as a team? I would certainly consider taking over this project if we could talk about a few details.

@Roconda

Roconda commented Jul 22, 2015

There is a whole community who want to run and maintain Mitro. I also want to help to maintain and brainstorm about Mitro's future. It's a great product.

@jasper-lyons

What about a Kickstarter / crowdfunding platform of choice?

@birkof

birkof commented Jul 23, 2015

I would definitely pay per month for such an awesome product! Please keep it up, guys!

@bitsofalex

A small team of us have started to rebuild the servers into several environments in hope of continuing this service's lifespan. We will continue to post to this forum to keep everyone updated.

@rogerwlucas

@bitsofalex - is one of these environments RedHat 6? We are trying to get Mitro running on that. I think the server is running OK now but we have problems with the client extension not signing in (from initial debugging it looks like a problem with the crypto initialisation and "forge.random" remaining undef). Feel free to reach out directly if you want to discuss what we have done so far...

@syrm

syrm commented Jul 27, 2015

The environment should be a container, docker, openvz, or something else.
So anyone can install it easily and safely.

@Roconda

Roconda commented Jul 28, 2015

I see that @rogerwlucas and @bitsofalex are forking Mitro and launching their own platform. I would like to see a seamless migration process from a user perspective. Is it possible to create a seamless migration instead of purging users' credentials? @vijayp

@teh

teh commented Jul 28, 2015

We too liked Mitro so we decided to run a version for ourselves. We rebranded it to https://passopolis.com because we felt that it'd be confusing to keep the original branding when people are Googling for Mitro.

Getting everything to work from this repo was a fair amount of work (10 or so evenings) but we've started publishing our fixes and changes to https://github.com/WeAreWizards/passopolis-extensions, more repositories to follow.

Using the Passopolis (Mitro) server will stay free for personal use and small teams but for larger teams we will probably start charging some competitive price to pay for maintenance and infrastructure.

We have some ideas for improvements but for now our priorities are fixing bugs and stability. We think that our passopolis server is ready enough to start migrating this week if anyone wants to move but we do still expect some rough edges while we learn how the system behaves (or doesn't behave).

@rogerwlucas

@Roconda - I'm not interested in forking Mitro. I just want to get it running on my own servers. I'll be publishing full install details for RedHat 6.x over the next week or so via comments to the appropriate Mitro issue threads on GitHub and there are some bugs that I have discovered for which I will be offering patches back to GitHub, again via the Mitro issues threads.

@syrm

syrm commented Jul 28, 2015

Nice job @teh, but like others I want a container version to install it on my server.

@teh

teh commented Jul 28, 2015

@OXman Sure, I understand. Getting the Java server to run is a pretty trivial undertaking (took me less than an hour) so I'm sure someone will dockerise that soon (we're running on NixOS). Building the extensions and fixing the bugs is what took up our time. What we're offering is to keep the open source stuff running for people who don't want to deal with backups, availability, security, building their own extension, etc. A shared server also has the advantage that teams work for more than your personal friends.

We're not expecting this to be a money making machine (quite the contrary) but we think that the marginal cost of extra users (apart from ourselves) is ~0 so we decided to spend a few more evenings on opening it up to the public.

@Immortalin

@teh it would make things much easier if you can dockerize it as using it offline would be easier e.g. syncing the encrypted database via Google Drive etc.

@ghost

ghost commented Jul 29, 2015

@rogerwlucas - did you sort out the crypto issues, or are they extension side? If the latter, then @teh - have you fixed these?

Once all this work is documented, preferably in one repo, I'd have a go at building a Docker container for this.

@rogerwlucas

@sofaofthedamned I've got it all working on RedHat 6.6 now. Sign up and password access works from Firefox and Chrome (latest versions on each). I've used the Python emailer from @fredericmohr to provide email support.

The problems with the browser extensions were due to the lru_cache.js handling of undefined vs null comparisons. I cannot see how it was working for anyone else but I have a small patch for that which makes it work properly. Basically, it couldn't put keys into its cache and this prevented signup (and everything else) from working. Once I've worked out how to drive GitHub properly, I'll get the patches up and available for everyone else.

You have to be very careful how you install on RedHat because its package versions are generally old (but stable) compared to the latest ones available but I've done the install from scratch a couple of times now on a clean system so I have the exact commands to run. Again, I'll make an install doc available once I can work out how to get files uploaded to GitHub in a clean way.

I've a small patch for the Mitro core server to allow it to serve static files from the mitro-core/html folder. For some actions, the server sends a redirect to a static file (e.g. when verifying your email address) and without some other web server (or proxy or similar) then the redirect fails. I've got some trivial default files for these so that it is obvious what you need to change and where if you want to customise it on your own system.

I'll also post instructions for updating the server TLS certificate because the default one is for mitro.co (and has expired).

@teh

teh commented Jul 29, 2015

@sofaofthedamned WeAreWizards/passopolis-extensions@b0fcf31 for the lru_cache fix

@disassembler

Since I spent a number of hours on this, I figured I'd share how I got my own on-premise mitro server working with the passopolis chrome extension. I got the on-prem mitro server up and running pretty quickly, but it took me a while to figure out how to get the extension to connect to it.

Here's how I ended up doing it (thanks to WeAreWizards and hashtagsecurity):

  1. Get mitro-server running and passing API check -- https://www.hashtagsecurity.com/mitro-login-manager-on-premise-2/

  2. Generate a self-signed SSL certificate (nginx.crt/nginx.key)

  3. Configure nginx:

    server {
        listen 443 ssl;
        server_name localhost;

        # Self-signed certificate and key generated in step 2
        ssl_certificate      nginx.crt;
        ssl_certificate_key  nginx.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        # Forward every request to the mitro server listening on port 8443
        location / {
            proxy_pass https://localhost:8443/;
        }
    }

  4. Copy SSL certificate (nginx.crt) to all client computers connecting to on-premise mitro server.

  5. Install SSL certificate to local SSL store as trusted (in browser, or on a mac, in keychain)

  6. Install passopolis extension from chrome store

  7. Go to chrome-extension://gknclpdgpfkfckamhononecbipkbmpil/html/preferences.html

  8. Set server hostname to your server running mitro.

  9. Register using passopolis extension.

  10. Import CSV downloaded from old mitro extension.

Congratulations, your secrets are now stored in your on-premise mitro server!

I'll try to get mitro server, postgresql and nginx proxy moved to docker containers using docker compose in the near future, but at least it's working now!
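
Steps 2 to 5 of the procedure above, together with the earlier remark that the default certificate is for mitro.co and has expired, as an added shell example that is not part of the original comments: it generates the self-signed `nginx.crt`/`nginx.key` with a subjectAltName for the server's hostname, then checks key match, hostname and remaining validity before the certificate is copied to clients. It assumes OpenSSL 1.1.1 or later; `make_cert`, `check_cert` and the hostname `mitro.example.internal` are illustrative names.

```sh
# Added example. Assumes OpenSSL >= 1.1.1 (needed for -addext).
# mitro.example.internal is a placeholder hostname, not a real server.

# make_cert HOST DIR [DAYS]: write DIR/nginx.crt and DIR/nginx.key,
# self-signed, with a subjectAltName that names HOST.
make_cert() {
    host=$1; dir=$2; days=${3:-365}
    ( umask 077   # keep the private key unreadable for group/other
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
          -keyout "$dir/nginx.key" -out "$dir/nginx.crt" 2>/dev/null )
}

# check_cert CRT KEY HOST [MIN_DAYS]: print "ok" or the first failed check.
check_cert() {
    crt=$1; key=$2; host=$3; min_days=${4:-30}
    # 1. The certificate must belong to the private key nginx will load.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable-cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "unreadable-key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
    # 2. It must name the host that clients enter in the extension preferences.
    openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q 'does match' \
        || { echo "hostname-mismatch"; return 1; }
    # 3. It must stay valid for at least MIN_DAYS more days.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "expiring"; return 1; }
    echo "ok"
}

# Typical use on the server, before distributing nginx.crt to clients:
#   make_cert mitro.example.internal /etc/nginx
#   check_cert /etc/nginx/nginx.crt /etc/nginx/nginx.key mitro.example.internal
```

Only `nginx.crt` is copied to client machines; `nginx.key` stays on the server.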
