starred/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-25 17:25:57 +03:00
Code Issues 39 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #6416] Deleted Items stop login working #2427

New issue
Closed
opened 2026-03-03 02:18:12 +03:00 by kerem · 34 comments
kerem commented 2026-03-03 02:18:12 +03:00
Owner
Copy link

Originally created by @SAS-1 on GitHub (Oct 30, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6416

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-3cd3d33d
  • Web-vault version: v2025.9.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: MySQL
  • Database version: 12.0.2-MariaDB-ubu2404
  • Uses config.json: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • TZ environment: Europe/London
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": false,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "*****://*************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*****************",
  "domain_origin": "*****://*****************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "********",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": "/logs/bitwarden.log",
  "log_level": "info",
  "log_timestamp_format": "%d-%m-%Y %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "purge_incomplete_sso_nonce": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "**************,**********",
  "signups_verify": true,
  "signups_verify_resend_limit": 2,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*************************",
  "smtp_from_name": "******",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": ***,
  "smtp_security": "****",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***************",
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://**********************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.3-3cd3d33d

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

SWAG

Host/Server Operating System

Linux

Operating System Version

No response

Clients

Web Vault, Android

Client Version

2025.10.0

Steps To Reproduce

Have deleted item in Vault
Log into App or Web client and it won't let you in just spins - log below

Expected Result

Able to login and deleted items in Recycle Bin

Actual Result

It just spins on Web vault after entering master password and before 2FA.

Logs

[30-10-2025 17:56:34.665][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from IP

[30-10-2025 17:56:34.666][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK

[30-10-2025 17:56:34.773][panic][ERROR] thread 'rocket-worker-thread' panicked at 'Error loading ciphers: DeserializationError(DeserializeFieldError { field_name: Some("deleted_at"), error: "Received a buffer with an invalid size while trying to read a timestamp value: Expected at least 40 bytes but got 0" })': src/db/models/cipher.rs:884

   0: vaultwarden::init_logging::{{closure}}

   1: std::panicking::rust_panic_with_hook

   2: std::panicking::begin_panic_handler::{{closure}}

   3: std::sys::backtrace::__rust_end_short_backtrace

   4: __rustc::rust_begin_unwind

   5: core::panicking::panic_fmt

   6: core::result::unwrap_failed

   7: vaultwarden::db::DbConn::run::{{closure}}::{{closure}}

   8: vaultwarden::db::models::cipher::Cipher::find_by_user::{{closure}}

   9: vaultwarden::db::models::cipher::Cipher::find_by_user_visible::{{closure}}

  10: vaultwarden::api::core::ciphers::sync::into_info::monomorphized_function::{{closure}}

  11: rocket::server::<impl rocket::rkt::Rocket<rocket::phase::Orbit>>::route::{{closure}}

  12: rocket::server::hyper_service_fn::{{closure}}::{{closure}}

  13: tokio::runtime::task::raw::poll

  14: tokio::runtime::scheduler::multi_thread::worker::Context::run_task

  15: tokio::runtime::scheduler::multi_thread::worker::run

  16: tokio::runtime::task::raw::poll

  17: std::sys::backtrace::__rust_begin_short_backtrace

  18: core::ops::function::FnOnce::call_once{{vtable.shim}}

  19: std::sys::pal::unix::thread::Thread::new::thread_start

  20: <unknown>

  21: __clone

[30-10-2025 17:56:34.821][response][INFO] (sync) GET /api/sync?<data..> => 500 Internal Server Error

[30-10-2025 17:58:58.991][vaultwarden::api::notifications][INFO] Closing WS connection from IP

Screenshots or Videos

No response

Additional Context

If I run

UPDATE ciphers SET deleted_at = NULL WHERE deleted_at IS NOT NULL;

to remove date and try logging in it works immediately but the record isn't in recycle bin.

It seems to be related to yesterday commit 2ee5819 Use Diesels MultiConnections Derive (https://github.com/dani-garcia/vaultwarden/pull/6279)

Originally created by @SAS-1 on GitHub (Oct 30, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6416 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-3cd3d33d * Web-vault version: v2025.9.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: MySQL * Database version: 12.0.2-MariaDB-ubu2404 * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * TZ environment: Europe/London * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, ADMIN_TOKEN **Config:** ```json { "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": false, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "*****://*************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*****************", "domain_origin": "*****://*****************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "********", "invitations_allowed": false, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": "/logs/bitwarden.log", "log_level": "info", "log_timestamp_format": "%d-%m-%Y %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 100000, "purge_incomplete_sso_nonce": "0 20 0 * * *", "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "**************,**********", "signups_verify": true, "signups_verify_resend_limit": 2, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*************************", "smtp_from_name": "******", "smtp_host": "**************", "smtp_password": "***", "smtp_port": ***, "smtp_security": "****", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "***************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "", "sso_authorize_extra_params": "", "sso_callback_path": "*****://**********************************************", "sso_client_cache_expiration": 0, "sso_client_id": "", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": false, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.34.3-3cd3d33d ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy SWAG ### Host/Server Operating System Linux ### Operating System Version _No response_ ### Clients Web Vault, Android ### Client Version 2025.10.0 ### Steps To Reproduce Have deleted item in Vault Log into App or Web client and it won't let you in just spins - log below ### Expected Result Able to login and deleted items in Recycle Bin ### Actual Result It just spins on Web vault after entering master password and before 2FA. ### Logs ```text [30-10-2025 17:56:34.665][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from IP [30-10-2025 17:56:34.666][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK [30-10-2025 17:56:34.773][panic][ERROR] thread 'rocket-worker-thread' panicked at 'Error loading ciphers: DeserializationError(DeserializeFieldError { field_name: Some("deleted_at"), error: "Received a buffer with an invalid size while trying to read a timestamp value: Expected at least 40 bytes but got 0" })': src/db/models/cipher.rs:884 0: vaultwarden::init_logging::{{closure}} 1: std::panicking::rust_panic_with_hook 2: std::panicking::begin_panic_handler::{{closure}} 3: std::sys::backtrace::__rust_end_short_backtrace 4: __rustc::rust_begin_unwind 5: core::panicking::panic_fmt 6: core::result::unwrap_failed 7: vaultwarden::db::DbConn::run::{{closure}}::{{closure}} 8: vaultwarden::db::models::cipher::Cipher::find_by_user::{{closure}} 9: vaultwarden::db::models::cipher::Cipher::find_by_user_visible::{{closure}} 10: vaultwarden::api::core::ciphers::sync::into_info::monomorphized_function::{{closure}} 11: rocket::server::<impl rocket::rkt::Rocket<rocket::phase::Orbit>>::route::{{closure}} 12: rocket::server::hyper_service_fn::{{closure}}::{{closure}} 13: tokio::runtime::task::raw::poll 14: tokio::runtime::scheduler::multi_thread::worker::Context::run_task 15: tokio::runtime::scheduler::multi_thread::worker::run 16: tokio::runtime::task::raw::poll 17: std::sys::backtrace::__rust_begin_short_backtrace 18: core::ops::function::FnOnce::call_once{{vtable.shim}} 19: std::sys::pal::unix::thread::Thread::new::thread_start 20: <unknown> 21: __clone [30-10-2025 17:56:34.821][response][INFO] (sync) GET /api/sync?<data..> => 500 Internal Server Error [30-10-2025 17:58:58.991][vaultwarden::api::notifications][INFO] Closing WS connection from IP ``` ### Screenshots or Videos _No response_ ### Additional Context If I run UPDATE ciphers SET deleted_at = NULL WHERE deleted_at IS NOT NULL; to remove date and try logging in it works immediately but the record isn't in recycle bin. It seems to be related to yesterday commit 2ee5819 Use Diesels MultiConnections Derive (https://github.com/dani-garcia/vaultwarden/pull/6279)
kerem 2026-03-03 02:18:12 +03:00
kerem commented 2026-03-03 02:18:13 +03:00
Author
Owner
Copy link

@weiznich commented on GitHub (Oct 31, 2025):

That sounds like yet another instance of https://jira.mariadb.org/browse/CONC-782. So it's likely an upstream issue in libmariadb.

<!-- gh-comment-id:3474192344 --> @weiznich commented on GitHub (Oct 31, 2025): That sounds like yet another instance of https://jira.mariadb.org/browse/CONC-782. So it's likely an upstream issue in libmariadb.
kerem commented 2026-03-03 02:18:13 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Oct 31, 2025):

You could use the Alpine image which shouldn't have this issue.

<!-- gh-comment-id:3474218554 --> @BlackDex commented on GitHub (Oct 31, 2025): You could use the Alpine image which shouldn't have this issue.
kerem commented 2026-03-03 02:18:14 +03:00
Author
Owner
Copy link

@tessus commented on GitHub (Oct 31, 2025):

Is this issue only a problem with the container image? After reading all the different issues starting with weiznich's link above it seems that this is always a problem when the mariadb connector lib is greater than 3.3.15.
e.g. Fedora 42 and 43 use mariadb-connector-c-3.4.5

So what is the solution? I compile vaultwarden on Fedora since my server runs Fedora.

<!-- gh-comment-id:3474417514 --> @tessus commented on GitHub (Oct 31, 2025): Is this issue only a problem with the container image? After reading all the different issues starting with weiznich's link above it seems that this is always a problem when the mariadb connector lib is greater than 3.3.15. e.g. Fedora 42 and 43 use mariadb-connector-c-3.4.5 So what is the solution? I compile vaultwarden on Fedora since my server runs Fedora.
kerem commented 2026-03-03 02:18:14 +03:00
Author
Owner
Copy link

@weiznich commented on GitHub (Nov 3, 2025):

@tessus There is no solution you as an end user can apply here other than not using the distro provided libmariadb version as it is not compatible with any diesel based application. You might want to notify the package maintainers of your distribution about this problem as well.

See https://github.com/diesel-rs/diesel/discussions/4806#discussioncomment-14857450 for more steps you can take.

<!-- gh-comment-id:3480287855 --> @weiznich commented on GitHub (Nov 3, 2025): @tessus There is no solution you as an end user can apply here other than not using the distro provided libmariadb version as it is not compatible with any diesel based application. You might want to notify the package maintainers of your distribution about this problem as well. See https://github.com/diesel-rs/diesel/discussions/4806#discussioncomment-14857450 for more steps you can take.
kerem commented 2026-03-03 02:18:14 +03:00
Author
Owner
Copy link

@tessus commented on GitHub (Nov 3, 2025):

@weiznich thanks for the reply. Although I am a bit fuzzy on the situation. Version 3.3.15 is 7 months old. Most distributions have already moved on to 3.4.z, thus - as you mentioned - the only 2 options are: 1) for distros to use a patch or 2) for the libmariadb devs to make the lib compatible with mysql again.

A fix for diesel seems complex, since one would then also have to check for library versions. Hmm. This might be a maintenance burden in the future.

I will also check, whether I can just use the mysql client lib or connector or whatever is required instead of mariadb-connector-c-devel to compile vw.

I can certainly open an issue with the Fedora packagers and bug the mariadb devs, but I doubt that the latter will have any effect on the betterment of the situation. In the ticket you referenced they were rather determined to ignore the truth and live with the inconsistencies in their code. You cannot convince people like that nor have a constructive discussion with them.

<!-- gh-comment-id:3482926912 --> @tessus commented on GitHub (Nov 3, 2025): @weiznich thanks for the reply. Although I am a bit fuzzy on the situation. Version 3.3.15 is 7 months old. Most distributions have already moved on to 3.4.z, thus - as you mentioned - the only 2 options are: 1) for distros to use a patch or 2) for the libmariadb devs to make the lib compatible with mysql again. A fix for diesel seems complex, since one would then also have to check for library versions. Hmm. This might be a maintenance burden in the future. I will also check, whether I can just use the mysql client lib or connector or whatever is required instead of mariadb-connector-c-devel to compile vw. I can certainly open an issue with the Fedora packagers and bug the mariadb devs, but I doubt that the latter will have any effect on the betterment of the situation. In the ticket you referenced they were rather determined to ignore the truth and live with the inconsistencies in their code. You cannot convince people like that nor have a constructive discussion with them.
kerem commented 2026-03-03 02:18:14 +03:00
Author
Owner
Copy link

@tessus commented on GitHub (Nov 4, 2025):

So... before trying to replace mariadb-connector-c with mysql-community-libs, I built the current main HEAD 9017ca265a on Fedora with mariadb-connector-c-3.4.5-1. I checked, they are not using any patches, so I should have received the same error as described in this issue.
On my test VM with a previous version of vw, I deleted a cipher and it was moved to the trash. Then I installed the new vw version, but was able to login. No errors in the log, no panic, no endless spinner in the webui.
Running select uuid, deleted_at from ciphers where deleted_at is not null confirmed that I had in fact 5 such entries in my database.

So now I am even more confused. I should have experienced the same issue as the OP. 🤔

<!-- gh-comment-id:3483303316 --> @tessus commented on GitHub (Nov 4, 2025): So... before trying to replace `mariadb-connector-c` with `mysql-community-libs`, I built the current main HEAD 9017ca265a28ff1370e6047b8e85c0a6c3327306 on Fedora with `mariadb-connector-c-3.4.5-1`. I checked, they are not using any patches, so I should have received the same error as described in this issue. On my test VM with a previous version of vw, I deleted a cipher and it was moved to the trash. Then I installed the new vw version, but was able to login. No errors in the log, no panic, no endless spinner in the webui. Running `select uuid, deleted_at from ciphers where deleted_at is not null` confirmed that I had in fact 5 such entries in my database. So now I am even more confused. I should have experienced the same issue as the OP. 🤔
kerem commented 2026-03-03 02:18:14 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 4, 2025):

@tessus, 3.4.5 is not affected. Only versions after that.

<!-- gh-comment-id:3484106700 --> @BlackDex commented on GitHub (Nov 4, 2025): @tessus, 3.4.5 is not affected. Only versions after that.
kerem commented 2026-03-03 02:18:14 +03:00
Author
Owner
Copy link

@tessus commented on GitHub (Nov 4, 2025):

@BlackDex thanks for the info. I guess I misunderstood https://github.com/diesel-rs/diesel/discussions/4806#discussioncomment-14814651 then, which mentioned downgrading to 3.3.15.

So I think I will work on trying to use the mysql lib instead. The problem is that mysql is not part of Fedora, which means creating a package that requires a lib from a non-Fedora repo makes it less portable/usable. This really sucks. On the other side, I am probably the only one using my Fedora vaultwarden package anyway. Well, first I have to make it work...

<!-- gh-comment-id:3484181869 --> @tessus commented on GitHub (Nov 4, 2025): @BlackDex thanks for the info. I guess I misunderstood https://github.com/diesel-rs/diesel/discussions/4806#discussioncomment-14814651 then, which mentioned downgrading to 3.3.15. So I think I will work on trying to use the mysql lib instead. The problem is that mysql is not part of Fedora, which means creating a package that requires a lib from a non-Fedora repo makes it less portable/usable. This really sucks. On the other side, I am probably the only one using my Fedora vaultwarden package anyway. Well, first I have to make it work...
kerem commented 2026-03-03 02:18:14 +03:00
Author
Owner
Copy link

@weiznich commented on GitHub (Nov 4, 2025):

A possible solution would be to explicitly add the mysqlclient-sys crate to the vaultwarden dependency list. Then you should be able to use cargo install vaultwarden -F mysql -F mysqlclient-sys/bundled to build and statically link a version of libmysqlclient that is known to work with diesel.

<!-- gh-comment-id:3484251740 --> @weiznich commented on GitHub (Nov 4, 2025): A possible solution would be to explicitly add the `mysqlclient-sys` crate to the `vaultwarden` dependency list. Then you should be able to use `cargo install vaultwarden -F mysql -F mysqlclient-sys/bundled` to build and statically link a version of `libmysqlclient` that is known to work with diesel.
kerem commented 2026-03-03 02:18:14 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 4, 2025):

A possible solution would be to explicitly add the mysqlclient-sys crate to the vaultwarden dependency list. Then you should be able to use cargo install vaultwarden -F mysql -F mysqlclient-sys/bundled to build and statically link a version of libmysqlclient that is known to work with diesel.

That is what I'm thinking about as trying to install older packages is also not really nice and easy. It will make compiling take longer though, at least the first time and as long the cache doesn't gets busted.

<!-- gh-comment-id:3484297095 --> @BlackDex commented on GitHub (Nov 4, 2025): > A possible solution would be to explicitly add the `mysqlclient-sys` crate to the `vaultwarden` dependency list. Then you should be able to use `cargo install vaultwarden -F mysql -F mysqlclient-sys/bundled` to build and statically link a version of `libmysqlclient` that is known to work with diesel. That is what I'm thinking about as trying to install older packages is also not really nice and easy. It will make compiling take longer though, at least the first time and as long the cache doesn't gets busted.
kerem commented 2026-03-03 02:18:14 +03:00
Author
Owner
Copy link

@weiznich commented on GitHub (Nov 4, 2025):

I would suggest exposing this as optional feature so users could decide to use this or not. There are reasons to use one or the other variant. Using the system libraries allows you to easily update these libraries if necessary and overall better integrates in how linux distributions want to have their packages. On the other hand that means supporting several different versions of the library which can cause problems if the underlying is not carefully about changes itself. For deployment setups (docker/etc) is often easier to just statically link everything into one binary by using the bundled feature. Also as you already wrote: Buildtimes obviously suffer from this.

For building libmysqlclient-sys via the bundled feature it's required to have cmake + a working c/c++ compiler.

<!-- gh-comment-id:3484347279 --> @weiznich commented on GitHub (Nov 4, 2025): I would suggest exposing this as optional feature so users could decide to use this or not. There are reasons to use one or the other variant. Using the system libraries allows you to easily update these libraries if necessary and overall better integrates in how linux distributions want to have their packages. On the other hand that means supporting several different versions of the library which can cause problems if the underlying is not carefully about changes itself. For deployment setups (docker/etc) is often easier to just statically link everything into one binary by using the bundled feature. Also as you already wrote: Buildtimes obviously suffer from this. For building `libmysqlclient-sys` via the bundled feature it's required to have `cmake` + a working c/c++ compiler.
kerem commented 2026-03-03 02:18:14 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 4, 2025):

My main problem currently is that we use Debian Trixie, which uses a faulty version, and now causes these issues for our Debian based containers.

<!-- gh-comment-id:3484352783 --> @BlackDex commented on GitHub (Nov 4, 2025): My main problem currently is that we use Debian Trixie, which uses a faulty version, and now causes these issues for our Debian based containers.
kerem commented 2026-03-03 02:18:14 +03:00
Author
Owner
Copy link

@tessus commented on GitHub (Nov 4, 2025):

A possible solution would be to explicitly add the mysqlclient-sys crate to the vaultwarden dependency list. Then you should be able to use cargo install vaultwarden -F mysql -F mysqlclient-sys/bundled to build and statically link a version of libmysqlclient that is known to work with diesel.

I can try that tomorrow. I just patch the Cargo.toml before building. Nice.

As for the build time: Mathijs' last improvement PR pushed it down from 18 minutes to 14 minutes on my build VMs. Also, I am not building every 5 minutes, but when there are interesting commits in main. And even if I were building a package every day, I wouldn't care whether it took 14 minutes or 60 minutes. As long as it didn't take more than 24h. ;-) hahaha.

That is what I'm thinking about as trying to install older packages is also not really nice and easy.

My thoughts exactly. I want to find a proper solution now instead of 6 months from now when older versions of the mariadb-connector are no longer available. That would require me to build my own connector and either statically link that one or build another connector package. I reckon I'd rather go with statically linking the mysql lib....

I will still open a ticket with the Fedora mariadb-connector packager.

<!-- gh-comment-id:3484883817 --> @tessus commented on GitHub (Nov 4, 2025): > A possible solution would be to explicitly add the mysqlclient-sys crate to the vaultwarden dependency list. Then you should be able to use cargo install vaultwarden -F mysql -F mysqlclient-sys/bundled to build and statically link a version of libmysqlclient that is known to work with diesel. I can try that tomorrow. I just patch the Cargo.toml before building. Nice. As for the build time: Mathijs' last improvement PR pushed it down from 18 minutes to 14 minutes on my build VMs. Also, I am not building every 5 minutes, but when there are interesting commits in main. And even if I were building a package every day, I wouldn't care whether it took 14 minutes or 60 minutes. As long as it didn't take more than 24h. ;-) hahaha. > That is what I'm thinking about as trying to install older packages is also not really nice and easy. My thoughts exactly. I want to find a proper solution now instead of 6 months from now when older versions of the mariadb-connector are no longer available. That would require me to build my own connector and either statically link that one or build another connector package. I reckon I'd rather go with statically linking the mysql lib.... I will still open a ticket with the Fedora mariadb-connector packager.
kerem commented 2026-03-03 02:18:15 +03:00
Author
Owner
Copy link

@weiznich commented on GitHub (Nov 4, 2025):

Such an feature could also be enabled by "default" with some way to disable it. Eg. by having the vaultwarden mysql feature enable the bundled feature, but also provide a mysql-unbundled feature that doesn't bundle the lib.

Other than that I see the following options:

  • Someone needs to submit a fix/revert for the broken behaviour to libmariadb and see what is happening then
  • I still think it might be worth to notify distro maintainers of that package about this problem, possibly we can get at least a fix/revert there?
  • Someone needs to dig through and workaround the issue there. Possibly by changing this construction to use the known size for statically sized types instead. Such a change would need to be rather careful to verify that the buffer has the correct size and is correctly initialized. Additionally I'm still skeptical to include such a workaround given that libmariadb did already ship such a breaking change once and they don't really seam to care about that. That doesn't increase the trust in them not doing something like that again.
<!-- gh-comment-id:3485478110 --> @weiznich commented on GitHub (Nov 4, 2025): Such an feature could also be enabled by "default" with some way to disable it. Eg. by having the `vaultwarden` `mysql` feature enable the `bundled` feature, but also provide a `mysql-unbundled` feature that doesn't bundle the lib. Other than that I see the following options: * Someone needs to submit a fix/revert for the broken behaviour to libmariadb and see what is happening then * I still think it might be worth to notify distro maintainers of that package about this problem, possibly we can get at least a fix/revert there? * Someone needs to dig through and workaround the issue there. Possibly by changing [this](https://github.com/diesel-rs/diesel/blob/143b254c5b2cc49e2d7d52da69f68eec67a46d86/diesel/src/mysql/connection/bind.rs#L419) construction to use the known size for statically sized types instead. Such a change would need to be rather careful to verify that the buffer has the correct size and is correctly initialized. Additionally I'm still skeptical to include such a workaround given that libmariadb did already ship such a breaking change once and they don't really seam to care about that. That doesn't increase the trust in them not doing something like that again.
kerem commented 2026-03-03 02:18:15 +03:00
Author
Owner
Copy link

@tessus commented on GitHub (Nov 4, 2025):

Here's my feedback. It worked mostly great, but interestingly I had to install 3 packages: libtirpc-devel, perl-Time-Piece, and ncurses-devel. (The cargo build process failed 3 times.) While I understand the first 2, ncurses makes no sense for a mysql lib nor for the build process. But it's not an issue, just strange.

Then it compiled successfully, but spat out a warning:

warning: the following packages contain code that will be rejected by a future version of Rust: num-bigint-dig v0.8.4

I updated with cargo update num-bigint-dig, but 0.8.5 yielded the same warning. It seems an additional fix has been added after 0.8.5 was released, so that should be solved soon.

The size of the binary has increased from 38 MB to 52 MB.

Digging a bit deeper it seems that -F mysqlclient-sys/bundled not only statically linked mysql, but also openssl. Hmmm. This is rather annoying and makes me slightly unhappy. But I guess I will have to live with it.

Another strange thing is that I removed all mariadb* packages before building vw with -F mysqlclient-sys/bundled and there was no libmysqlclient library (static or dynamic) on the system, because I forgot to install it after removing the mariadb packages. I ran a find on / and there was definitely not another one hiding somewhere else. Yet, I did not encounter a build error. Both crates mysqlclient-sys and mysqlclient-src explicitly state that the libmysqlclient library is required for building them.

I tested the binary and it works. I don't understand why and how, but it does.

The only explanation I could come up with is that mysqlclient-sys/bundled builds a static library even without the mysql development and library packages installed. But for the default feature set, a dynamic lib from the system is used.

Anyhoo, all in all it was successful. Thanks for the mysqlclient-sys/bundled suggestion. Now I'll have to decide whether I accept the fact that openssl is statically linked or that the resulting binary depends on a non-Fedora package.
Decisions, decisions. (crap, there is no pulling-out-my-hair emoji)

For reference:

ldd before 

linux-vdso.so.1 (0x00007f81b9e03000)
libssl.so.3 => /lib64/libssl.so.3 (0x00007f81b7b28000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f81b7600000)
libmariadb.so.3 => /lib64/libmariadb.so.3 (0x00007f81b9d9a000)
libpq.so.5 => /lib64/libpq.so.5 (0x00007f81b7ad5000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f81b75d4000)
libm.so.6 => /lib64/libm.so.6 (0x00007f81b74e6000)
libc.so.6 => /lib64/libc.so.6 (0x00007f81b72f4000)
libz.so.1 => /lib64/libz.so.1 (0x00007f81b72d1000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f81b727b000)
libldap.so.2 => /lib64/libldap.so.2 (0x00007f81b7215000)
/lib64/ld-linux-x86-64.so.2 (0x00007f81b9e05000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f81b714b000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f81b9d7f000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f81b9d78000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f81b7ac5000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f81b7abe000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f81b7139000)
liblber.so.2 => /lib64/liblber.so.2 (0x00007f81b7128000)
libevent-2.1.so.7 => /lib64/libevent-2.1.so.7 (0x00007f81b70d0000)
libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f81b70b1000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f81b7080000)
libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f81b704b000)
libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f81b6fa0000)

ldd after 

linux-vdso.so.1 (0x00007f3c7c9d9000)
libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f3c79600000)
libpq.so.5 => /lib64/libpq.so.5 (0x00007f3c7c962000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f3c7c936000)
libm.so.6 => /lib64/libm.so.6 (0x00007f3c7990c000)
libc.so.6 => /lib64/libc.so.6 (0x00007f3c7940c000)
libssl.so.3 => /lib64/libssl.so.3 (0x00007f3c79321000)
libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f3c78c00000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f3c7c8de000)
libldap.so.2 => /lib64/libldap.so.2 (0x00007f3c798a5000)
/lib64/ld-linux-x86-64.so.2 (0x00007f3c7c9db000)
libz.so.1 => /lib64/libz.so.1 (0x00007f3c79882000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f3c79257000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f3c79240000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f3c7c8d6000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f3c79230000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f3c7987c000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f3c7921e000)
liblber.so.2 => /lib64/liblber.so.2 (0x00007f3c7920d000)
libevent-2.1.so.7 => /lib64/libevent-2.1.so.7 (0x00007f3c791b6000)
libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f3c79197000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f3c79166000)
libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f3c78bcc000)
libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f3c78b21000)

P.S.: I made a mistake. openssl is not linked statically.

<!-- gh-comment-id:3488463886 --> @tessus commented on GitHub (Nov 4, 2025): Here's my feedback. It worked mostly great, but interestingly I had to install 3 packages: `libtirpc-devel`, `perl-Time-Piece`, and `ncurses-devel`. (The cargo build process failed 3 times.) While I understand the first 2, ncurses makes no sense for a mysql lib nor for the build process. But it's not an issue, just strange. Then it compiled successfully, but spat out a warning: ``` warning: the following packages contain code that will be rejected by a future version of Rust: num-bigint-dig v0.8.4 ``` I updated with `cargo update num-bigint-dig`, but 0.8.5 yielded the same warning. It seems an additional fix has been added after 0.8.5 was released, so that should be solved soon. The size of the binary has increased from 38 MB to 52 MB. ~~Digging a bit deeper it seems that `-F mysqlclient-sys/bundled` not only statically linked mysql, but also openssl. Hmmm. This is rather annoying and makes me slightly unhappy. But I guess I will have to live with it.~~ Another strange thing is that I removed all mariadb* packages before building vw with `-F mysqlclient-sys/bundled` and there was no `libmysqlclient` library (static or dynamic) on the system, because I forgot to install it after removing the mariadb packages. I ran a find on / and there was definitely not another one hiding somewhere else. Yet, I did not encounter a build error. Both crates `mysqlclient-sys` and `mysqlclient-src` explicitly state that the `libmysqlclient` library is required for building them. I tested the binary and it works. I don't understand why and how, but it does. The only explanation I could come up with is that `mysqlclient-sys/bundled` builds a static library even without the mysql development and library packages installed. But for the default feature set, a dynamic lib from the system is used. Anyhoo, all in all it was successful. Thanks for the `mysqlclient-sys/bundled` suggestion. ~~Now I'll have to decide whether I accept the fact that openssl is statically linked or that the resulting binary depends on a non-Fedora package. Decisions, decisions. (crap, there is no pulling-out-my-hair emoji)~~ ---- For reference: <details><summary>ldd before</summary> <p> ``` linux-vdso.so.1 (0x00007f81b9e03000) libssl.so.3 => /lib64/libssl.so.3 (0x00007f81b7b28000) libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f81b7600000) libmariadb.so.3 => /lib64/libmariadb.so.3 (0x00007f81b9d9a000) libpq.so.5 => /lib64/libpq.so.5 (0x00007f81b7ad5000) libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f81b75d4000) libm.so.6 => /lib64/libm.so.6 (0x00007f81b74e6000) libc.so.6 => /lib64/libc.so.6 (0x00007f81b72f4000) libz.so.1 => /lib64/libz.so.1 (0x00007f81b72d1000) libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f81b727b000) libldap.so.2 => /lib64/libldap.so.2 (0x00007f81b7215000) /lib64/ld-linux-x86-64.so.2 (0x00007f81b9e05000) libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f81b714b000) libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f81b9d7f000) libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f81b9d78000) libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f81b7ac5000) libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f81b7abe000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f81b7139000) liblber.so.2 => /lib64/liblber.so.2 (0x00007f81b7128000) libevent-2.1.so.7 => /lib64/libevent-2.1.so.7 (0x00007f81b70d0000) libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f81b70b1000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f81b7080000) libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f81b704b000) libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f81b6fa0000) ``` </p> </details> <details><summary>ldd after</summary> <p> ``` linux-vdso.so.1 (0x00007f3c7c9d9000) libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f3c79600000) libpq.so.5 => /lib64/libpq.so.5 (0x00007f3c7c962000) libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f3c7c936000) libm.so.6 => /lib64/libm.so.6 (0x00007f3c7990c000) libc.so.6 => /lib64/libc.so.6 (0x00007f3c7940c000) libssl.so.3 => /lib64/libssl.so.3 (0x00007f3c79321000) libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f3c78c00000) libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f3c7c8de000) libldap.so.2 => /lib64/libldap.so.2 (0x00007f3c798a5000) /lib64/ld-linux-x86-64.so.2 (0x00007f3c7c9db000) libz.so.1 => /lib64/libz.so.1 (0x00007f3c79882000) libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f3c79257000) libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f3c79240000) libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f3c7c8d6000) libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f3c79230000) libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f3c7987c000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f3c7921e000) liblber.so.2 => /lib64/liblber.so.2 (0x00007f3c7920d000) libevent-2.1.so.7 => /lib64/libevent-2.1.so.7 (0x00007f3c791b6000) libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f3c79197000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f3c79166000) libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f3c78bcc000) libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f3c78b21000) ``` </p> </details> P.S.: I made a mistake. openssl is not linked statically.
kerem commented 2026-03-03 02:18:15 +03:00
Author
Owner
Copy link

@weiznich commented on GitHub (Nov 5, 2025):

Here's my feedback. It worked mostly great, but interestingly I had to install 3 packages: libtirpc-devel, perl-Time-Piece, and ncurses-devel. (The cargo build process failed 3 times.)

These are required by mysql itself. There is unfortunately no way to run their configure script only for libmysqlclient, so you need to have all dependencies for all parts of the code on your system.

Digging a bit deeper it seems that -F mysqlclient-sys/bundled not only statically linked mysql, but also openssl. Hmmm. This is rather annoying and makes me slightly unhappy. But I guess I will have to live with it.

As far as I can tell this is correct, but might be something that could be changed. github.com/sgrif/mysqlclient-sys@65d2f05886/mysqlclient-src/Cargo.toml (L203) specifies that it uses the bundled openssl-sys build. It would need to be something more along this https://github.com/sgrif/pq-sys/blob/master/pq-src/Cargo.toml#L206 line. This likely requires some additional tweaking of the build parameters passed to cmake. Contributions for that are certainly welcome. With a solution like that implemented in pq-sys you would be able to dynamically link openssl or statically link it as well by manually enabling the openssl/vendored feature from the top level crate.

Another strange thing is that I removed all mariadb* packages before building vw with -F mysqlclient-sys/bundled and there was no libmysqlclient library (static or dynamic) on the system, because I forgot to install it after removing the mariadb packages. I ran a find on / and there was definitely not another one hiding somewhere else. Yet, I did not encounter a build error. Both crates mysqlclient-sys and mysqlclient-src explicitly state that the libmysqlclient library is required for building them.

The mysqlclient-src crate brings it's own copy of the mysql source code. https://docs.rs/crate/mysqlclient-src/latest/source/source/. So yes it still requires libmysqlclient but it brings its own version to satisfy that requirement.

<!-- gh-comment-id:3489922937 --> @weiznich commented on GitHub (Nov 5, 2025): > Here's my feedback. It worked mostly great, but interestingly I had to install 3 packages: libtirpc-devel, perl-Time-Piece, and ncurses-devel. (The cargo build process failed 3 times.) These are required by mysql itself. There is unfortunately no way to run their configure script only for libmysqlclient, so you need to have all dependencies for all parts of the code on your system. > Digging a bit deeper it seems that -F mysqlclient-sys/bundled not only statically linked mysql, but also openssl. Hmmm. This is rather annoying and makes me slightly unhappy. But I guess I will have to live with it. As far as I can tell this is correct, but might be something that could be changed. https://github.com/sgrif/mysqlclient-sys/blob/65d2f058864ec58fcb868cabeab85b908ab85f31/mysqlclient-src/Cargo.toml#L203 specifies that it uses the bundled openssl-sys build. It would need to be something more along this https://github.com/sgrif/pq-sys/blob/master/pq-src/Cargo.toml#L206 line. This likely requires some additional tweaking of the build parameters passed to cmake. Contributions for that are certainly welcome. With a solution like that implemented in pq-sys you would be able to dynamically link openssl or statically link it as well by manually enabling the openssl/vendored feature from the top level crate. > Another strange thing is that I removed all mariadb* packages before building vw with -F mysqlclient-sys/bundled and there was no libmysqlclient library (static or dynamic) on the system, because I forgot to install it after removing the mariadb packages. I ran a find on / and there was definitely not another one hiding somewhere else. Yet, I did not encounter a build error. Both crates mysqlclient-sys and mysqlclient-src explicitly state that the libmysqlclient library is required for building them. The `mysqlclient-src` crate brings it's own copy of the mysql source code. https://docs.rs/crate/mysqlclient-src/latest/source/source/. So yes it still requires libmysqlclient but it brings its own version to satisfy that requirement.
kerem commented 2026-03-03 02:18:15 +03:00
Author
Owner
Copy link

@tessus commented on GitHub (Nov 5, 2025):

@weiznich thx for your reply. I made a mistake and it seems that the openssl is not statically linked.

I also found out that Fedora apparently now has mysql in its default repo as well. I don't know when that happened, but it seems it is no longer necessary to use the oracle mysql repo. I recall a rather nasty fight about licensing and whatnot, but I guess this was resolved at one point.

This means I can choose to statically link the mysql client or not. I like to have options, so that's great.

<!-- gh-comment-id:3489965147 --> @tessus commented on GitHub (Nov 5, 2025): @weiznich thx for your reply. I made a mistake and it seems that the openssl is not statically linked. I also found out that Fedora apparently now has mysql in its default repo as well. I don't know when that happened, but it seems it is no longer necessary to use the oracle mysql repo. I recall a rather nasty fight about licensing and whatnot, but I guess this was resolved at one point. This means I can choose to statically link the mysql client or not. I like to have options, so that's great.
kerem commented 2026-03-03 02:18:15 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 5, 2025):

@weiznich thx for your reply. I made a mistake and it seems that the openssl is not statically linked.

I think it is, and to make it worse, it's statically linked, and dynamically.
The MySQL Client library uses the statically linked version, and all other parts of Vaultwarden will use the dynamically linked version.

You can verify this by running this command on the resulted binary.

strings ./target/debug/vaultwarden | grep -iE "OpenSSL 3"
# Or for release
strings ./target/release/vaultwarden | grep -iE "OpenSSL 3"

I also found out that Fedora apparently now has mysql in its default repo as well. I don't know when that happened, but it seems it is no longer necessary to use the oracle mysql repo. I recall a rather nasty fight about licensing and whatnot, but I guess this was resolved at one point.

This means I can choose to statically link the mysql client or not. I like to have options, so that's great.

I'm not sure you can fully statically link a glibc library externally provided, but i could be wrong of course. Also, if you build against the Oracle MySQL and only provide the binary, and someone has the MariaDB client installed, that could cause weird issues.

<!-- gh-comment-id:3490482463 --> @BlackDex commented on GitHub (Nov 5, 2025): > [@weiznich](https://github.com/weiznich) thx for your reply. I made a mistake and it seems that the openssl is not statically linked. > I think it is, and to make it worse, it's statically linked, and dynamically. The MySQL Client library uses the statically linked version, and all other parts of Vaultwarden will use the dynamically linked version. You can verify this by running this command on the resulted binary. ```bash strings ./target/debug/vaultwarden | grep -iE "OpenSSL 3" # Or for release strings ./target/release/vaultwarden | grep -iE "OpenSSL 3" ``` > I also found out that Fedora apparently now has mysql in its default repo as well. I don't know when that happened, but it seems it is no longer necessary to use the oracle mysql repo. I recall a rather nasty fight about licensing and whatnot, but I guess this was resolved at one point. > > This means I can choose to statically link the mysql client or not. I like to have options, so that's great. I'm not sure you can fully statically link a glibc library externally provided, but i could be wrong of course. Also, if you build against the Oracle MySQL and only provide the binary, and someone has the MariaDB client installed, that could cause weird issues.
kerem commented 2026-03-03 02:18:15 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 5, 2025):

I tried to use the OPENSSL_NO_VENDOR=true option, but that is causing race-condition and always fails to build, no matter if i point specifically to the correct libraries. So, probably the only way to fix that is by adding a no-bundled-openssl feature to mysqlclient-sys/src, or make bundled-openssl the default, as Weiznich mentioned

<!-- gh-comment-id:3490835056 --> @BlackDex commented on GitHub (Nov 5, 2025): I tried to use the `OPENSSL_NO_VENDOR=true` option, but that is causing race-condition and always fails to build, no matter if i point specifically to the correct libraries. So, probably the only way to fix that is by adding a `no-bundled-openssl` feature to mysqlclient-sys/src, or make bundled-openssl the default, as Weiznich mentioned
kerem commented 2026-03-03 02:18:15 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 5, 2025):

I think we need to stop building Debian images, and only use Alpine from now on.
There we (I my self) control which version is used, and i might even be able to switch to Oracle's version, but that is probably not the best idea either.

<!-- gh-comment-id:3491306900 --> @BlackDex commented on GitHub (Nov 5, 2025): I think we need to stop building Debian images, and only use Alpine from now on. There we (I my self) control which version is used, and i might even be able to switch to Oracle's version, but that is probably not the best idea either.
kerem commented 2026-03-03 02:18:15 +03:00
Author
Owner
Copy link

@weiznich commented on GitHub (Nov 5, 2025):

Just to mention that as that would be another option to sidestep this mess: Diesel-async doesn't use the c client libraries for mysql/postgres. You could likely use AsyncConnectionWrapper<AsyncMysqlConnection> as drop in replacement of diesel::MysqlConnection.

Switching to diesel_async for "everything" is likely more work as it would break e.g. #[derive(MultiConnection)]

<!-- gh-comment-id:3491324451 --> @weiznich commented on GitHub (Nov 5, 2025): Just to mention that as that would be another option to sidestep this mess: Diesel-async doesn't use the c client libraries for mysql/postgres. You could likely use `AsyncConnectionWrapper<AsyncMysqlConnection>` as drop in replacement of `diesel::MysqlConnection`. Switching to diesel_async for "everything" is likely more work as it would break e.g. `#[derive(MultiConnection)]`
kerem commented 2026-03-03 02:18:15 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 5, 2025):

Using diesel_async and those libraries also brings in aws-lc or we need to use ring. I'm not sure how that will break all users which have a secure connection. Only using Alpine/Static build libraries will at least work as a drop-in replacement (for the most part). So i think for now, to at least not causes issues with a new version we want to release soon, is stop building Debian for now.

The Async stuff would be nice in the future, but If that now might cause breaking or different way of working for the just recently merged MultiConnection, that would be a pain.

<!-- gh-comment-id:3491397381 --> @BlackDex commented on GitHub (Nov 5, 2025): Using diesel_async and those libraries also brings in aws-lc or we need to use ring. I'm not sure how that will break all users which have a secure connection. Only using Alpine/Static build libraries will at least work as a drop-in replacement (for the most part). So i think for now, to at least not causes issues with a new version we want to release soon, is stop building Debian for now. The Async stuff would be nice in the future, but If that now might cause breaking or different way of working for the just recently merged MultiConnection, that would be a pain.
kerem commented 2026-03-03 02:18:15 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 5, 2025):

I Think i will do something else, ill switch to Ubuntu, that has Oracle's MySQL version in the repo.
Scrap that, Ubuntu doesn't support all architectures we provide currently.

<!-- gh-comment-id:3491556882 --> @BlackDex commented on GitHub (Nov 5, 2025): ~I Think i will do something else, ill switch to Ubuntu, that has Oracle's MySQL version in the repo.~ Scrap that, Ubuntu doesn't support all architectures we provide currently.
kerem commented 2026-03-03 02:18:15 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 5, 2025):

FYI: I created a PR to stop building Debian images #6440

<!-- gh-comment-id:3492145420 --> @BlackDex commented on GitHub (Nov 5, 2025): FYI: I created a PR to stop building Debian images #6440
kerem commented 2026-03-03 02:18:16 +03:00
Author
Owner
Copy link

@tessus commented on GitHub (Nov 5, 2025):

I think it is, and to make it worse, it's statically linked, and dynamically.
The MySQL Client library uses the statically linked version, and all other parts of Vaultwarden will use the dynamically linked version.

I agree, it is not optimal, but in reality not a problem. And unfortunately this happens more often than you might think.

But let's play it through: The statically linked OpenSSL is the same as the one currently installed on the system. (in my case 3.5.4)
So database operations are handled by this version of OpenSSL. Everything works.
The rest of vaultwaden uses the dynamically linked version of OpenSSL, which is currently also 3.5.4. Everyhing works.
In the future, OpenSSL will be updated by the Linux distro. Please note that distros make sure that updates to OpenSSL are ABI compatible. In rare cases when this is not the case, the "old" shared lib is still kept in place. So even though the new version might be 3.5.z or 3.6.z, the binaries using the shared lib will still work. So will the database operations via the statically linked code.

The reason why I am unhappy, is 3-fold: 1) it's a waste of space 2) new features that might be possible with newer versions of OpenSSL would not be available for the database operations 3) security updates. The latter 2 are more or less philosophical, since it takes a while to propagate stuff from OpenSSL, through crates, to vw code. TLS is used by the mysql client for establishing a connection - that's it. No new feature will be that important, especially since a connection will still be established either way. Security updates are important, but by that time I'll have already created a new package.

To circle back, it is not optimal, but it is not an operational showstopper.

Also, if you build against the Oracle MySQL and only provide the binary, and someone has the MariaDB client installed, that could cause weird issues.

No, this wouldn't be the case. There are a bunch of safeguards in place:

The mariadb library has a different name from the mysql library. Even if it were installed on the target system it wouldn't be used.
The Oracle MySQL and Fedora MySQL packages use the same library name, but different package names. However, these packages are pretty much the same - and 100% ABI compatible.

Thus a system could have either one installed and vaultwarden would run just fine.

Adittionally, RPMs allow you to specify dependencies. I could require a specific package (one of the 2), make it conflicting with the other, or I could allow both, or even specify the full path to the library (which is IMO a bad idea).

Thus, if I were to build against Oracle MySQL and allow the target system to use the Fedora MySQL client package, all would be good.

<!-- gh-comment-id:3493802705 --> @tessus commented on GitHub (Nov 5, 2025): > I think it is, and to make it worse, it's statically linked, and dynamically. The MySQL Client library uses the statically linked version, and all other parts of Vaultwarden will use the dynamically linked version. I agree, it is not optimal, but in reality not a problem. And unfortunately this happens more often than you might think. But let's play it through: The statically linked OpenSSL is the same as the one currently installed on the system. (in my case 3.5.4) So database operations are handled by this version of OpenSSL. Everything works. The rest of vaultwaden uses the dynamically linked version of OpenSSL, which is currently also 3.5.4. Everyhing works. In the future, OpenSSL will be updated by the Linux distro. Please note that distros make sure that updates to OpenSSL are ABI compatible. In rare cases when this is not the case, the "old" shared lib is still kept in place. So even though the new version might be 3.5.z or 3.6.z, the binaries using the shared lib will still work. So will the database operations via the statically linked code. The reason why I am unhappy, is 3-fold: 1) it's a waste of space 2) new features that might be possible with newer versions of OpenSSL would not be available for the database operations 3) security updates. The latter 2 are more or less philosophical, since it takes a while to propagate stuff from OpenSSL, through crates, to vw code. TLS is used by the mysql client for establishing a connection - that's it. No new feature will be that important, especially since a connection will still be established either way. Security updates are important, but by that time I'll have already created a new package. To circle back, it is not optimal, but it is not an operational showstopper. > Also, if you build against the Oracle MySQL and only provide the binary, and someone has the MariaDB client installed, that could cause weird issues. No, this wouldn't be the case. There are a bunch of safeguards in place: The mariadb library has a different name from the mysql library. Even if it were installed on the target system it wouldn't be used. The Oracle MySQL and Fedora MySQL packages use the same library name, but different package names. However, these packages are pretty much the same - and 100% ABI compatible. Thus a system could have either one installed and vaultwarden would run just fine. Adittionally, RPMs allow you to specify dependencies. I could require a specific package (one of the 2), make it conflicting with the other, or I could allow both, or even specify the full path to the library (which is IMO a bad idea). Thus, if I were to build against Oracle MySQL and allow the target system to use the Fedora MySQL client package, all would be good.
kerem commented 2026-03-03 02:18:16 +03:00
Author
Owner
Copy link

@tessus commented on GitHub (Nov 5, 2025):

I created a PR to stop building Debian images

@BlackDex why not just use the oracle apt repo? It's quite straightforward to setup. Adding this to the build process should be an easy endeavor.

I am not a fan of Oracle (I was in IBM DB2 development for a long time), but if it is an easy fix, why not use it?

<!-- gh-comment-id:3493827738 --> @tessus commented on GitHub (Nov 5, 2025): > I created a PR to stop building Debian images @BlackDex why not just use the oracle apt repo? It's quite straightforward to [setup](https://dev.mysql.com/doc/refman/8.4/en/linux-installation-apt-repo.html). Adding this to the build process should be an easy endeavor. I am not a fan of Oracle (I was in IBM DB2 development for a long time), but if it is an easy fix, why not use it?
kerem commented 2026-03-03 02:18:16 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 5, 2025):

I created a PR to stop building Debian images

@BlackDex why not just use the oracle apt repo? It's quite straightforward to setup. Adding this to the build process should be an easy endeavor.

I am not a fan of Oracle (I was in IBM DB2 development for a long time), but if it is an easy fix, why not use it?

Oracle only builds amd64 and arm64, so not all architectures we support are available. Kinda the same as with Ubuntu. Only armhf is available, and we currently also provide arm (no hf).

While I'm not sure if that is still used, but i think it is, older NAS devices run on this.

<!-- gh-comment-id:3493880676 --> @BlackDex commented on GitHub (Nov 5, 2025): > > I created a PR to stop building Debian images > > [@BlackDex](https://github.com/BlackDex) why not just use the oracle apt repo? It's quite straightforward to [setup](https://dev.mysql.com/doc/refman/8.4/en/linux-installation-apt-repo.html). Adding this to the build process should be an easy endeavor. > > I am not a fan of Oracle (I was in IBM DB2 development for a long time), but if it is an easy fix, why not use it? Oracle only builds amd64 and arm64, so not all architectures we support are available. Kinda the same as with Ubuntu. Only armhf is available, and we currently also provide arm (no hf). While I'm not sure if that is still used, but i think it is, older NAS devices run on this.
kerem commented 2026-03-03 02:18:16 +03:00
Author
Owner
Copy link

@tessus commented on GitHub (Nov 5, 2025):

@BlackDex Thanks, this makes sense. I haven't thought of that. On the other hand, it doesn't hurt to just provide what is possible. There is no rule that states you have to provide containers/packages for all supported platforms. ;-)
I'm sure that people who are currently using your Debian containers on {amd,arm}64 will appreciate it.

<!-- gh-comment-id:3493908099 --> @tessus commented on GitHub (Nov 5, 2025): @BlackDex Thanks, this makes sense. I haven't thought of that. On the other hand, it doesn't hurt to just provide what is possible. There is no rule that states you have to provide containers/packages for all supported platforms. ;-) I'm sure that people who are currently using your Debian containers on {amd,arm}64 will appreciate it.
kerem commented 2026-03-03 02:18:16 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 5, 2025):

There is also no main reason to provide all these different container images if we need to jump through hoops.

The static binaries work fine, Alpine has 0 security issues according to trivy, and Debian, 51 and Ubuntu 11, so that is also a win from my point of view.

<!-- gh-comment-id:3494009871 --> @BlackDex commented on GitHub (Nov 5, 2025): There is also no main reason to provide all these different container images if we need to jump through hoops. The static binaries work fine, Alpine has 0 security issues according to trivy, and Debian, 51 and Ubuntu 11, so that is also a win from my point of view.
kerem commented 2026-03-03 02:18:16 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 9, 2025):

Ok.. I found something strange, and please if someone can correct me if I'm wrong here.
But i tried ArchLinux version of Vaultwarden, and that seems to work just fine, though is seems to be using the 12.0.2 server version, which uses the 3.4.7 connecter-c version. And there are no issue there.

I see no patches done on the client, so, something most be different?
Maybe @polyzen could help here to clarify this maybe?

<!-- gh-comment-id:3508399380 --> @BlackDex commented on GitHub (Nov 9, 2025): Ok.. I found something strange, and please if someone can correct me if I'm wrong here. But i tried ArchLinux version of Vaultwarden, and that seems to work just fine, though is seems to be using the `12.0.2` server version, which uses the `3.4.7` connecter-c version. And there are no issue there. I see no patches done on the client, so, something most be different? Maybe @polyzen could help here to clarify this maybe?
kerem commented 2026-03-03 02:18:16 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 9, 2025):

Ok... So.... I tried the Alpine package of Vaultwarden too, and that seems to work also...
This doesn't make it less strange.

<!-- gh-comment-id:3508440506 --> @BlackDex commented on GitHub (Nov 9, 2025): Ok... So.... I tried the Alpine package of Vaultwarden too, and that seems to work also... This doesn't make it less strange.
kerem commented 2026-03-03 02:18:16 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 9, 2025):

@weiznich, I'm not sure what exactly has changed in v2.3.x of Diesel which could cause this behavior.

But When testing the Alpine/Arch binaries, they worked just fine, then looking at the dependencies, it was still using Diesel v2.2.12.

Now i reverted Diesel back to v2.2.12 in my testing environment, and i needed to make some changes to get it to work like remove BigDecimal (Because that was fixed in a newer version) and some other small stuff, but it builds fine, and also doesn't cause this bug to happen.

Isn't there still a chance something broke in Diesel which caused a regression to happen?

<!-- gh-comment-id:3508465595 --> @BlackDex commented on GitHub (Nov 9, 2025): @weiznich, I'm not sure what exactly has changed in v2.3.x of Diesel which could cause this behavior. But When testing the Alpine/Arch binaries, they worked just fine, then looking at the dependencies, it was still using Diesel v2.2.12. Now i reverted Diesel back to v2.2.12 in my testing environment, and i needed to make some changes to get it to work like remove BigDecimal (Because that was fixed in a newer version) and some other small stuff, but it builds fine, and also doesn't cause this bug to happen. Isn't there still a chance something broke in Diesel which caused a regression to happen?
kerem commented 2026-03-03 02:18:16 +03:00
Author
Owner
Copy link

@weiznich commented on GitHub (Nov 9, 2025):

It "works" with older diesel versions because the check that generates this error was only introduced recently with https://github.com/diesel-rs/diesel/pull/4756

These checks were introduced as reaction to a code audit. See the report here.

Without this check the relevant code could and technically does perform a out of bounds read.

Am I 100% sure that this is bug free now? No, but I'm certain that this is now more correct than before.

https://github.com/diesel-rs/diesel/pull/4851 might help to actually address the problem, it still need some time from me to understand if that is sound.

<!-- gh-comment-id:3508822097 --> @weiznich commented on GitHub (Nov 9, 2025): It "works" with older diesel versions because the check that generates this error was only introduced recently with https://github.com/diesel-rs/diesel/pull/4756 These checks were introduced as reaction to a code audit. See the report [here](http://diesel.rs/assets/NGICore%20Diesel%20penetration%20test%20report%202025%201.0.pdf). Without this check the relevant code could and technically does perform a out of bounds read. Am I 100% sure that this is bug free now? No, but I'm certain that this is now more correct than before. https://github.com/diesel-rs/diesel/pull/4851 might help to actually address the problem, it still need some time from me to understand if that is sound.
kerem commented 2026-03-03 02:18:16 +03:00
Author
Owner
Copy link

@BlackDex commented on GitHub (Nov 10, 2025):

It "works" with older diesel versions because the check that generates this error was only introduced recently with diesel-rs/diesel#4756

These checks were introduced as reaction to a code audit. See the report here.

Without this check the relevant code could and technically does perform a out of bounds read.

Am I 100% sure that this is bug free now? No, but I'm certain that this is now more correct than before.

diesel-rs/diesel#4851 might help to actually address the problem, it still need some time from me to understand if that is sound.

Ah cool, thanks for the details.

<!-- gh-comment-id:3511210414 --> @BlackDex commented on GitHub (Nov 10, 2025): > It "works" with older diesel versions because the check that generates this error was only introduced recently with [diesel-rs/diesel#4756](https://github.com/diesel-rs/diesel/pull/4756) > > These checks were introduced as reaction to a code audit. See the report [here](http://diesel.rs/assets/NGICore%20Diesel%20penetration%20test%20report%202025%201.0.pdf). > > Without this check the relevant code could and technically does perform a out of bounds read. > > Am I 100% sure that this is bug free now? No, but I'm certain that this is now more correct than before. > > [diesel-rs/diesel#4851](https://github.com/diesel-rs/diesel/pull/4851) might help to actually address the problem, it still need some time from me to understand if that is sound. Ah cool, thanks for the details.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
revert-7033-patch-1
cached-config-operations
test_dylint
1.35.7
1.35.6
1.35.5
1.35.4
1.35.3
1.35.2
1.35.1
1.35.0
1.34.3
1.34.2
1.34.1
1.34.0
1.33.2
1.33.1
1.33.0
1.32.7
1.32.6
1.32.5
1.32.4
1.32.3
1.32.2
1.32.1
1.32.0
1.31.0
1.30.5
1.30.4
1.30.3
1.30.2
1.30.1
1.30.0
1.29.2
1.29.1
1.29.0
1.28.1
1.28.0
1.27.0
1.26.0
1.25.2
1.25.1
1.25.0
1.24.0
1.23.1
1.23.0
1.22.2
1.22.1
1.22.0
1.21.0
1.20.0
1.19.0
1.18.0
1.17.0
1.16.3
1.16.2
1.16.1
1.16.0
1.15.1
1.15.0
1.14.2
1.14.1
1.14
1.13.1
1.13.0
1.12.0
1.11.0
1.10.0
1.9.1
1.9.0
1.8.0
1.7.0
1.6.1
1.6.0
1.5.0
1.4.0
1.3.0
1.2.0
1.1.0
1.0.0
0.13.0
0.12.0
0.11.0
0.10.0
0.9.0
Labels
Clear labels   
SSO

   
Third party

   
better for forum

   
bug

   
bug

   
documentation

   
duplicate

   
enhancement

   
future Vault

   
future Vault

   
future Vault

   
good first issue

   
help wanted

   
low priority

   
notes

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
troubleshooting

   
wontfix
No labels
SSO
Third party
better for forum
bug
bug
documentation
duplicate
enhancement
future Vault
future Vault
future Vault
good first issue
help wanted
low priority
notes
pull-request
question
troubleshooting
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/vaultwarden#2427
No description provided.