Shopware 5 End Of Life – Interview with safefive
August 2024 – and with it the "end of life" of Shopware 5 – still seems a long way off. However, experience shows that the deadline comes sooner than expected. Co-initiator Carmen Bremen reports in an interview on how the community initiative safefive can support shop operators in terms of security after the EOL of Shopware 5.
Would you like to briefly introduce yourself and the safefive team?
safefive has a total of four founders - three guys and one girl, so to speak the classic gender distribution in e-commerce 😀. We are Fabian Blechschmidt, Rico Neitzel, Tobias Vogt and me, Carmen Bremen. We all come from this e-commerce bubble, originally from the Magento environment.
We have been offering security updates for Magento 1 under the brand Mage One for three years now. When the official support for Magento 1 was discontinued in 2020, we more or less took over the baton and thus also made our first experiences with the long-term support of e-commerce software after the 'end of life'. And soon we'll be doing the same for Shopware 5.
Why did you decide to continue supporting Shopware 5 after the EOL?
Shopware 5 is a well-known German shop system and, along with Magento, also one of the most popular open source solutions. Shopware 5 is incredibly widespread, especially in the DACH region. Against this background, it was obvious for us to also offer long-term support for Shopware 5 after the EOL.
With the EOL of Magento 1, the original impulse at the time was that we ourselves still had customers with Magento 1 shops. We didn't want to leave them alone with this. This gave rise to the idea of simply continuing the support. That's actually how it began.
Because Magento 1 has not been supported for such a long time, we are all already on the road somewhere in other systems. I work a lot with Shopware 6, for example, and in this respect Magento 1 has long since been abandoned, especially from a developer's perspective, and is now only supported with regard to the security aspect.
Much of what we did with Magento 1 is transferable to Shopware 5. And it's actually nice that all this experience we've had with Mage One is not in vain, because long-term support as a project is limited in time. The duration is maybe five to ten years, and then all our knowledge is gone - that is, everything we have learned in this time about finding bugs or checking reported security vulnerabilities. That's a shame, but through safefive we can now continue to use that. I'm totally happy about that.
In fact, we have had many, many experiences that we did not expect. For example, we never thought that PCI would be an issue. And when it came, we didn't have any answers at first. For us, it's great that it's now continuing with the long-term support of Shopware 5, because it basically remains a security issue. And whether you try an SQL injection or whatever on a Magento or a Shopware shop, it doesn't matter in principle because the security holes are all similar or work in the same way.
Which services are your main focus with the LTS of Shopware 5?
With safefive, we continue to offer security updates for the shop system after the official end of support for Shopware 5. For this purpose, we provide a plugin that works according to the same scheme as the existing Shopware security plugin.
However, we will not be making any bug fixes to the system or developing any new features. Shopware 5 will therefore be a system that is being phased out, but which is and will remain secure even after the end of life thanks to safefive. This is exactly what matters to us.
In addition, we want to provide shop operators who use our services with more security information - for example, with regard to passwords: we can explain how often passwords should be changed, what makes a secure password or how long it takes on average to crack a simple password like "Hallowelt". Another example would be explanations of questions like "Why do hacker attacks actually increase so immensely at Christmas and how dangerous is that really?"
As already mentioned, however, security updates for Shopware 5 will be the main focus of our work at safefive. And security vulnerabilities have to be found first, of course. Through our work at Mage One, we already know in principle some common types of security vulnerabilities that we will be looking for specifically.
In addition, we will start a bug bounty programme. Shopware itself, unlike Magento, does not have such a programme. We are announcing this at short notice so that the programme can start in time for the official EOL of Shopware 5. This was also very successful with Magento 1, because many bugs were reported.
Shopware is also already receiving bug reports from agencies and shop operators. You can see this, for example, in the security updates that come from Shopware 5. This is another reason why we start communicating early with our Bug Bounty programme, because these active reporters from the Shopware community should of course be informed in good time.
Do you assume that the migration to Shopware 6 will still be a challenge for many shop operators?
Absolutely. Experience shows that such things always come suddenly, despite being announced ahead of time. It was similar in 2018, for example, with the GDPR coming into force. And the end of support for Shopware 5 in 2024 will also come as a surprise to many people. That's why we're announcing it now, so that it doesn't come quite so suddenly and merchants can prepare themselves. In principle, anyone who wants to relaunch Shopware 5 in view of the end of support must start planning now in order to be able to do so by mid-2024.
With safefive, we want to support those who cannot implement a migration in time for the EOL of Shopware 5. However, our business model is not designed to necessarily keep people in the old system. That's why the "safe" in safefive is spelled with an "f" and not with a "v": We want to secure, but not keep.
We assume that many will not have migrated by 2024. We know from Shopware itself that many affected shop operators are already actively asking what will happen after the end of support for Shopware 5. Shopware can already give these shop operators the answer that they can receive support from safefive as a third-party provider if required.
Some shop operators, for example, face the challenge that their shop will not have paid for itself by 2024 and they want to keep it longer. Others don't make it due to time constraints on the part of the agency or internal resources. Many agencies are completely overloaded with the amount of orders and some of the people are not yet as practised in handling Shopware 6 as they should be. What was built in ten years of Shopware 5 shops cannot be migrated in three years.
Migrating to Shopware 6 also means moving to a completely different technological system. Shopware 5, for example, has an incredible number of features. That is not the case with Shopware 6. That means it will be a feature downgrade for the time being. So anyone who switches from 5 to 6 will have to add a lot and develop a lot individually or hope for suitable plug-ins. And that's actually similar to moving into a new flat or a new house. You just have to think about what to take with you. And that also costs an insane amount of time and resources - also in the companies that have to decide which features they want to keep and which they want to build.
Therefore, an incredible amount of lead time is needed and I believe that many will not yet be able to realise a relaunch to Shopware 6 in 2024. With the Long-Term Support, safefive offers all those affected security and, above all, more time to tackle the migration in peace.
You are an official Shopware partner for the LTS of Shopware 5. In what way does Shopware AG support you?
I think it's great that we receive a lot of support from Shopware itself. We are extremely grateful for that, especially because Magento did not support us at all during the implementation of Mage One. We receive much more information and assistance through the strategic partnership. This makes working on safefive a lot of fun for us.
It all started in 2018 at a classic beer table conversation with the two Shopware CEOs Stefan and Sebastian Hamann. We've known them for a long time through our work in the community. We then joked around in the direction of "Yes, Shopware 5, we could take over the support there". And they said "Yes, definitely". After the conversation, however, we were left with the question "Yes, were they serious?" When we asked again later, we immediately got a clear yes and they assured us of their support.
If we need information or help from marketing or partner management, we can now simply approach the appropriate contact person at Shopware. Also when it comes to measures to make safefive known to Shopware customers. At DMEXCO, for example, we provided information cards that were displayed at the Shopware stand. Their sales team is also briefed with all the information about safefive and can provide customers with comprehensive information if they have any questions. The same applies to the partner managers.
In principle, the cooperation is a win-win situation for us and Shopware itself. I find Shopware to be a very human company that wants to be close to shop operators with its products. With the EOL of Shopware 5, the company faces the challenge of not simply leaving shop operators alone after the end of support. With safefive, we offer them the perfect solution for this, because we are close to the community and have a clear message to take away the shop operators' uncertainty: Shopware 5 remains safe even after the EOL. By supporting our project, Shopware shows that they care about their customers' concerns.
In return, we particularly benefit from Shopware mentioning us by name and providing us with first-hand insider knowledge. For example, we didn't know up to which version of Shopware 5 we should offer retroactive support. When asked, we immediately received a pie chart with the current version distribution. This helped us enormously with orientation. We also have the opportunity to get direct feedback from Shopware regarding questions on technical aspects. It's really great that we get so much help.
Are there already any thoughts about when the LTS support will be offered by safefive? Do you already set a time limit in advance?
We will offer support for Shopware 5 for at least five years. We noticed with the support for Magento 1 that the question about the support duration was one of the most frequently asked questions by shop operators. A clear answer to this question gives people planning security. That's why we decided early on that five years of support is definitely feasible and financially viable. And so we also guarantee five years of support for safefive and will then take stock of whether there is still a need.
What procedure do you recommend to shop operators who are interested in safefive's offer?
My first advice is to find out what it costs. Then you can theoretically book in advance. We are currently building the booking platform, which is estimated to be ready by the end of 2023. But the prices are already fixed and have been published on our website. This also serves the purpose of planning security, which the shop operators should have. After all, the costs are decisive for further action. Do I push ahead with the relaunch now or do I perhaps take on the expensive agency just so that I can finish? Or can I afford to stay on Shopware 5 for another year or two and carry out the relaunch in peace? That's why the prices are there now.
As with Mage One, safefive's prices are also turnover-dependent. The reason for this is that we also want to enable small shops to book this service. It is important that we only refer to the annual turnover of the online shop. If a shop operator also generates turnover in stationary trade, for example, this is of course not taken into account. After all, our service only refers to the online shop. If a shop operator decides to book our service in advance, the first invoice will be sent at the end of life in August 2024.
What is the best way for interested parties to contact you?
The best way to contact us is via our website. There is a contact form that you can simply fill out and send. We will also be on site at the Shopware Community Day on 25 May or at the Shopware Partner Day. You can meet us there in person. And of course we can also be reached via LinkedIn and Twitter.
About the person
Carmen Bremen is a freelancer (neoshops.de), developer for Shopware and Magento, speaker and part of the organising team of the MageUnconference and the Shopware Community UnConference. Carmen is also a co-founder of the LTS projects safefive and Mage One.
Published on 07.03.2023 | DR