Is pfsense slowly but steadily dying?
-
Okay, well that indicates that perhaps the project is more alive than I thought - which is excellent because I really like pfsense.
But I also agree that maybe there should be some more frequent and less massive releases.
Are we talking a year or two before 2.1 goes stable release?
Regarding this forum it was only an observation. I'm certainly in no position to expect anything from the developers and hardcore users.
-
I follow the project looking on github:
https://github.com/pfsense/
And I can see that there is development of pfsense and packages 7 days a week. There are changes on Saturday and Sunday. I don't think that is common on other projects, is it?
And if I remember correctly it was intended to implement FreeBSD 9.0 on pfsense 2.0.x but FreeBSD had some problems and it didn't make sense to use it for pfsense. So they went to FreeBSD 8.3 and took the big step to implement IPv6. And it makes no sense to release a product which contains just half of IPv6 just to get out a new release faster. Some functions need more time than others.
-
We're one of the most active open source projects in the world, and the #1 most active open source firewall distro. With a company behind it that's added 3 more full time staff in the last 6 months and continues to grow every year. Far from dying, things in 2013 are moving faster than they ever have.
2.1 is days away from RC1, and if we released it today it would have fewer open bugs on it than any release we've ever put out in our 8.5 year history. We've had the equivalent of more than one full time person on open source development alone this entire year.
By every measure, we're growing, doing more than we ever have before, and continue to do so. Any impression otherwise just isn't backed up by reality in any way, shape or form.
-
Shouldn't a forum like this be swarming with experts and devs?
It is.
The bulk of what happens on the project today is done by people on our payroll. I pay people dozens of hours every month to help people here for free. The rest of the time they have to do things people actually pay us to do or we would have died long ago, rather than thriving. As with any open source project, there are more people who need hand holding than we could ever possibly accommodate. Experts are always in high demand on every forum, and newbs who won't even read the FAQ are always in significantly higher supply. This forum is no different than any other similar one, in fact there are a lot of great expert volunteers here who make it better than many in that regard.
Want guaranteed response, all the assistance you want, and a direct line to the experts? See the support link in my sig. Otherwise, you get what people have time for, which on every Internet forum in the world is hit and miss.
-
Hi cmb
Thanks for the pep-talk :-) You have convinced me that nothing is dying. Not that I had that feeling. But after reading this question I did stop up and wonder and had to read the posts in here.
BR. Anders
-
That is very good news from the source itself.
I can only express my deepest admiration for the product you have created so far. Kudos
-Keyser
-
What is needed is dedicated dev and test environments. Any changes required first need to be done in a dev environment to ensure it works. Not just for the core pfSense build but also for packages that are introduced into pfSense OR being patched/updated. Once the development is done move it to the test environment for at least a few days to undergo rigorous testing before it's stamped as good for production.
Today packages are being updated on the fly and pushed to public without undergoing proper testing. Just doing offline testing or testing on the developer's machine does not guarantee it will work for everyone.
In my opinion, everyone is doing a great job but pfSense has reached such a global scale now that it is in need of Quality Control for both the core and packages.
-
You should always keep in mind that the package system is an addon. It is not a main part of development.
Of course there are packages which are maintained by the pfsense core team but not all.
It could be a possibility to separate the packages which are maintained by the core team and others which are maintained by forum users and/or external developers.
-
@cmb:
This forum is no different than any other similar one
I have to disagree with that, in a positive way.
This is by far the best on-line community I have ever been involved with. Almost everybody here seems to be relatively polite and appreciative. Most other forums seem to degenerate into useless arguing at the drop of a hat. The last complaint thread I read the poster even politely labelled it 'rant'. ;)
Steve
-
This is by far the best on-line community I have ever been involved with.
Agreed. Many times I will bring non-pfsense issues to the 'general discussion' forum here even before posting to the appropriate forum. The knowledge, willingness to help and etiquette here are fantastic.
-
cmb already answered most of this, but there are a few things I thought I'd chime in on:
From the outside it could seem coordinated development is slowly stalling - I mean the 2.1 release has been a long time coming, and it seems much further away now than it did 6 months ago.
How did you reach that conclusion? There are many commits every day on the repository, and activity in the ticket system - all can be seen at http://redmine.pfsense.org/activity/
We have also released 2.0.2 about three months ago, and 2.0.3 will be out as soon as we can sort out the pending OpenSSL issue. 2.1 is taking a while because IPv6 is no small task, and adding it (and the many other features in 2.1) introduced or exposed other things that need fixed.
We have more contributed pieces of code now than ever as well, since the move to github made it much easier for people to contribute.
I think you're right. The thing that is worrying me is that the core elements like IDS/IPS are not working and cause a lot of issues. Furthermore, it seems like people are mending things all the time instead of doing it right the first time.
Snort is a package, not "core element" – it may be core to you, but it's not core to the project in the sense that it is part of the base system. With a package like snort we can never win. If we keep it up-to-date, people complain that the rules are broken for non-subscribers or that changes introduced something they didn't expect or changed behavior. If we keep it stable, people complain that it isn't up to date. Snort is working right now, but the official rules for non-VRT-subscribers don't work because those rules run on a 30-day delay. That is completely irrelevant to our package, really. It works fine with the Emerging Threats rules.
Maybe it's the lack of info from the core team that makes it frustrating, but things are always one or two generations of FreeBSD behind when released.
We have to be a generation or two behind FreeBSD because we desire stability, and our code/patches take time to adapt, test, and stabilize. If we updated whenever FreeBSD released, we'd never have releases since we'd always be working on patches. We tried targeting FreeBSD 9.x for pfSense 2.1 but it just was not viable at the time, and now it's too far along in the release cycle. We might be targeting FreeBSD 10.x for pfSense 2.2 if it's viable.
Also the time it takes for fixes to get into the binaries is frustrating. Here I am thinking of Snort. Wasting a lot of time at admin level to get it working and when someone like Bmeeks steps up to the plate and does it, it can take a week before the package is updated. Not good enough nowadays imho!
Again, snort is a package and has -zero- to do with the base system code or updates. We have submissions for changes to snort from several sources, but the quality of the code isn't always up-to-par. Time does not always allow for us to make regular changes to the packages unless there is an outside force, such as rule formats being obsolete, and that is usually better anyhow because it keeps the package stable. If a community member contributes changes, and the code is good, we happily accept the contribution.
Okay, well that indicates that perhaps the project is more alive than I thought - which is excellent because I really like pfsense.
But I also agree that maybe there should be some more frequent and less massive releases.
Are we talking a year or two before 2.1 goes stable release?
Did you miss 2.0.1? 2.0.2? and the pending 2.0.3? We have been putting out fairly regular releases, at least one per year the last few years, and 2.0.3 is only going to be a few months after 2.0.2, and 2.1 will be shortly after since, as cmb mentioned, it will be RC1 very shortly.
What is needed is dedicated dev and test environments. Any changes required first need to be done in a dev environment to ensure it works. Not just for the core pfSense build but also for packages that are introduced into pfSense OR being patched/updated. Once the development is done move it to the test environment for at least a few days to undergo rigorous testing before it's stamped as good for production.
Today packages are being updated on the fly and pushed to public without undergoing proper testing. Just doing offline testing or testing on the developer's machine does not guarantee it will work for everyone.
In my opinion, everyone is doing a great job but pfSense has reached such a global scale now that it is in need of Quality Control for both the core and packages.
That may be a nice thing to have in the long run, but that would take years to develop a testing platform capable of doing unit testing on the system to handle even a majority of common functions. There is no way we can feasibly reproduce every possible configuration combination and test interactions on that scale. We test what we can, and in some cases, it doesn't matter if we ran it in a lab environment for days, we'd be unlikely to find issues that users would spot in seconds just because there are millions of different ways to configure the system and we can't feasibly test them all. I'd love to see some automated testing, and that is definitely on our radar, but it's not a cure-all and will never find every potential issue.
As for the forum, as my post count shows, there are some of us who are on here practically every day helping where we can. If I don't respond to a thread it's usually because (1) others are already handling it, (2) it's a common question answered in the FAQ/docs or something I feel could be handled by others, (3) It's a complex topic that I could answer, but do not have the time to devote to a forum post about, or (4) a general lack of time. For #3/#4, the best choice is to reach out to commercial support, but I don't post that in such threads because I don't want to be too spammy (my signature is enough for that… :-)
And the community we have here is great, no doubt about that!
-
Aren't you supposed to be on holiday Jim? ;)
Steve
-
I was, Mon/Tue. Back now :-)
-
We might be targeting FreeBSD 10.x for pfSense 2.2 if it's viable.
Based on anecdotal evidence from the FreeBSD mailing-lists and forums, it seems that 10.x works pretty well as a router / firewall, e.g.
http://lists.freebsd.org/pipermail/freebsd-net/2013-March/034984.html
carp regression in 9.1 ?
Eugene M. Zheganin emz at norma.perm.ru
Mon Mar 18 11:10:31 UTC 2013
On 18.03.2013 14:23, Damien Fleuriot wrote:
I'm afraid I can't afford 10.x, this is for production, although I acknowledge the problems you're faced with.
Regarding 8.x, this is a guest VM running on proxmox 2.3 which doesn't support stock 8.x (need the virtio kernel option, I'll get a thread reference when I hit work).
This is of course up to you to decide, but I feel like I should
encourage you - 10.x isn't that scary as it seems to be. I also run it
on a production (though my production may be not as harsh as yours), -
this is a main router for a LAN consisting of 500+ machines, it also
runs a squid proxy with 200+ active users (AD integrated, winbind,
kerberos and stuff) and a HFSC traffic shaper. Plus, a bunch of routing
protocols - ospf, ospfv3 and a load of network services like
SMTP/HTTP/DHCP. Plus, it's a zfs installation.
At least, after upgrade from 9.1-STABLE to a random -CURRENT I didn't
notice any degradation, only improvements. I had all of your fears right
before the upgrade, none of it became real.
-
That sounds promising, but then we thought 9.0 was as well but there were issues with some of our patches, and some other things that were introduced. The diversions in pf on 10.x and newcarp and such may make it more difficult to adapt our code to run there, but it will happen in due time. There is a massive amount of work that goes into adjusting everything for a new version. People seem to have a misconception that it's just a matter of changing the compile target and poking at it a bit. If only it were really that easy…
-
But shouldn't you change YOUR code to match the 10.x release and not the other way round? Otherwise we will see things difficult to mend and update??
-
But shouldn't you change YOUR code to match the 10.x release and not the other way round? Otherwise we will see things difficult to mend and update??
That's exactly what I said. We have to change our code (patches, mostly) to work with 10.x. Some things in 10.x will require massive adjustments in our code to let them function.
But that's really a topic for another thread.
-
Sorry mate! I read it the wrong way :D
Enjoy your easter!
-
I love PfSense and I'm telling everyone that I know about it. I'm using it in a lot of applications that prior to the project I would have used a Cisco Router. I will be making a donation today! Thanks PfSense for all the hard work that you do.