Release notes
-
Wow, that's only not helpful but not really up to date. Those github sites only show one change in the last 3 days where there have been at least 8 updates.
How are we to trust a system that has such secrecy. Documentation is most of the job for a professional programmer. I know this project is mostly volunteer, but there should be more to the task than just the 'fun stuff'. How does anyone, except the insiders, know what is done? How do we know there isn't some embedded code that provides security leaks for hackers? Who are these people that keep code changes so secret? Shouldn't we know their backgrounds before trusting our data to them? Are the PFsense coders vetted properly and by whom? Seem like a goldmine for the NSA or Russian hackers to become a coder for PFsense.These are legitimate concerns. After all, we have a firewall for security purposes. Help me to understand what I am getting into here. Where is the documentation?
-
HUH ????
click link look at commits not that hardand this https://doc.pfsense.org/index.php/2.4_New_Features_and_Changes
-
what are you on about?
documentation about what? you can list every commit on every branch if you'd wish. read up on GIT
redmine provides a list op open/pending/closed bugs for yearsrelease notes don't get updated often because there are no releases, just alpha/beta builds that get generated automatically without much human interaction
-
I am on about security. Isn't that why we deploy a firewall.
Click what links. No links found in this thread show what changes have been made per update release. All just general info on what changes have been made. I see 2-3 updates a day. These changes are not reflected in any of these links. How do I know what changes were made today. Where is that info? Am I missing something?
-
If you cannot follow Redmine and the GitHub commits, then perhaps you shouldn't be using unreleased stuff. People have more important things to do than maintaining perpetually changing "release" notes for unreleased alpha/beta stuff.
-
My intention was not adversarial so sarcasm is irrelevant. Nor was my attempt to cast aspersions on any coders working on this project. I can read redmine and github just fine. As an example, there was an update between 10PM last night and 6 AM this morning and there were no new entries in Github or Redmine. So where can I find changes made in this release. That is all I asked.
Also I don't see any comments about the security risks of who's involved in this project. Doesn't that bother anyone or is everyone that trusting. Personally I do not know any of them or their backgrounds. They seem like very intelligent people, but so are the many hackers out there. Is there a list somewhere of the coders for this project with their backgrounds and affiliations? If not, there should be.
-
The code is all either from the FreeBSD base system - source all freely available to look at online, or in the various GitHub repos under pfsense. The build is triggered at intervals, and will run due to any change - so I expect if you were to look through the repos you will find something that changed (maybe stuff in ports?) and the builder noticed that and did its thing.
The pfsense GitHub is managed by ESF and it is their people who have the write access to make changes. People can freely make pull requests, but they are reviewed before being committed. All code changes are in public view, so anyone can review them and point out any security or other issues.
As others have said, the Beta snapshot builds are just that - builds for testing. There are not updated release notes with every build potentially every few hours. Formal release notes are done when an official release is made.
-
Ok then I will ignore the updates until an official release is done. How do I know which build is the 'Official' one? Is the build number posted somewhere as to which is the Official release? Also, when I see an entry in the redmine 'Resolved/Closed' list, how do I know which release that change pertains to? You all make it sound like I am not 'getting it' but where are the build numbers? I have very carefully read all the github and redmine lists but I have no idea what build or release they apply to. It really is not that clear. Then when I see a change that I want to try, how do I get that release, or which release is it? See my point, I hope.
-
Ok, I guess I am making this way more complicated then it needs to be, or no one is understanding my question.
It all boils down to this question for me.
If I see a Resolved/Closed item in Redmine, does that mean the current build will reflect that change?
That means I can wait until I see an issue is resolved that affects me, then update.Also, it slightly bothers me that no one addressed my security concerns. Almost like no one has a clue. That is concerning.
-
What security concerns? All the stuff is on GitHub. WTF. There is no secrecy, people simply do not have time to write your release notes for testing builds not intended for production use. You can perhaps hire someone who's gonna do the legwork for you, follow github 24/7 and write you the relnotes.
:o ::)
-
Your response puzzles me as sarcastic as it was.
So I guess there is no way to tell what fix or feature goes with what. Pretty unprofessional if you ask me.
-
$ cat /etc/version.{buildtime,lastcommit} Fri Dec 02 19:20:25 CST 2016 26be03d73c1e358441ec89ad1e5e4f95d05fdef1
There. Everything up to that commit is there. Now, move and look it up @GitHub/Redmine.
(I'd rather not get into the "unprofessional" debate, since it'd get unprofessional pretty fast, you're starting to piss me off. We need coding/bugfixing and not nightly build changelogs.)
-
Stop…...feeding.......trolz.........
-
ok, let me ask it again.
If I see a Resolved/Closed item in Redmine, does that mean the current build will reflect that change?
Seems I hit a nerve with doktornotor. Let me explain and justify my comments. Unless PFsense is meant as a consumer game, there needs to be some accountability in a business environment. I have placed PFsense Netgate Enterprise products in many businesses that expect a certain level of security. Many of which are financial or medical related and are mandated by government rules to provide such. I only use current stable releases on those systems and test the dev builds on my own test systems. This is why the security issue is important and should be for any commercial application.
-
If I see a Resolved/Closed item in Redmine, does that mean the current build will reflect that change?
IF code is modified that is related to a resolved/closed ticket, then that is picked up, the NEXT time the automated builder runs.
Seems I hit a nerve with doktornotor.
no you haven't … you are on the right path to reach the nerve endings
Enterprise products in many businesses that expect a certain level of security. Many of which are financial or medical related and are mandated by government rules to provide such. I only use current stable releases on those systems and test the dev builds on my own test systems. This is why the security issue is important and should be for any commercial application.
documenting experimental builds does not increase security in ANY way.
Release notes are only there to provide an overview of closed/opened bugs and/or new features. They don't provide security.
-
Thanks. That answers the builds question.
My concern for security was based on who's allowed to make code changes, not anything to do with the dev version.
-
Redmine issues have a "Target version" field. While an issue is awaiting resolution, that is the future version that it is hoped the issue will be resolved in. Once the issue is resolved, the Target Version is set to the actual version that the issue [is|will be] released in.
For example, issues resolved recently have Target Version set to 2.4 - because they will be in the next official release, which will be called 2.4.
2.4 is currently in BETA. The particular snapsht build that an issue resolution appears in is not recorded in Redmine. That is because the snapshot builds are not intended for production use, unless you have a particular need for some fix/feature and also have the in-house resources and know-how to track what is happening in real-time on GitHub, understand the code, do your own testing, make an informed decision about what build to install, and be willing to resolve unexpected stuff.
Formal releases are announced on the blog, and in the Forum (up in the top forum section) and on various social media. Those are typically made every 3 to 6 months (it depends on the need for urgent security patches,…). Those are what is recommended for production, and those have a full set of release notes.
-
Thanks. That answers the builds question.
My concern for security was based on who's allowed to make code changes, not anything to do with the dev version.
Any PR's are first examined and discussed, only then is the PR accepted and pulled. It would not be possible for some unknown security issue to sneak in to the core. I submit a few PR's and mine usually get held up because of format errors! So it is not easy to just get anything accepted.
-
Good to know, thanks
-
More info…
https://www.freebsd.org/doc/en_US.ISO8859-1/books/dev-model/committing.html
Here is where the commits to FreeBSD are listed:
https://freshbsd.org/