Should I consider upgrading via pkg-ng repos?


  • Hello. Rather noobly with pfSense. I've been using it for several years, but now I'm seeing that pkg-ng is being used with repos for pfSense. I'm on pfSense 2.3.2 (latest stable version available). But from the CLI I get this:

    [2.3.2-RELEASE][root@firewall]/root: pkg upgrade
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up-to-date.
    Updating pfSense repository catalogue...
    pfSense repository is up-to-date.
    All repositories are up-to-date.
    Checking for upgrades (4 candidates): 100%
    Processing candidates (4 candidates): 100%
    The following 4 package(s) will be affected (of 0 checked):

    Installed packages to be UPGRADED:
            pfSense-pkg-openvpn-client-export: 1.3.11 -> 1.4.1 [pfSense]
            pfSense-pkg-RRD_Summary: 1.3.1_2 -> 1.3.2_2 [pfSense]
            openvpn-client-export: 2.3.11 -> 2.4 [pfSense]

    Installed packages to be REINSTALLED:
            scponly-4.8.20110526_2 [pfSense] (options changed)

    Number of packages to be upgraded: 3
    Number of packages to be reinstalled: 1

    The process will require 4 MiB more space.
    10 MiB to be downloaded.

    Proceed with this action? [y/N]:

    So is it expected that we do updates from pkg-ng between updates of pfSense itself?

    If a package that pfSense uses had a serious security flaw, would we see a revision of pfSense itself just for that one package, or are we supposed to maintain pfSense from the GUI and pkg-ng?

    I can't seem to find these answers from the FAQ or searching the forums…


  • Security and other updates to pfSense base and the ports that it uses are all made available through the update system that appears in the GUI or option 13 of the console. So when there is a security patch, it gets pulled into the relevant part of the FreeBSD-ports etc. repo for pfSense and appears as an update.

    There should be no need (and it will mess up the normal process) to do "side-loading" of updates from other places.


  • As far as I know the GUI update is using the pkg-ng update/upgrade functionality and there is hardly anything else it does other than show the status of updates and offer to update/upgrade. Using 'pkg update; pkg upgrade' should be equivalent to using the GUI update function unless I'm missing something.


  • @kpa:

    As far as I know the GUI update is using the pkg-ng update/upgrade functionality and there is hardly anything else it does other than show the status of updates and offer to update/upgrade. Using 'pkg update; pkg upgrade' should be equivalent to using the GUI update function unless I'm missing something.

    So I thought that what you said is exactly how it would work. Except from the CLI with 'pkg update; pkg upgrade' it is asking me to allow some updates, while from the GUI it says I'm running the latest version (2.3.2-RELEASE-p1). That's why I asked the question. It is not as trivial as I thought it would be.

    Since pfSense is effectively an "appliance like" OS, I'd expect the OS to maintain itself and tell me when updates come out (i.e. 2.3.2-p2, 2.3.3, etc.) but the pkg-ng aspect kind of adds a layer of uncertainty to it. Even more so because this is a security device. If this weren't used in a security appliance, I'd be totally fine ignoring pkg-ng updates and letting the GUI handle it all. I just wanted to be sure I'm covering all of the bases.

    Thanks!


  • Version upgrades such as 2.3.2 to 2.3.3 are not going to be done with 'pkg update; pkg upgrade' as far as I know because pkg doesn't quite know how to update its own repository configurations. The pkg updates are for minor updates, security fixes etc.
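
Added example (not part of any post in this thread, and not pfSense project code): a read-only way to see which package changes `pkg` considers pending, so they can be compared with what the GUI reports before deciding anything. It parses the output format shown in the first post; `pkg upgrade -n` is pkg's dry-run mode, the sample text is constructed from that transcript, and the function names `sample_output` and `pending_changes` are hypothetical.

```shell
#!/bin/sh
# Added example: list what pkg would change, without installing anything.

# Constructed sample in the format of the transcript in the first post.
sample_output() {
cat <<'EOF'
Checking for upgrades (4 candidates): 100%
The following 4 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
        pfSense-pkg-openvpn-client-export: 1.3.11 -> 1.4.1 [pfSense]
        pfSense-pkg-RRD_Summary: 1.3.1_2 -> 1.3.2_2 [pfSense]
        openvpn-client-export: 2.3.11 -> 2.4 [pfSense]

Installed packages to be REINSTALLED:
        scponly-4.8.20110526_2 [pfSense] (options changed)

Number of packages to be upgraded: 3
Number of packages to be reinstalled: 1
EOF
}

# Reads pkg output on stdin and prints one tab-separated line per change:
#   ACTION  package  old-version  new-version  repository
pending_changes() {
    awk '
    /^Installed packages to be [A-Z]+:/ { action = $5; sub(/:$/, "", action); next }
    /^[ \t]*$/ { action = ""; next }          # blank line ends a section
    action != "" && /^[ \t]/ {
        repo = "-"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\[.*\]$/) repo = substr($i, 2, length($i) - 2)
        if ($3 == "->") {                      # "name: old -> new [repo]"
            name = $1; sub(/:$/, "", name)
            printf "%s\t%s\t%s\t%s\t%s\n", action, name, $2, $4, repo
        } else {                               # "name-version [repo] (reason)"
            printf "%s\t%s\t-\t-\t%s\n", action, $1, repo
        }
    }'
}

# Default: parse the embedded sample. With --live, parse a real dry run.
if [ "${1:-}" = "--live" ]; then
    pkg upgrade -n | pending_changes
else
    sample_output | pending_changes
fi
```

Every pending change in the transcript comes from the `pfSense` repository and is an add-on package or one of its dependencies, which the repository column makes easy to see at a glance.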