Time to modernize core?



  • Hi, everybody.
    I'm relatively new to pfSense, so I'm grateful for it being free and supported. Yet, I'm quite surprised that core pfSense is using so ancient core packages such as php 5.6!
    When talking about security the usual mantra is as alway "keep up to date"! The why is pfSense stuck to such an old PHP version? According to php.net, V 5.6 will reach its end-of-life on December 2018.
    By then will, Netgate/pfSense hurry up and catch pace with a more reasonable PHP version?
    Same argument for FreeRadius! Abandoning support, for example, for FreeRadius Version 2, and still stuck to MySQL 5.6???

    Thanks everybody


  • Galactic Empire

    @caraffandee said in Time to modernize core?:

    Hi, everybody.
    I’m relatively new to pfSense, so I’m grateful for it being free and supported. Yet, I’m quite surprised that core pfSense is using so ancient core packages such as php 5.6!
    When talking about security the usual mantra is as alway “keep up to date”! The why is pfSense stuck to such an old PHP version? According to php.net, V 5.6 will reach its end-of-life on December 2018.

    Freeradius 3 is available as a package



  • Well, yes, I know. Nevertheless, FreeRadius is an "official" pfSense package (while, for example, MySQL is not). And FreeRadius3 is supporting (only???) MySQL 5.6 (latest stable 8.0!) and PostgreSQL 9.5 (with version 11.0 about to become latest stable!).
    Or maybe, there is a way to use such latest versions which I'm not aware of? Then, why not integrate them into core?
    Anyway, as already said, thanks every body for the great job!


  • Rebel Alliance Developer Netgate

    We are hard at work upgrading PHP to 7.2 for pfSense 2.4.4. Even a cursory glance of the commit log would show that if someone looked. There are lots of issues with syntax changes and deprecated things we have to work through. Some packages are making that more difficult as well.

    It isn't as easy as flipping switches or changing version dependencies. These changes have impact and must be carefully handled and tested.

    As for dependencies like mysql and postgres, they aren't officially supported so we don't go out of our way to build them. They get whatever the latest version of the client is in FreeBSD ports that has been marked as stable/default.



  • Yes, yes, Jimp. Let's make it clear. I really do appreciate your hard work. I'm not complaining.
    I'm just wondering, that's all.
    I know that pfSense doesn't support packages like mysql or postgres and if somone wants to use them, he/she should go the "FreeBSD" way. I know. But FreeRadius3, which is pfSense package and claims SQL support, is still stuck at old SQL servers versions.
    Anyway and biside that, well done, Guys! Thanks!


  • Rebel Alliance Developer Netgate

    @caraffandee said in Time to modernize core?:

    FreeRadius3, which is pfSense package and claims SQL support, is still stuck at old SQL servers versions.

    It gets whatever the current quarterly FreeBSD ports tree decides is default/stable. If you don't agree with what FreeBSD has as the default versions, you can raise that upstream. We don't support those aspects of the package officially, so there is no incentive for us to go out of our way to force the package to use a newer version.

    What MySQL or Postgres claim is their most current "stable" version does not always translate to "stable" in practice for all users, so FreeBSD tends to be conservative there.



  • @jimp said in Time to modernize core?:

    Even a cursory glance of the commit log would show that if someone looked.

    Jim, caraffandee opened his first post with "I'm relatively new to pfSense" and 6 posts so far don't make him a "board general".
    It might seem old-school but sometimes a question is just a question and not meant to blame. ;-)



  • @jahonix
    Thanks, Jahonix. That's the point, you've got me correctly. I didn't mean to blame anyone, I've said it from the very beginning, I was just asking:

    @caraffandee said in Time to modernize core?:

    Or maybe, there is a way to use such latest versions which I’m not aware of?

    Sorry if I may have give the impression of blaming anyone, but IMHO even newbees like me should be allowed to ask if they have doubts.

    Thank you again for your work.


  • Galactic Empire

    @jahonix said in Time to modernize core?:

    Jim, caraffandee opened his first post with “I’m relatively new to pfSense” and 6 posts so far don’t make him a “board general”.
    It might seem old-school but sometimes a question is just a question and not meant to blame.

    I'm not sure what's wrong with JimP's response?

    However, here's what I noticed. Asking a question is fine. But OP's approach is call to action with statements like:

    When talking about security the usual mantra is as alway “keep up to date”! The why is pfSense stuck to such an old PHP version?

    By then will, Netgate/pfSense hurry up and catch pace with a more reasonable PHP version?

    Time to modernize core?

    So that's not really just a question. Asking what's the plan with PHP version update is good, but please do it in less inflated way.

    @caraffandee said in Time to modernize core?:

    Sorry if I may have give the impression of blaming anyone, but IMHO even newbees like me should be allowed to ask if they have doubts.

    I'm not sure why are you implying that you somehow weren't allowed to ask questions.



  • @ivor said in Time to modernize core?:

    I’m not sure what’s wrong with JimP’s response?

    To everyone not in the development loop of pfSense (aka a newbie) this reads as: "Look in the repository, idiot, we're working on it."

    Not blaming, only trying to translate perspectives.


  • Galactic Empire

    Disagree, I suggest you re-read @jimp's responses.


  • Rebel Alliance Developer Netgate

    @jahonix said in Time to modernize core?:

    To everyone not in the development loop of pfSense (aka a newbie) this reads as: “Look in the repository, idiot, we’re working on it.”
    Not blaming, only trying to translate perspectives.

    That wasn't exactly my intention. I was drawing attention to the fact that development of the project was being criticized by someone who did not take any time to look at the development of the project.

    Everyone is free to rant about whatever they like or dislike, but you can't expect to phrase a post in a critical way with zero supporting evidence and not receive a defensive response when the major point(s) are easily refuted with even basic research.


Log in to reply