Time keeps on slipping into the future.

techpro2004

I understand that there is a lot to do for the 2.5 release but I am relatively new to pfsense (got onboard at 2.4.2) and am wondering if major updates like this one usually take this long. Also will there be another 2.4.x release while they are getting 2.5 ready. 2.4.4p3 was released in May and there have to have been new threats since then. 308 tickets seems like a lot are some of the minor ones going to be delayed for 2.5.1 or 2.5.2 Thanks.

Gertjan

@techpro2004 said in Time keeps on slipping into the future.:

... this one usually take this long

Oh, yes.

@techpro2004 said in Time keeps on slipping into the future.:

.... new threats since then

that impacts pfSense in a way security of your LAN's or pfSense was compromised ?
Well, ok, yes, there was that video from a month or so ago that stated that if you had the login and password, and attacking with them from a LAN, you could gain access ... (no yoke).

Such issues would be addressed right away, and a p4 would show up.

Understand that 2.5.0 should have to work for the majority of the more then 100 000 thousand of installs. With all the new features and the thousands of configuration differences.
Netgate will not gain much when 2.5.0 is perfect .... and loose everything when it isn't.

Btw : been here since 1.x .... and believe me, you don't want to upgrade your firewall with every (minor) change.

There is a way to speed up things : use 2.5.0 dev yourself, and feedback any issues and comments.

techpro2004

I hate to be one of those "Are we there yet?" people but when is a realistic time frame for release of 2.5.0. Thanks.

jimp

No ETA still. We have a bit of work ahead of us as we need to move from 12.0 to 12.1, and a number of OS-level bugs to address that were issues still on 12.0 (which hopefully 12.1 addresses some of them...). There are 116 issues waiting on feedback for 2.5.0, which also doesn't help.

techpro2004

Thanks Jimp. While I understand you can not give an exact eta, how about a rough idea ie: q4 2019, q1 2020, q2 2020, etc. thanks

kiokoman

I start collecting bets, i say q4 2020 / q1 2021

techpro2004

I just realized that the current build of pfsense is based on freebsd 11.2 (https://docs.netgate.com/pfsense/en/latest/releases/versions-of-pfsense-and-freebsd.html#id1). According to (https://www.freebsd.org/releases/) 11.2 reached it's eol in June of 2018. We are all running obsolete software. Jimp that rough Idea sure would be helpful right about now. Thanks.

jimp

We are aware, but it's only as unsupported as we let it be. We can backport anything we need if we have to.

We're not making any promises on dates, that only leads to trouble. Even rough estimates.

KOM

@techpro2004 EOL doesn't mean it's going to explode. It means no new patches. If something big happens before the release of 2.5.0, they will likely issue a 2.4.4-p4 with backported fixes as JimP already mentioned. JimP has already told you what he can about release dates. Being pushy about it won't get you any farther.

techpro2004

So who decides what is important enough to get backported? No one knows my network and what it needs like I do and I am sure the same goes for anyone with a router out there as well.

KOM

How is your network special as compared to the thousands of others that pfSense services? To answer your question, Netgate themselves would determine that based on the severity of any reported issue.

techpro2004

Every network is special as they all have different hardware and uses running on them. Who determines what is most severe as every threat impacts every network differently ie: threat a acts on program/service b. I run program b but you use program c.

jimp

Netgate makes that determination based on what parts of FreeBSD are present and used on pfSense. There are frequently SA/EN announcements for things which have no possible relationship to pfSense (kernel drivers we do not include or build, modules we do not build, base system components we do not build or ship, components which cannot be enabled in any way in pfSense, etc).

Most things you hear about are not relevant to a firewall/appliance type role, but only endpoints. People still kick and scream about some of them, so they get patched, even if they aren't relevant for most (e.g. PTI, MDS)

techpro2004

I see, you backport everything for components that are actually in pfsense. that makes me feel better then picking and choosing ie: rejecting patches that apply to the system but are deemed not important enough.

KOM

Netgate isn't going to pump out 2.4.4-p4 just because there was an update to the man page for the tar command, for example. Only issues that affect the security of the system would be considered for backporting.

techpro2004

Right, issues that affect security but all issues that affect security no matter how minor they are deemed