Please provide info on 'NetGate Development Path'

louis2 · Sep 20, 2023, 6:44 PM

Up to recently it was clear to me. There was the:

CE-edition;
the licensed edition;
the CE-development edition and
perhaps, for a short moment, a licensed development edition

Development and testing was concentrated around the "CE-development edition".

However the development path seems to have changed (my impression), from "CE-development edition" as the leading development path to "licensed development edition" as leading development path.

What ever, I would highly appreciate if NetGate could explain there actual development strategy and related which snapshots we can expect when. Related it would be nice to know why there are snapshots or why there are no snapshots :)

If my feeling that the "licensed development edition" is from now on the primary development line, I may want to switch from CE2.8x to Plus 23.09 ......

michmoor · Sep 20, 2023, 7:46 PM

@louis2 devils advocate..
Private company doesn’t need to release any details about their development cycle and/or product details.
That said. I would appreciate a more open communication approach from the company but that’s not something they do well if at all.
Don’t think you will get answers but I hope you do

SteveITS · Sep 21, 2023, 2:08 AM

@louis2 2.7/23.x was thrown off a bit because they changed PHP and FreeBSD versions at the same time. 22.09->22.11 was skipped. Otherwise they target 3 Plus releases per year (1, 5, 9). Like with 2.7 and 23.05.1 I’d expect a pair to release fairly closely. Otherwise I don’t think CE has a specific target(?).

JeGr · Oct 4, 2023, 9:16 AM

@louis2 Don't exactly understand popping a question without just having a look at the blog where we already had the posts to how Plus and CE differ, will have different release cycles etc.

Also wondering about a few takes here:

@louis2 said in Please provide info on 'NetGate Development Path':

Development and testing was concentrated around the "CE-development edition".

That already changed with Factory Edition becoming Plus years ago and was communicated widely.
Plus will be rapid release with 3 release targeted per year as Steve already said.

@louis2 said in Please provide info on 'NetGate Development Path':

perhaps, for a short moment, a licensed development edition

Wheres your problem in getting a plus-dev? Take a VM, test machine, whatever, install CE, upgrade to plus and switch on dev like on CE - tada you have Plus-Dev. We are running a dozen VMs of different pfSense versions and dev versions in the lab of our company to provide better support and insights, it's not exactly hard.

@louis2 said in Please provide info on 'NetGate Development Path':

What ever, I would highly appreciate if NetGate could explain there actual development strategy and related which snapshots we can expect when. Related it would be nice to know why there are snapshots or why there are no snapshots :)

Plans change and if dev-problems happen with certain components, drivers etc. you'll perhaps miss a month. The target for plus was 23.09 - but September is over so perhaps it will get early October but better then to release it on 09/30 and then have to ship multiple hotfixes and patches afterwards :)

@michmoor said in Please provide info on 'NetGate Development Path':

Private company doesn’t need to release any details about their development cycle and/or product details.

Maybe, but they have done so multiple times. If you don't read their newsletters, blogs, forum entries etc. I'm sorry but where else would those infos be posted? :)

@SteveITS said in Please provide info on 'NetGate Development Path':

@louis2 2.7/23.x was thrown off a bit because they changed PHP and FreeBSD versions at the same time. 22.09->22.11 was skipped. Otherwise they target 3 Plus releases per year (1, 5, 9). Like with 2.7 and 23.05.1 I’d expect a pair to release fairly closely. Otherwise I don’t think CE has a specific target(?).

It was a bit more complicated but yeah. 22.09 got delayed to 22.11 first as the switch to OS and PHP was too large. Then too many errors kept popping up even back in Oct/Nov last year so they made the decision to scrap the 3rd release and concentrate on 23.01 which they delivered. With multiple fixes you could say 23.05(.01) was the then final version of the OS switch to FBSD14 and CURRENT tree and as that release was ready, CE was brought up to the same versions so cross updates could again work smoothly.

So no hidden/dark magic happening here.

@michmoor said in Please provide info on 'NetGate Development Path':

I would appreciate a more open communication approach from the company but that’s not something they do well if at all.

I support that sentiment. Communication was a bit better ~2y ago but then it got a bit more silent. But nonetheless, you can get all those informations by reading forum, newsletters and blog posts they do, it would only be nice if they communicated a few things more "pro-actively" and open. That would indeed be very nice :)

Cheers

michmoor · Oct 4, 2023, 7:25 PM

@JeGr said in Please provide info on 'NetGate Development Path':

Maybe, but they have done so multiple times. If you don't read their newsletters, blogs, forum entries etc. I'm sorry but where else would those infos be posted? :)

Its not just about the way you communicate its also about what you communicate. For example, I am also a Palo Alto customer. Every now and then they will release a security advisory about some aspect of their system where there is a high-numbered CVE. The latest example is CVE-2023-38802 which is a vulnerability in the FRR daemon that Palo Alto firewalls use.
Why cant Netgate release security bulletins about this in either blogs, newsletters or forums? If a package is available in your repo and there is a CVE attached to it then its your job as a security company to alert your customers. This is a pretty clear example of the failure to communicate which shouldn't be an issue but it is for some reason.
Its obvious that Netgate views the "pf" as its main responsibility which is fair. If that's the case then either educate your customers about security problems in freebsd ports or dont offer them at all. This is a binary decision to make.

SteveITS · Oct 4, 2023, 7:32 PM

@michmoor There is a mailing list signup at
https://www.netgate.com/security
which links to page
https://docs.netgate.com/advisories/index.html

I don't speak for Netgate obviously, but I seem to recall cases where something has been brought up in forum and it doesn't functionally apply to pfSense for one reason or another, such as the attacker needs to be authenticated on the router or something along those lines (i.e., it's not like 5 people run programs on it).

michmoor · Oct 4, 2023, 7:45 PM

@SteveITS Hey Steve,
Im aware of those links provided.
In the specific case that i mentioned, its a problem with FRR not specifically with the firewall itself.
It's a problem that impacts any security appliance that is running FRR hence the Palo Alto security bulletin i mentioned.
Nevertheless, this is about outreach - communication to customers. A better job needs to be done. Not only will this address the OPs concerns but it helps overall in the awareness for your customers.

edit: Its also possible that other vendors are on a different version of an FRR port that may be vulnerable and pfSense is totally safe.
Still doesnt take away that a bit more of a proactive approach to positive engagement is certainly welcomed.