Is CE really slower with (security) updates compared to plus ?
-
@chrcoluk said in Is CE really slower with (security) updates compared to plus ?:
If I was a paid customer on plus, I would want free users to test the code for at least a few months first
This will become increasingly not possible as the feature sets in Plus and CE diverge. If you are going to put everything in Plus in CE first, then as Netgate why would you even offer Plus?
The whole idea is to offer different and more desirable features in Plus to encourage folks to pay for that option. Thus it stands to reason that over time less and less code will be shared between CE and Plus, so CE users can't be the test bed for Plus.
-
@bmeeks Oh I never said that, I am talking about code that is shared between the two.
-
@bmeeks said in Is CE really slower with (security) updates compared to plus ?:
If you are going to put everything in Plus in CE first, then as Netgate why would you even offer Plus?
That is exactly what Proxmox and OPNsense do.
-
@Patch said in Is CE really slower with (security) updates compared to plus ?:
That is exactly what Proxmox and OPNsense do.
Not sure I am understanding the connection to the current topic in your statement.
Neither Proxmox nor OPNsense are pfSense. In my mind, that's like saying McDonald's puts a toy in their Happy Meal; therefore every vendor should put a toy in whatever they are selling.
Each vendor has their own reasons for doing what they do. Netgate has decided how they want to develop and market pfSense CE and pfSense Plus. They have apparently chosen to add some features to just Plus only in what I assume is an attempt to make purchasing the Plus license more desirable (or buying a Netgate appliance that automatically comes with a Plus license).
Obviously they will benefit financially more from a Plus license purchase than they would from someone downloading and using a free copy of CE with the exact same features as Plus. If CE and Plus were exactly the same, then only an idiot would buy Plus. Therefore I expect Plus and CE to continue to diverge in fairly significant ways. Already one has Boot Environments while the other does not. I assume the new Multi-Instance Management will be a Plus-only feature. There are also certain crypto driver acceleration enhancements in Plus that do not exist in CE. I expect these differences to continue to expand over time.
-
I subscribe to Proxmox because it's the right thing to do. But also because it's an easy value proposition for me. I use it continually, the cost is reasonable.
-
You guys are having a real hard time staying on topic.
Security updates are not 'behind'. Done.
Feature/Release updates ... that is an entirely different discussion. One that is even more useless when you start talking about what proxmox, microsoft, red hat, or anybody else is doing.
Plus - promising some centralized management of multiple devices, maybe some 2 factor someday, ... actual guy to call/ticket to get assistance...
CE - normy home lab without enterprise multi-device management, probably no extra special auth options, no support tickets.
There is a page for this.
It really isn't that hard...but it is wildly off topic. I only add this additional off topic post because we as a community are wildly making things up in here.
-
@skogs said in Is CE really slower with (security) updates compared to plus ?:
Security updates are not 'behind'. Done.
Some security updates are not behind
@bmeeks said in Is CE really slower with (security) updates compared to plus ?:
Not necessarily. Some updates require new kernel code and that can only happen with an update to pfSense itself (such as a full version or sub-version upgrade).
Others not so up to date.
@bmeeks said in Is CE really slower with (security) updates compared to plus ?:
If you are going to put everything in Plus in CE first, then as Netgate why would you even offer Plus?
Because home lab CE can be used as a test bed for the enterprise version. That is a viable option
@Patch said in Is CE really slower with (security) updates compared to plus ?:
That is exactly what Proxmox and OPNsense do.
@bmeeks said in Is CE really slower with (security) updates compared to plus ?:
The whole idea is to offer different and more desirable features in Plus to encourage folks to pay for that option. Thus it stands to reason that over time less and less code will be shared between CE and Plus, so CE users can't be the test bed for Plus.
Which is why pfsense CE is EOL. Using the model Negate have chosen, open source pfsense is not maintainable and will die as that is what Negate actions indicate.
-
so light off topic answer regarding the usual (Proxmox) vs the Pfsense Model.
the original question regarding the updates was asked due to me considering switching from opnsense to pfsense which i decided to do now.
Mainly because of the faster security updates to pfsense compared to opnsense and the code pushed upstream by netgate.
and while the ui and ux of pfsense is one of the worst i have had yet to use and especially compared to opnsense is just hard to grasp i have a conspiracy theory why they do a "reverse model".
from a newbies perspective opnsense is pfsense with most of its premium features for free and a far far better ui and therefore an incomparable ux.
this is mostly possible due to pfsense pushing so much of its development upstream. and when it lands there opnsense can "just use it".
so if pfsense would use the normal (proxmox) model they would lose a huge part of the appeal.
since opnsense would be for many users the same features but with a far better experience.
and while i think the fact that pfsense is faster with security fixes and i also think it is really really nice that pfsense ui is also covered by their security patches it is not the deciding factor for most.
tl;dr: pfsense does it reverse to 'combat' opnsense (:
PS: i dont get why Stuff is where it is in the pfsense UI XD
i dont need fancy looks on a firewall gui but it has to be intuitive and legible.
the reason why i still not finished my migration is that i always need to search for everything in pfsense whereas in other products i can "just find it".
-> so suggestion @netgate maybe offer an alternate menu layout with a more mainstream/traditional sorting?
-
@DS_DV said in Is CE really slower with (security) updates compared to plus ?:
Hello lovely Community,
Background story:
i am in the process of upgrading my old Zotac ZBOX CI323 to a Protectli V1410 with coreboot.
Even tho my ZBOX started with IPFire i migrated to OPNsense due to a few Features i needed.
And even tho i find OPNsense GUI far more intuitive and easy to use i also don't have my firewall behind a router anymore and directly connect it to my ISP via PPPoE.
Tom from Lawrence Systems made a point that pfsense is much faster when it comes to CVE fixes and patches.
Which now brought me to the point where i want to switch to pfsense with the new Hardware (:
But i often read on various (seo/llm) Blog posts that CE is much slower when it comes to updates and patches.
Essentially you need pfsense plus if you need fast security updates and zfs (which i use on all of my systems).
tl;dr: is the CE really that much slower than the plus subscription?
with kind regards
+DS_DV+
It's almost been one year since the latest pfSense CE 2.7.2 was released on Dec 6, 2023... It would be nice to see the next CE release for the free/open source software users of pfSense.
-
More than just general questions about pfSense this thread is starting to look like spam for the other product.
The people that I work for will not apply a "patch" to any device in our system until things are fully vetted. It's that kind of policy that has kept the 30k+ employees from showing up to work only to be presented by that blue screen thing that happened recently..
Auto updates to a router are a bad idea in my book. The kind of thing I would fire people for if they instituted it into our equipment on their own accord. And I would be fired for allowing it. Of course you are free to your opinion on that matter and free to do what you want.. as long as you don't work under my employ..
I chose to use + here at my home shop because I want to help fund the work being done. The cost per year is trivial.. Most people in my state spend more than that a month on their lattes.. The $10 cost (paid annually) month is worth it to me. (that's the cost of a single 20oz latte at the bikini drive up down in town BTW.. )
I tried early on to help out on their forums over there but one of the primaries chose to publish the email address of another user for questioning the way they were at the time stealing code. The guy's question wasn't even accusatory in as much as he was questioning some things that had been brought up. Gave me instant heartburn for their project. I called the primary out on it and never went back. -full disclosure.
Off my soapbox now to do some really exciting boring stuff.
As always.. YMMV
-
If it's not broke don’t fix it. Right? Maybe it doesn’t need an update unless it is an emergency and with that said the patches area has more of the fixes for that
-
@JonathanLee said in Is CE really slower with (security) updates compared to plus ?:
If it's not broke don’t fix it. Right? Maybe it doesn’t need an update unless it is an emergency and with that said the patches area has more of the fixes for that
pfSense Plus has had two releases this past year, 24.11 and 24.03, meanwhile the pfSense CE users have been left in the dust since December 6, 2023 with the last 2.7.2-RELEASE.
It does look like CE 2.8.0 is 89% "complete" towards its release per its roadmap, so maybe we will see it come out before the end of the year.
-
@joshgreyz said in Is CE really slower with (security) updates compared to plus ?:
It does look like CE 2.8.0 is 89% "complete" towards its release per its roadmap, so maybe we will see it come out before the end of the year.
That’s optimistic imo redmine 2.8 & 25.1 search which can be contrasted with not 25.1 then target version 25.1 only
The pessimistic outlook is even more pronounced if you look at historical availability of snapshots.
-
@joshgreyz
Again we're off topic. Security updates. Period.
The other releases are mostly unrelated to what CE wants and needs. Only thing I can really think of is moving to new dhcp service...and that isn't exactly a severe security related thing just moving a very slight piece of the stack.
A large quantity of built in bsd vulns (of which there are few) don't exist here because they're compiled out - remember this is primarily a firewall/router that is designed to live in a hostile environment.
We're like 33 posts in and whining about release quantity. Specific patches are available when necessary, and they're available very quickly. Period.
@Patch yeah...development work is happening in areas that corp customers have been stating that are stoppers for a decade. Again...CE is not behind on security. You're measuring commits that include UI typos and saying that something that is completely unrelated to that is dead.
Moderators can we please lock this thread as it is literally just wandering in the desert complaining.