Patching/Upgrading OpenSSL
-
I replied on the ticket but it's better here:
We're looking into a way to do that but the version numbers are controlled by the FreeBSD port versions and not directly by us. Unless the FreeBSD port gets bumped, then we'd have to maintain our own copies of the port with our own custom version numbers and so on (a nightmare to keep synchronized). That is, unless there's another mechanism in the PBI build process that lets us set an additional number to signify a change.
The version number of the pfSense packages did change.
The problem is that the version of (for example) haproxy didn't change.
-
I must be missing something about PBI. The entire idea of "lets bundle separate libraries for each package so that they are self-contained" simply goes beyond me. This is not what you should do for exactly the reasons like this - instead of a simple single system library update you now go and need to recompile tons of packages. Where's the benefit in pretending that runtime dependencies don't exist? Exactly the same reason why bundling (either untouched or modified versions) of libraries in the source code - instead of compiling against the system ones - sucks from security POV. Coming from the Linux world - this is just on par with Windows. I seriously don't get it.
-
Not a topic for this thread, but see the mess that was 2.0.x and before packages for reasons why PBIs are better. The problem is primarily packages stomping all over each other with different versions of things like perl, openldap, etc. Uninstalling one package could render another one (or the base system) broken. There haven't been any such problems with PBIs, the only drawback is the extra space and sometimes duplicated files. If you want to open a new debate on that, start a fresh thread.
-
Well, frankly said, stuff that cannot be compiled against and run with what's shipped with the base system, well… either needs to be fixed or - failing that - simply should not be packaged and distributed. That's pretty much it. (Simplified, but that basically is the deal. People do not want to end up with 3 versions of openldap, 5 versions of perl and 7 versions of openssl just because some package has bugs and noone wants to fix it. Cannot see how's this beneficial to maintainers either - look at what happened now...
(And yeah, debating PBI would be worth its own topic.)
-
It's not that simple or easy, but may get better in the future after 2.2. Back seat driving is easy, actual solutions not so much. Still off topic for this thread.
-
Packages should be OK now
What is the easiest way to verify that the version of 2.1.1 that we get from mirror sites contains the updates?
make sure to uninstall and then reinstall (not update) to ensure that it obtains the latest binaries.
"Uninstall"? Is that best done by wiping out the pfSense partition? (…after backing up the configuration, of course...)
-
Well, that "back seat driving" is with some 10+ years of hands-on experience with source-based distros, such as Gentoo. Meanwhile, to get back on topic - so what's up with the upgrade/reinstall? So, the ports version has not changed, so the package manager just ignores the changed PBI even though you bump the version in the XML? ??? :o
What is the easiest way to verify that the version of 2.1.1 that we get from mirror sites contains the updates?
"Uninstall"? Is that best done by wiping out the pfSense partition? (…after backing up the configuration, of course...)A total misunderstanding - you need (the not yet available) 2.1.2 to get the OS itself fixed! We've been just debating the optional packages.
-
Packages should be OK now
What is the easiest way to verify that the version of 2.1.1 that we get from mirror sites contains the updates?
make sure to uninstall and then reinstall (not update) to ensure that it obtains the latest binaries.
"Uninstall"? Is that best done by wiping out the pfSense partition? (…after backing up the configuration, of course...)
That is for packages, not the base system. The base system requires an update to 2.1.2 (coming momentarily)
-
Well, that "back seat driving" is with some 10+ years of hands-on experience with source-based distros, such as Gentoo. Meanwhile, to get back on topic - so what's up with the upgrade/reinstall? So, the ports version has not changed, so the package manager just ignores the changed PBI even though you bump the version in the XML? ??? :o
I don't recall the specific logic of the reinstall but the safest way to always ensure you have the correct version is to uninstall/reinstall the package. It's not worth splitting hairs over for something this important.
-
I don't recall the specific logic of the reinstall but the safest way to always ensure you have the correct version is to uninstall/reinstall the package. It's not worth splitting hairs over for something this important.
Just to be sure: If an update for the package is offered, I can install this directly. Or do I need to uninstall every package first?
-
-
Just to be sure: If an update for the package is offered, I can install this directly. Or do I need to uninstall every package first?
You need only uninstall the affected package and reinstall that one affected package. No need to reinstall all. Or just do a firmware upgrade in a bit when 2.1.2 rolls out and the packages will reinstall themselves.
Apparently the former is not safe (as in, it produces completely invalid results, like here).
That guy's invalid results aren't the fault of anything but his broken "testing" methodology.
-
Maybe the "Reinstall all Packages" Button should move to the Packages Section. So one can easily find it, push it if advised to and go for a beverage of choice afterwards…
-
That is for packages, not the base system. The base system requires an update to 2.1.2 (coming momentarily)
Oops. Sorry to waste time with that question. I know everyone there must be busy.
-
Maybe the "Reinstall all Packages" Button should move to the Packages Section. So one can easily find it, push it if advised to and go for a beverage of choice afterwards…
I'm not even sure whether the reinstall does really reinstall or what it does ATM and how that differs from uninstall/install and/or upgrade… Altogether, feeling highly uncomfortable with a package manager that seems to produce totally unpredictable results.
(The placement of the button goes totally beyond me and makes simply no sense.)
-
Hmm, am I missing something? The button is right there in the installed packages screen next to the package listing.
Steve
-
Hmm, am I missing something?
Talking about the Reinstall Packages button in Diagnostics - Backup/Restore
Click this button to reinstall all system packages. This may take a while.
-
Ah, I am missing something. ::)
Steve
-
Diagnostics: Backup/restore has a button to reinstall all installed packages.
-
Looks like 2.1.2 is up?