opnsense / ports

OPNsense ports on top of FreeBSD
https://opnsense.org/

Please release haproxy26 v2.6.9 for the v23.1 series #168

Closed Arnavion closed 1 year ago

Arnavion commented 1 year ago

https://github.com/opnsense/ports/commit/e047a71176ceadddf4e4d711cfb549f5ae17e788 happened two days ago and 23.1.1_2 has been released today, but the haproxy26 package in the repo is still v2.6.8. I just wanted to make sure you're aware that v2.6.9 is needed because it has the fix for CVE-2023-25725. Could you please build and upload v2.6.9 to the 23.1 package repo?

In general how long does it take between when the package definition is updated here in the ports repo and when the updated package is uploaded to the package repo?
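The question above comes down to a concrete check an operator can run themselves: is the installed haproxy26 package still older than 2.6.9, the version the reporter says carries the fix for CVE-2023-25725? The script below is an added example, not code from the issue or from the OPNsense project. It parses `pkg info`-style output (the `name-version  comment` line format is an assumption about that tool, and the sample text is constructed, not captured from a real host), handles FreeBSD version suffixes such as `_1` port revisions and `,1` epochs, and reports any package below its minimum fixed version. The only package/version/CVE pairing in the table is the one stated in the issue.

```python
"""Flag installed FreeBSD packages that are below a known fixed version."""

# Constructed sample of `pkg info` output (assumed format: "name-version  comment").
SAMPLE_PKG_INFO = """\
haproxy26-2.6.8                Reliable, high performance TCP/HTTP load balancer
openssl-1.1.1t,1               TLSv1.3 capable SSL and crypto library
os-haproxy-3.11_1              OPNsense HAProxy plugin
"""

# Minimum fixed versions. The haproxy26 entry is the one stated in the issue
# (2.6.9 fixes CVE-2023-25725); extend this table from your own advisories.
MIN_FIXED = {
    "haproxy26": ("2.6.9", "CVE-2023-25725"),
}


def parse_version(ver):
    """Split a FreeBSD-style version into (epoch, numeric parts, port revision).

    Assumed layout: X.Y.Z[_REVISION][,EPOCH]. Epoch dominates, then the dotted
    numbers, then the port revision, so tuple comparison gives the right order.
    """
    epoch = 0
    if "," in ver:
        ver, epoch_str = ver.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in ver:
        ver, rev_str = ver.split("_", 1)
        revision = int(rev_str)
    # Non-numeric components (e.g. "1t") are treated as 0 so comparison never raises.
    parts = tuple(int(p) if p.isdigit() else 0 for p in ver.split("."))
    return epoch, parts, revision


def parse_pkg_info(text):
    """Map package name -> version string from `pkg info`-style lines."""
    installed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        token = line.split()[0]
        # The last '-' separates the package name from its version.
        name, _, version = token.rpartition("-")
        installed[name] = version
    return installed


def vulnerable_packages(text):
    """Return (name, installed, fixed, cve) for each package below its fixed version."""
    installed = parse_pkg_info(text)
    findings = []
    for name, (fixed, cve) in MIN_FIXED.items():
        current = installed.get(name)
        if current is None:
            continue  # package not installed, nothing to report
        if parse_version(current) < parse_version(fixed):
            findings.append((name, current, fixed, cve))
    return findings


if __name__ == "__main__":
    # On a real host you would feed in the output of `pkg info` instead.
    for name, current, fixed, cve in vulnerable_packages(SAMPLE_PKG_INFO):
        print(f"{name} {current} is below {fixed} ({cve})")
```

Pipe real `pkg info` output into `vulnerable_packages` to check a host; a `_1` port revision of 2.6.9 counts as fixed, while 2.6.8 with any revision does not.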

fichtner commented 1 year ago

You can build yourself if you need it. This is open source. 😊

the usual target for such things is the next stable, so 23.1.2. There is no faster timeline and it isn’t slow either.

Arnavion commented 1 year ago

> There is no faster timeline and it isn’t slow either.

Does this mean that in general CVEs will not be resolved until the next stable release?

fichtner commented 1 year ago

I'm not sure what you are asking? When will be the next release of a software release?

Arnavion commented 1 year ago

Linux distributions update packages without needing a new release of the whole distro. Therefore even if I'm on Linux Distro version x that was originally released with HAProxy v2.6.8, I nevertheless have HAProxy v2.6.9 now because the distro updated the package repos of version x to have HAProxy v2.6.9, because the Linux distro values fixing CVEs in the packages it maintains in its package repos.

It sounds like you're saying that OPNsense will not update packages in its releases even for CVEs, and only the next OPNsense release will have updated packages. I'm asking you to confirm or deny that.

AdSchellevis commented 1 year ago

> Linux distributions update packages without needing a new release of the whole distro. Therefore even if I'm on Linux Distro version x that was originally released with HAProxy v2.6.8, I nevertheless have HAProxy v2.6.9 now because the distro updated the package repos of version x to have HAProxy v2.6.9, because the Linux distro values fixing CVEs in the packages it maintains in its package repos.

Most do their own release engineering including backporting to some degree (depending on what the last supported major release is).

> It sounds like you're saying that OPNsense will not update packages in its releases even for CVEs, and only the next OPNsense release will have updated packages. I'm asking you to confirm or deny that.

Just check our change logs and you know how this works for minor releases https://docs.opnsense.org/CE_releases.html , it's considered a bit rude pointing to how others work with seemingly missing the details of that operation.

Arnavion commented 1 year ago

> Just check our change logs and you know how this works for minor releases https://docs.opnsense.org/CE_releases.html

I already read the changelogs of every update when I install them. In any case, I don't see anything in that link or the links for the series inside it that is the answer to my question. Again, my question is:

> It sounds like you're saying that OPNsense will not update packages in its releases even for CVEs, and only the next OPNsense release will have updated packages. I'm asking you to confirm or deny that.

I just want a simple Yes/No answer to my question.

> it's considered a bit rude pointing to how others work with seemingly missing the details of that operation.

There was no rudeness anywhere in my posts.

fichtner commented 1 year ago

I would like to know what time to ship you find acceptable. The approach here baffles me a little.

Arnavion commented 1 year ago

I myself find it baffling that:

a) The OS maintainers don't care about CVEs in the packages that they ship for their OS.

b) The OS maintainers refuse to answer a simple yes/no question about how they handle CVEs in their OS packages, despite being asked multiple times.

c) The OS maintainers counter-attack the question-asker by calling them "rude".

I hope you treat your paying customers better than this.

Anyway, I'll assume the answer to my question is "Yes." And this discussion doesn't seem productive so I'm going to bow out.

fichtner commented 1 year ago

You can answer my question or let me wish you a great weekend. But you can’t have both. 😉

fichtner commented 1 year ago

It's all pretty simple: I said 23.1.2 and a release date hasn't been set. It's being discussed on Monday. But today we did decide to do this in 22.10.2 for Monday already so I'm not sure what the expectation is here... miracles on a weekend and blaming the middleman for being too slow or careless.