Feature #9389

closed

More frequent package repo updates needed

Added by John Silva about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 03/10/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

I've been noticing that the release package repo lags far behind the quarterly ports tree releases and the official ports tree.

For example, on the 2.4.4 release the Telegraf package is stuck at version 1.6.3 from the 2018Q3 branch and is almost a year old. The port was upgraded to 1.7.4 in the 2018Q4 quarterly and 1.9.0 in the 2019Q1 quarterly, yet it still lags behind the current 1.9.3 from the official ports tree.

This means that without significant manual effort to track and pull bug fixes and security patches into the release tree, vulnerabilities in older, less popular software can languish for a significant amount of time between official pfSense releases. A year between updates is simply too long a release cycle in today's environment.

IMO it would be a substantial improvement to both feature availability and vulnerability management to either track the quarterly ports tree updates in release deployments or provide an option for the administrator to select which quarterly ports tree release they wish to use.

I realize that one can switch to the devel branch, but because this tracks changes to the base system it isn't necessarily appropriate for more stable environments. This forces administrators to choose between stability and currency, and there is no middle ground.
Tracking the quarterly ports tree releases offers a middle ground between stability and currency that doesn't exist today.

Actions #1

Updated by Jim Pingle about 5 years ago

  • Status changed from New to Closed
  • Priority changed from High to Normal

Sounds good on paper, but doesn't work in practice.

We can't automatically track a branch because a base system package could get upgraded and potentially break due to an upstream change. We have to manage it manually.
