FreeBSD / Update / Security / Compatibility / Effort

I noticed

As an example:

The FreeBSD kernel 12.2

From October 2020 I could patch until
March 2022 (FreeBSD 12.2-RELEASE-p14).

So about 1.5 years without updating it to the
FreeBSD 12.3-RELEASE kernel.

(This version FreeBSD 12.2-RELEASE got leases so 1.5 years).


This means I must update the kernel about once per year,
or at least after 1.5 years, because otherwise nothing new can be patched?

It would be ideal if the same kernel received patches for at least 3-5 years.

Are my observations correct?


If I had only 1 PC it would not matter;
with 10-500, not anymore.





START:
FreeBSD 12.2-RELEASE Release Notes 12.2 (October 27, 2020)


END:
WARNING: FreeBSD 12.2-RELEASE-p14 HAS PASSED ITS END-OF-LIFE DATE.
Any security issues discovered after Thu Mar 31 02:00:00 CEST 2022
will not have been corrected.
 
You should patch your kernels (custom?) ASAP if they are affected by FreeBSD Security Advisories, and at the latest at EOL. No matter how many these may be.


Thanks for the hint.

It depends on various parameters.

Devices without internet are probably less affected,
or why the hurry?

Otherwise, the note when installing the software should be:

The product has expired after 1.5 years.
If you have a device that is TRULY not vulnerable to being hacked ...
And those devices do exist, typically in the embedded world, for example the controller in your dishwasher (refrigerators and ovens are commonly internet connected today) ...

Then why upgrade at all, ever? You build the embedded device software, test it, ship it, and then leave it alone. Forever. And if there really is a software upgrade needed (for example because customers are demanding a new wash cycle), then the developers are free to also upgrade the underlying kernel if it is advantageous. For example, I would not be surprised if my dishwasher were running FreeBSD version 4 right now, and that when the maintenance person comes by to fix something, it gets updated to version 7. It has no need to run 12.x or 13.x.

Now, for a general use machine (where someone is running a user interface, whether CLI or GUI), there is a real reason to upgrade: Namely to get new features, improve performance, or fix bugs. Again, the intelligent user can make a conscious choice whether to stay on an old version or to upgrade. There is nothing wrong with staying on an ancient version, if it satisfies the requirements of the user (obviously only if the machine is absolutely airgapped).

In practice, this is a completely theoretical argument anyway. In reality, I think very few machines that are not embedded are truly disconnected from the internet, and their vulnerability to hacking is a question of degree, not an absolute. Look at the Iranian centrifuges that were used for uranium enrichment: they got hacked. And in practice, any machine that has a human user will also have a network connection.

I think the real question is one of strategy: Is it easier to perform one great big upgrade every few years? Or many small upgrades every few weeks? My preference is for the latter. This is one of the strongest arguments in favor of FreeBSD: The process of upgrading is so easy and painless, and you end up with a system configuration that is close or identical to what a real distribution would be. It saves a lot of work not having to reinstall and reconfigure. I think my current main server was last installed with FreeBSD 9.X, and just got to 12.4 last weekend.
Very good explanation. Thanks.
 
FreeBSD's support / lifecycle is briefly explained here, directly linked on the homepage btw: https://www.freebsd.org/security/#sup

In a nutshell, minor releases don't have a predefined lifespan, they just go EOL 3 months after release of the next one. And they don't need to, because the ABI is kept stable, so upgrades to a new minor release are just as painless as applying new patches. What does have a guaranteed lifetime of at least 5 years is any stable branch, IOW, a major version.
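
An added example (not code from this thread or from the FreeBSD project) that applies the lifecycle rule just described to an inventory of version strings as printed by `freebsd-version -k`, so that an admin with 10-500 machines can see which ones are past the support window. The release date of 12.2 is the one quoted in the thread; all other release dates in the table are assumed for illustration, and the computed EOL is the rule-of-thumb lower bound, not the official date:

```python
import calendar
import re
from datetime import date

# Release dates for the example: 12.2's is quoted in the thread, the rest are
# assumed for illustration; check freebsd.org/security for the official schedule.
RELEASE_DATES = {
    (12, 0): date(2018, 12, 11),  # assumed
    (12, 1): date(2019, 11, 4),   # assumed
    (12, 2): date(2020, 10, 27),  # from the release notes quoted in the thread
    (12, 3): date(2021, 12, 7),   # assumed
    (12, 4): date(2022, 12, 5),   # assumed
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(RELEASE|STABLE|CURRENT)(?:-p(\d+))?$")

def parse_version(text):
    """'12.2-RELEASE-p14' -> (12, 2, 'RELEASE', 14); an unpatched release has patch 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FreeBSD version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4) or 0)

def add_months(d, months):
    """Calendar-month arithmetic; the day is clamped to the target month's length."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def eol_date(major, minor):
    """Minor: EOL 3 months after the next minor ships; last minor: branch's 5 years."""
    successor = RELEASE_DATES.get((major, minor + 1))
    if successor is not None:
        return add_months(successor, 3)
    return add_months(RELEASE_DATES[(major, 0)], 60)

def support_status(version, today_iso):
    """Return (status, eol_iso) with status in {'supported', 'EOL', 'untracked'}."""
    major, minor, branch, _patch = parse_version(version)
    if branch != "RELEASE" or (major, minor) not in RELEASE_DATES:
        return "untracked", None  # STABLE/CURRENT snapshots have no release EOL
    eol = eol_date(major, minor)
    status = "EOL" if date.fromisoformat(today_iso) > eol else "supported"
    return status, eol.isoformat()

def hosts_needing_attention(inventory, today_iso):
    """inventory maps hostname -> output of `freebsd-version -k` on that host."""
    results = {h: support_status(v, today_iso) for h, v in inventory.items()}
    return {h: r for h, r in results.items() if r[0] != "supported"}
```

Hosts reported as "untracked" run a STABLE or CURRENT snapshot, or a release not in the table, and need a manual look rather than being assumed safe.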
 