Messages - franco

#1
The core version is shown 2 times in the health audit already. And the base/kernel don't follow it. That's what opnsense-update is for. And there are complications when people lock the core package or opnsense-update that would make this more wrong than it is now: it's correct from locally installed opnsense-update's version perspective.


Cheers,
Franco
#2
If you have the same set of rules in the new GUI, yes. If not you need to put all of them there first.


Cheers,
Franco
#3
Both work, but with 26.7 the legacy rules management GUI will be available as a plugin only. You can still use it but it won't receive any more feature updates and will eventually be removed although that could be 2-3 years from now.

So long story short: use Rules [new].


Cheers,
Franco
#4
Incidentally, "Version x.y.z is correct." was added to the health audit to avoid this particular question, but it seems that this hint doesn't always work as intended. :)


Cheers,
Franco
#5
Well at least if it's locked this works ;)

# opnsense-revert pkg

Ironically the segfault is from libcurl for which we have a workaround. And pkg already abandoned libcurl to go back to libfetch in more recent 2.x.


Cheers,
Franco
#6
26.1, 26,4 Series / Re: Upgrade went wrong
May 22, 2026, 05:48:58 PM
Orphaned means it couldn't load the remote repository for whatever reason. The check for update log would be much more conclusive.


Cheers,
Franco
#7
Hi Silke,

No problem at all. If the problem reappears let me know. Reordering the options wouldn't be an issue although in practice their order shouldn't matter since they are accessed by the boot code as needed.


Cheers,
Franco
#8
It was never needed and I recall no reports that it would have. It's the FreeBSD default we try to follow.

If it fixes your issue I'd appreciate a GitHub ticket and I can see how to offer this. It's not great to micro-manage this but if it fixes a real world issue that's ok.

https://github.com/opnsense/core/issues/new?template=feature_request.md


Cheers,
Franco
#9
I'd agree that USB serial consoles are fringe and reserved to actual serial over USB bus and definitely not emulated by Proxmox.

If the serial isn't working the settings for it are likely wrong. For VMs one mostly starts with a VGA image which doesn't have serial enabled.


Cheers,
Franco
#10
The issue isn't the versioning scheme per se. The issue is that releasing a proper version takes a lot longer than issuing a hotfix. Doing fewer hotfixes in business increases the release rate, but also slows the release timing down.

In the past we've done internal patch levels for the package sets we're publishing in business, but if core isn't patched there's nothing to attach a patch level to as a visible marker (also because git doesn't allow multiple tags on the same commit).

It's a luxury problem that needs some work to push through in order to avoid far worse alternatives like the one mentioned above.

Cheers,
Franco
#11
The whole CRL part of certificates is lackluster in design. OpenSSL even tries to verify a CRL for a certificate that doesn't have a CRLDP, because it doesn't have to be public. I get the trust aspect, but this is an impossible situation by design amongst other weirdness.

For OpenVPN it's better to roll local certificates from your own CA and use the revocation feature locally as well. It works like a charm. No cost, no extra management interface, no third party.


Cheers,
Franco
#12
There was https://github.com/opnsense/core/commit/8e80bf6c2007c1 but it doesn't change the behaviour as far as I can tell. The code is still the same.


Cheers,
Franco
#13
Reason TIMEOUT + FAIL is pretty fatal. I'm not sure why it would be failing, but it might be out of your immediate control. The information given in between (like a valid IP address) is bogus.


Cheers,
Franco
#14
The changelog for the plugin is always available from the firmware GUI plugins tab (and it does show the latest changelog before the update is carried out). Typically, minor plugin changes are not pushed to the normal (core-bound) changelogs.

We have some ideas to structure release versioning better in the future. The traditional model of releases isn't working so well anymore with weekly security issues and some reliability fixes especially on the business version.


Cheers,
Franco
#15
26.1, 26,4 Series / Re: 26.1.8 breaks NUT
May 20, 2026, 07:26:12 PM
2.8.3 is not the latest version.