Messages

I mean, that's not what a straw man is? It is an implication though, and I think a fair one. It's a large project that people are trusting at their edge. It is good practice to have a mechanism to notify people of important security updates. I don't think this is controversial. And here we are met with "just subscribe to the announcement forum" which simply does not work predictably. I have provided multiple examples of email notifications failing to work on the forum -- and I have offered to help track them down. Yes, I and many others are capable of building my own tools to check for updates but the right thing to do is for the project to offer this, or at least have an official mailing list that works reliably. As I already posted before what are you going to do when there's a 0day? Hope people notice it on reddit? Hope they refresh their dashboard every day? You need a way to reach out in an official capacity besides posting on the forums. I'm not sure how GDPR is relevant here, it can still be opt-in.

Anyway regarding the announcement forum and email, I think the issue with forum subscription is that there is a backoff on topic notifications. If you do not actually click through and re-open the forum it will not send new email notifications for new topics past the one it already sent. So it may actually be that instead of spam filters. It would be better if the announcement forum didn't have this behavior probably.

For what it's worth, 24.7.6 also did not deliver email via the forum. I'd love to see the mailing list brought back.

Well each OPNsense uses this API for the Announcement Widget:

/api/core/dashboard/product_info_feed

It uses this link:

https://github.com/opnsense/core/blob/bd037cc6555b5953241760553cb72e6d6147d3da/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/DashboardController.php#L219

https://forum.opnsense.org/index.php?board=11.0&action=.xml;limit=5;type=rss2

Any tool that turns RSS into an Email for you could be used here. Even Outlook can subscribe to them.

Thanks -- that is useful to get something going for myself.

But the long term situation is scary. When (not if) OPNSense has a 0day, there is no way to even alert people running it. A notification engine should be a core feature of OPNsense. Monit is the closest thing we have to that right now. But in the absence of that there should at the very least be an official mailing list. That's how so many other projects work. To rely on the forum software for this is demonstrably not workable -- it doesn't even send emails properly half the time.

I really think security updates should be taken much more seriously. OPNsense needs a way to mass notify about security updates. This can be opt-in but it needs to be put clearly in front of admins when they install or first-run.

Email was delivered for 24.7.3, but not for 24.7.4. I wish there were a better mechanism than depending on forum software delivering email. I don't feel comfortable getting hotfix notifications this way. Surely there is a better method -- I would think security hotfixes and notifications would be very high priority

I think that's good evidence for email via the forum to not be the best way to deliver update notifications to admins. Is there a better method besides refreshing the dashboard all the time? Maybe a plugin that is more aggressive? Do critical security hotfixes get auto-applied?

Maybe since we already have monit, it can be an event in monit? I'm just spitballing here -- I'm honestly surprised the best we have is "subscribe to the forum but it may not arrive". I want security updates as quickly as possible.

Regarding the email itself, this would be the first and only time I had an expected email not delivered at all since I migrated to Fastmail. So maybe there is something fixable here that would benefit many others.

I did actually get the email for 24.7.1 just now. But the posts in the same thread for the other 24.7 releases never delivered one. Maybe something was changed?

I am subscribed to the announcements subforum. I got an email for 24.1.10, but never got any emails for anything in the 24.7 series. I am using Fastmail as my provider which has no issues with anyone that I know of -- this would be the very first. There is no evidence of it hitting my spam folder. If anyone at OPNsense is aware of deliverability issues to Fastmail I'd like to report it. If you're using O365 it should not be an issue.

I think it would be cool to have a better mechanism to notify users of updates, especially critical security updates, than to depend on the forum software. Maybe just a plain old mailing list? Or the system itself could email or notify the admin when it sees updates? I really want to know when hotfixes are released so I can apply them.