Force/limit core version during pakfire upgrade

I wonder, is it possible or maybe a new feature to limit core number during pakfire upgrade runs?

Call me over carefully, but I would prefer to stay 1 or 2 core numbers behind.

Yes i know core updates offer security improvement. But I prefer a stable system rather than the latest bleeding edge core.

Don’t get me wrong, i am very thankful for all the hard work.

Greetz

I understanding staying a core update behind. I usually update my system right away but I’ll wait a Core Update to update family firewalls.

I am not sure I understand your feature request. Could you give an example or offer additional details??

Thanks for your reply.

I am looking for something like a pakfire option to force a core level.

For example I am running core 170 and the latest core is 181.

I would like to upgrade the system only to 179 to stay 2 versions behind.

I am asking because I schedule a half year update on some remote sites. This include driving, imaging and updating.

Because I have to manage the remote sites, it may be a desaster if I had to drive back for error fixing.

This is the security reason for my setup to stay some core numbers behind. Because I hope this are well tested versions to guarantee the quality of service in my setup.

Greetz

I understand your strategy of staying a few core versions behind in your IPFire setup for increased security and stability. However, I’d like to address a critical point regarding updates when multiple versions behind: Pakfire upgrades each version sequentially. This increases the risk of software issues during the process.

For instance, upgrading from core 170 to 181 involves Pakfire sequentially processing each version in between. This procedure is automatic, moving from one version to the next. While you might be aware of this, I’m sharing it for the broader audience who might benefit from this information.

To update to a specific, slightly outdated core version, I think the following console commands could be used:

pakfire update
pakfire status # Outputs a summary about available core upgrades, updates and a required reboot
pakfire install -y core-upgrade-XXX
pakfire status

In this command, XXX should be replaced with the target core version number. The -y option facilitates a non-interactive installation.

This doesn’t work. Option install is for paks. Option status shows installable upgrades only.

I was not sure about this. I had a look at the source code but I could not figure it out. Thanks for clarifying my wrong suggestion.

So any geeky hackish ideas?

Greetz

Hacky ideas - yes we have those! But a hacky way is not necessary an easy way!

1) Do backup:

• https://wiki.ipfire.org/configuration/system/backup
• copy backup to separate external drive (e.g., USB thumb drive)

2) Download preferred Core Update:

• https://mirror1.ipfire.org/releases/ipfire-2.x/

For you this is CU 179 near the bottom of the downloads page.

3) Rebuild your IPFire device

4) Restore the backup

• https://wiki.ipfire.org/configuration/system/backup#restore
• using the separate external usb drive

Done!

Well well, this is some kind of hackish. Thank you!

For family firewalls I delay my updates instead of staying a version or two behind.

Using the current update as an example:

• Core Update 181 was release on Nov 23
• I did not update family firewalls (yet)
  • I just watched the comments and concerns
  • if something I feel is bad happens, then I may skip a release
  • for me this has only happened twice in 50 core updates
• Core Update 182 had a testing release on Dec 5.
• Around Dec 12 I finally updated family firewalls to CU 181.

Note: the above is not the best example since there was a fast turn around between CU 181 and CU 182.

So I delay the current update until the next test version is released.

Hope this helps!

EDIT: Just for the record. I update my own firewall the day of release (but sometimes a day later).

For what it’s worth, after a bad experience I second the approach of @jon.

Releases sometimes go wrong. Sometimes, catastrophically wrong, and not only in IPFire.

Update often update soon means to be aware and take the necessary time to update… themselves, before update devices.

exactly, that’s why I always mirror the current disk on a second hard disk before doing the update. It is too painful to fix the firewall if something goes wrong. I prefer to do the extra work and be able to downgrade just swapping the hard disk.

It looks like there is no common solution.

What do you think of this:

The ipfire team is scheduling a fixed calender when a new core will be realesed. At best for one year ahead.

This would give me the possibility to plan my updates to achieve what i am looking for.

Greetz

I personally don’t think that this is viable.

There are too many variables for decide a schedule to deliver updates. Sometimes a gamebreaking vulnerability appears, sometime the bugfix needs… more cooking time to be well done (pun intended).

The only thing I can suggest you is to wait at least two/three weeks before install any update, and to a manual install, not a scheduled one. You can download the file at release, but upload it manually only when you’re “done” about stability safety and issue-free release.

The ipcop team doesn’t work on IPFire_

Does IPCop team still working? I have no trace of that.
If anyone is willing to share a link…

I would say, no.

With all due respect… Michael is not the primary source.
https://sourceforge.net/p/ipcop/mailman/ipcop-announce/
Last announcement was in 2015.

of course. Based on the authoritative source you have referenced, the project is dead. As Michael said.

Now the status of IPop is clear ;). Can we return to the topic, please?