The problem appears to be that updates to packages are put in a repository which is used by the released software which includes the tools for updating packages just like on almost every similar platform, creating a POLA violation.
This is made worse by the fact that most packages can be safely updated. I've been updating packages for years and only recently found one to be problematic (netifd).
Even worserer is that the idea of not updating packages only occurred to me when I came here and -after jumping all the hoops to find the forums, sign up, navigate to the right place, browse, find the relevant thread, find the relevant posts, try to check the authority of the poster, etc. - read a thread or two on the subject.
The best solution is not obvious, but as currently released and documented, it should be expected that all good admins will find out how to update and do so (and probably fix any problems they encounter while doing so). Some relevant discussion in Opkg upgrade safeguards?
I'm trying (really hard) to make sense of what is written in this thread and might need some help from those of you more knowledgeable.
I have a D-Link DIR-860L-B1 that is currently running 18.06.1 and was about to upgrade it to 18.06.2, but I do have a few extra packages installed:
(during the initial installation I added)
Or, should I backup my actual config, flash the new 18.06.2 by removing everything, then install all the packages again, as new, and put the configuration back? I hope this won't be the case, it'll be overkill and I'll need to bring down the network, get the router, prepare it and install it back (it's not in my possession ATM)
Assuming that the packages are "well behaved" (and your list appears to be), the configuration (if any) will be preserved by sysupgrade. You can check what is preserved with sysupgrade -l and add to it, if needed, by editing /etc/sysupgrade.conf
During a ROM upgrade, any packages you previously installed after flashing are wiped out when the overlay is reset. While the saved config is restored, the "binary" packages are not.
After you upgrade, you can install new versions of the packages you added using opkg, if they are not already present in the ROM you flashed. If there's already a version in the ROM, it is not recommended to upgrade it.
As with any upgrade, preserving your config in a safe place (off the router) is highly recommended.
Or custom assemble or build your own ROM with the packages you need. (I'm guessing you only have 3G connectivity to the router, so without those packages, no Internet access to the device.)
I'll get the router and prepare it, I just need to understand first (need to go through the detailed changelog) what are the exact vulnerabilities (if any) I'll close with 18.06.2 and if it's worth/urgent enough.
No, the 3G is just configured for failover, no modem inserted in the USB socket for now. Accessing it is actually worse, I only can get to it through openvpn, which obviously runs on it
I am guilty of upgrading packages. I now want clean 18.06.2 install.
I checked my config files for 18.06.1. I need the following files. My plan is to do a sysupgrade with a clean config then copy over my old pertinent files that I need manually (not to restore the entire backup config) OR hand edit the files to incorporate previous changes. What will happen to my opkg upgraded packages? Will this work or do I need a factory install?
/etc/config files
dropbear
openvpn
firewall
wireless
ddns
dhcp
network
system
Files for openvpn
option ca '/etc/easy-rsa/keys/ca.crt'
option cert '/etc/easy-rsa/keys/myrouter.crt'
option key '/etc/easy-rsa/keys/myrouter.key'
option dh '/etc/easy-rsa/keys/dh2048.pem'
Your backup files look fine. Most of them will be backed up by default (no need to specify files in /etc/config).
You don’t need to re-flash the router if you’re already on 18.06.2. You can simply run firstboot on the command line. This will erase all files and restore the configuration to that of the original image in ROM. Then restore your backup and you should be good to go. You’ll need to use opkg install to add any packages that are not part of your original image (such as OpenVPN, unless you have a custom image that includes that and other packages of interest). Just don’t use the opkg upgrade for anything and you’ll be golden.
This script writes out the set of installed packages (to /etc/config/opkg.installed), then a different option can read that list back in after upgrading your firmware to restore your previous packages.
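The script referred to above is not shown in the thread; the following is an added example (not that script, and not OpenWrt project code) of the same idea. It works out which packages were added on top of the flashed image by comparing opkg's two status files, /usr/lib/opkg/status (the current overlay) and /rom/usr/lib/opkg/status (the ROM), writes the names to a file under /etc/config so sysupgrade keeps it by default, and prints the opkg install command needed to bring them back after flashing. The status-file paths are OpenWrt conventions; the two status files used at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example: record the packages installed after flashing so they can be
# reinstalled after a sysupgrade. Not the script mentioned in the thread.
# Assumed OpenWrt paths:
#   /usr/lib/opkg/status      - package database of the running overlay
#   /rom/usr/lib/opkg/status  - package database of the flashed image

# Print the "Package:" names of an opkg status file read on stdin, sorted.
package_names() {
    sed -n 's/^Package: //p' | sort -u
}

# Print the names present in the overlay status file ($2) but absent from the
# ROM status file ($1): exactly the packages opkg install added after flashing.
user_added_packages() {
    rom_list=$(mktemp) && overlay_list=$(mktemp) || return 1
    package_names < "$1" > "$rom_list"
    package_names < "$2" > "$overlay_list"
    # -x whole-line match, -F fixed strings, -v keep lines NOT found in the ROM list
    grep -vxF -f "$rom_list" "$overlay_list"
    rm -f "$rom_list" "$overlay_list"
}

# Save the list to a file; /etc/config/opkg.installed is the conventional
# choice because sysupgrade preserves /etc/config without extra configuration.
save_package_list() {
    user_added_packages "$1" "$2" > "$3"
}

# Build (but do not run) the reinstall command from a saved list, so the admin
# can review it first and run "opkg update" beforehand.
reinstall_command() {
    # shellcheck disable=SC2046  # word-splitting the list into arguments is intended
    echo opkg install $(cat "$1")
}

# --- constructed sample data standing in for the two real status files ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/rom_status" <<'EOF'
Package: base-files
Status: install user installed

Package: dropbear
Status: install user installed

Package: luci
Status: install user installed
EOF

cat > "$SAMPLE_DIR/overlay_status" <<'EOF'
Package: base-files
Status: install user installed

Package: dropbear
Status: install user installed

Package: luci
Status: install user installed

Package: openvpn-openssl
Status: install user installed

Package: luci-app-openvpn
Status: install user installed
EOF

# On a real router the calls would be:
#   save_package_list /rom/usr/lib/opkg/status /usr/lib/opkg/status /etc/config/opkg.installed
#   reinstall_command /etc/config/opkg.installed
save_package_list "$SAMPLE_DIR/rom_status" "$SAMPLE_DIR/overlay_status" "$SAMPLE_DIR/opkg.installed"
echo "packages added after flashing:"
cat "$SAMPLE_DIR/opkg.installed"
echo "to restore after sysupgrade:"
reinstall_command "$SAMPLE_DIR/opkg.installed"
```

Because the list is derived from the ROM's own status file, a package that the new image already ships is still listed if it was absent from the old image; check the printed command against the new image's package list before running it, in line with the advice here not to upgrade anything the ROM already contains.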
Assume that I install 18.06.2 and run it for a while. A couple of months later I decide that I really do need to be using TLS encryption with luci, so I install the luci-ssl package, but that package almost certainly won't match the version of the other luci packages that were included in the original installation. As pointed out upthread, it's a crapshoot whether such a version mismatch will cause problems or not.
You can see that the installed luci packages are version 19.020.41695.
What version of luci-ssl is available in the repo?
root@OpenWrt:~# opkg update
(...)
root@OpenWrt:~# opkg list luci-ssl
luci-ssl - git-19.046.40869-30d9bc0-1 - LuCI with HTTPS support (mbedTLS as SSL backend)
If I install luci-ssl, I will get version 19.046.40869, which is a later version than the rest of the luci packages.
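The mismatch described above can be caught before installing. The following added example (not from the thread or from OpenWrt) parses the "name - version - description" lines that opkg list and opkg list-installed print, pulls the LuCI snapshot id (the YY.DDD.SSSSS field of a git-YY.DDD.SSSSS-hash-release version) out of each, and reports whether a candidate package was built from the same snapshot as the LuCI packages already installed. The installed lines are constructed (hashes replaced with zeros); the luci-ssl line is the one quoted in the post.

```shell
#!/bin/sh
# Added example: compare the LuCI snapshot of a package offered by the repo
# against the LuCI packages already installed, before running opkg install.

# Constructed stand-in for: opkg list-installed | grep '^luci'
INSTALLED_LUCI='luci - git-19.020.41695-0000000-1
luci-base - git-19.020.41695-0000000-1
luci-mod-admin-full - git-19.020.41695-0000000-1
luci-theme-bootstrap - git-19.020.41695-0000000-1'

# Line quoted in the thread from: opkg list luci-ssl
CANDIDATE='luci-ssl - git-19.046.40869-30d9bc0-1 - LuCI with HTTPS support (mbedTLS as SSL backend)'

# LuCI versions look like git-YY.DDD.SSSSS-<hash>-<pkgrel>; the second
# dash-separated field identifies the source snapshot the package came from.
snapshot_of() {
    # $1: full version string, e.g. git-19.046.40869-30d9bc0-1
    printf '%s\n' "$1" | cut -d- -f2
}

# Version column of an "opkg list" style line ("name - version[ - description]").
version_field() {
    printf '%s\n' "$1" | awk -F' - ' '{print $2}'
}

# Distinct snapshot ids of the installed LuCI packages ($1 = list-installed
# output). A consistent installation prints exactly one line.
installed_snapshots() {
    printf '%s\n' "$1" | awk -F' - ' '/^luci/ {print $2}' | cut -d- -f2 | sort -u
}

# Return 0 if the candidate line ($2) was built from the same snapshot as every
# installed LuCI package ($1); 1 if it differs or the installed set is already mixed.
candidate_matches() {
    cand_snap=$(snapshot_of "$(version_field "$2")")
    inst=$(installed_snapshots "$1")
    set -- $inst   # one positional parameter per distinct installed snapshot
    [ $# -eq 1 ] && [ "$1" = "$cand_snap" ]
}

if candidate_matches "$INSTALLED_LUCI" "$CANDIDATE"; then
    echo "candidate matches installed LuCI snapshot $(installed_snapshots "$INSTALLED_LUCI")"
else
    echo "snapshot mismatch: installed $(installed_snapshots "$INSTALLED_LUCI" | tr '\n' ' ')vs candidate $(snapshot_of "$(version_field "$CANDIDATE")")"
fi
```

On a router the two inputs would come from `opkg list-installed` and `opkg list <package>` after `opkg update`; a mismatch is the situation the post describes, where the only clean fix is an image (or custom build) that contains all the LuCI packages from one snapshot.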
I've updated the packages many times without issues. Maybe I'm lucky and don't have any problematic package?
Is there a list of packages known to break stuff if they get updated?
EDIT: I'm running 18.06.2 right now but I've updated stuff on older releases too (always on releases, not on snapshot builds)
@fgimenezm - it seems that you have been lucky to date.
I cannot stress enough that opkg upgrade is a bad idea for all the reasons that have been discussed in this and other threads.
To my knowledge, there is no known list of 'safe' packages. There are no automatic compatibility checks, it would be purely manual. And there is nobody (to my knowledge) who is attempting to create a list like this (automated or manual). If one were to manually review the code changes for each package that might be upgraded, it may be possible to figure out if there are changes in the dependencies (and if so, those must also be reviewed) and/or kernel version to then guess at the compatibility. But that would be a lot of work and is incumbent on the person doing the upgrade to do themselves.
By now, you should know from reading these threads that there is a risk of seriously messing up your OpenWrt setup in unpredictable ways, some subtle, some major.
Although this cannot be guaranteed, the good news is that presumably failsafe should still work most of the time -- from there you can always 'firstboot' which will restore your router back to the ROM contents (i.e. the image most recently flashed onto the router).
Unless there is a very specific reason that you want/need to upgrade a given package, it would just seem like a lot of work to audit the code and/or unwise to blindly try the upgrade given the warnings here, unless you don't mind the risk (at which point, it is really a gamble). To each their own, of course. Good luck!