Advice on automatic upgrades

Hello, I would like to ask for advice regarding automatic updates / upgrades.

In my opinion, regular updates are very important for the security of a system. If one has several systems under control but does not want to invest much time maintaining them, automatic updates become crucial. While this is probably a bad idea for critical (business or similar) systems, it's usually perfectly fine for not-that-important private infrastructure.

Now in OpenWrt, I read that automatically calling opkg list-upgradable | cut -d ' ' -f 1 | xargs opkg upgrade is not advised, and people never tire of explaining that one should not do this, because of broken updates, wearing out flash, and so on. (Flash capacity is no issue in my case.)

Instead, one is told to flash a more recent image. (Which also isn't performed automatically. Stock firmware is capable of doing this, but okay, if you consider this like a distribution release upgrade it's fine. I also don't do this automatically.)

So I'm wondering how I should proceed. I got the impression it's best not to update via opkg and to subscribe to OpenWrt's GitHub releases so I can flash a new image when it becomes available.

But is this sufficient for a reasonable security level? What if a major flaw in a package becomes known? Is a new image released shortly after? On the other hand, reflashing too often would bother me...

What are you doing?

Installing a new ROM and packages if updates are required, rather than just "available", period.

Edit: Yes, if/when a significant security issue is surfaced and resolved, there should be a new release, or, perhaps, a clear instruction to upgrade a single package.

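As an added example (not code from this thread or from OpenWrt), here is the one-liner from the first post turned into the review step the reply above describes: list what opkg would upgrade, apply only packages you have explicitly allowlisted after an advisory or release note told you to, and report whether a newer release than the running one is out so you know a sysupgrade is due. The sample opkg output, the allowlisted package names and the LATEST_RELEASE value are constructed placeholders, not real advisories; fill them in yourself.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt: review opkg upgrades
# instead of piping `opkg list-upgradable` straight into `opkg upgrade`.

# Output in the shape `opkg list-upgradable` prints ("name - installed - available"),
# constructed here so the functions can be exercised offline.
SAMPLE_UPGRADABLE='wpad-basic-wolfssl - 2022-01-16-cff80b4f-16 - 2022-01-16-cff80b4f-16.1
hostapd-common - 2022-01-16-cff80b4f-16 - 2022-01-16-cff80b4f-16.1
luci-base - git-23.051.66410-8c39e7d - git-23.093.42303-d7ddac4
dnsmasq - 2.86-17 - 2.86-18'

# Packages you have decided to upgrade in place because a release note or
# advisory said so. Hypothetical list; edit it per advisory, do not leave it on.
ALLOWLIST="wpad-basic-wolfssl hostapd-common"

# Newest release you saw on the releases page (assumption: set by hand or from
# a notification). Left empty, the release check is skipped.
LATEST_RELEASE="${LATEST_RELEASE:-}"

# upgradable_names: first field of every non-empty line, i.e. the package name.
upgradable_names() {
    printf '%s\n' "$1" | awk 'NF { print $1 }'
}

# filter_allowed NAMES ALLOWLIST: print only names that appear in the allowlist.
filter_allowed() {
    for n in $1; do
        for a in $2; do
            [ "$n" = "$a" ] && printf '%s\n' "$n"
        done
    done
    return 0
}

# release_is_newer CURRENT CANDIDATE: succeed when CANDIDATE is a newer dotted
# numeric release (e.g. 22.03.3 vs 22.03.5). Pre-release tags such as "-rc1"
# are deliberately not handled; compare those by hand.
release_is_newer() {
    cur=$1; cand=$2
    oldifs=$IFS; IFS=.
    set -- $cur;  c1=${1:-0}; c2=${2:-0}; c3=${3:-0}
    set -- $cand; n1=${1:-0}; n2=${2:-0}; n3=${3:-0}
    IFS=$oldifs
    if [ "$n1" -gt "$c1" ]; then return 0; elif [ "$n1" -lt "$c1" ]; then return 1; fi
    if [ "$n2" -gt "$c2" ]; then return 0; elif [ "$n2" -lt "$c2" ]; then return 1; fi
    [ "$n3" -gt "$c3" ]
}

main() {
    # Use the real opkg output on a router; fall back to the sample elsewhere.
    out=$(opkg list-upgradable 2>/dev/null) || out=$SAMPLE_UPGRADABLE
    names=$(upgradable_names "$out")
    echo "opkg would upgrade:"; for n in $names; do echo "  $n"; done

    todo=$(filter_allowed "$names" "$ALLOWLIST")
    if [ -n "$todo" ]; then
        echo "On the allowlist: $(printf '%s ' $todo)"
        # Only actually touch flash when APPLY=1 is set on the command line.
        [ "${APPLY:-0}" = 1 ] && opkg upgrade $todo
    fi

    # /etc/openwrt_release defines DISTRIB_RELEASE='xx.yy.z' on OpenWrt.
    cur=$(. /etc/openwrt_release 2>/dev/null && printf '%s' "$DISTRIB_RELEASE")
    if [ -n "$cur" ] && [ -n "$LATEST_RELEASE" ]; then
        if release_is_newer "$cur" "$LATEST_RELEASE"; then
            echo "Running $cur, $LATEST_RELEASE is out: plan a sysupgrade"
        else
            echo "Running $cur, nothing newer than $LATEST_RELEASE"
        fi
    fi
}

# Run as: sh review-upgrades.sh run   (add APPLY=1 LATEST_RELEASE=22.03.5 as needed)
[ "${1:-}" = run ] && main
```

Run without APPLY=1 it only reports; the in-place upgrade step is opt-in, and the release comparison is there so a cron job can nag you to reflash rather than doing it for you.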

Thanks for your answer.

In the scenario I outlined above, the challenge is to be aware when something is required. I don't know of a streamlined process for this, and I intentionally pushed my phrasing a bit towards user-friendliness. Subscribing to a bunch of mailing lists is explicitly not what I have in mind.

Thanks, that helps a bit.

I'll probably just stick with subscribing to releases on GitHub and reflash occasionally.

I assume that in absence of any clear direction from the lead developers here, or a new release, that nothing is "required" to keep my OpenWrt instance reasonably secure.

See, for one example related to the wireless vulnerabilities (just the first thread on the topic I found):
