Opkg and security - when to update?

Hello

I understand that it's not good practice to blindly update all packages with opkg, and I think I understand the reasons. However, what I'm not clear about is:

  1. When should a package be upgraded? Presumably the new ones are being made available for a reason!
  2. How do I stay secure? Presumably some of the updated packages fix security problems so I would want to install those. How do I know which ones?

I've reviewed other answers on this forum, including some previous answers to my own questions, but still haven't found a clear answer to these questions.

Thanks

Andy

NEVER! Do not use opkg upgrade ever unless you know exactly what you are doing and you are willing to take the risk that it will cause serious problems. Look around in these forums and you will find lots of threads on this issue, including many where the user had to reset everything to defaults to repair issues.

Keep up to date with the latest official stable releases and you should be good. Or if you need/want to use snapshots, update periodically to get relevant security and feature updates.

Take a look at https://openwrt.org/advisory/start

If a package has security issues, it should be mentioned here, together with instructions how to mitigate the issue.

Thanks psherman and tmomas. I hope you'll forgive me asking a few more questions as I want to be sure I'm clear on this.

psherman - you appear to suggest that the best practice is simply to periodically flash new firmware. I'd prefer to stick to stable releases - I'm wary of using "snapshots" - as I imagine that these are development releases and thus potentially less stable - is that correct? Are the stable releases updated regularly when security issues are found?

tmomas - thank you for that link - it looks useful. Some of the mitigations do suggest using opkg, which psherman is generally suggesting I should avoid. Do I take it then that the advice would be to avoid it unless it's mentioned in these advisories?

More generally - this may be a silly question, but if opkg is best avoided, what's its purpose? Who is it aimed at - just developers?

Thanks

Andy

Yes. But I recommend stable releases for the vast majority of users unless they want/need to run snapshots (i.e. device not supported in official stable, new features, kernel versions, or security needs that are not currently part of stable, or desire to be on the bleeding edge). Snapshots can be less stable and installing packages can be annoying because the snapshots are a moving target.

Opkg is fine to use. Opkg install is how you get new packages and functionality onto your device. It is opkg upgrade that should be avoided. It is there because there are times that it can be useful for very specific purposes, but it should always be assumed to be risky and is generally best to only use if you know what you are doing and why. I’ve never ever used it, personally.

The issue you mentioned has been fixed for OpenWrt 19.07.1, the current version would be 19.07.2 (which is the one you should be running at this point, and obviously it does include the fix as well).

--
Yes, this issue is also fixed in the current 18.06.x release.

You keep giving these replies, but you never give any deeper reasoning beyond vague things about ABI incompatibility. I can see that being a risk, if the kernel is updated in a point release and one tries to use new drivers (intended for the new kernel) with an old kernel. But that should never happen unless the developers mess up and according to my experience they don't. You on the other hand, by your own admission, do not have any experience with opkg upgrade.

Beyond ABI incompatibility (and the usual risk of regression with newer packages) I can see two major risks with upgrading packages. 1) The disk fills up and 2) The flash wears out. For people with good hardware, the latter points are not problems. For people with bad hardware, it may indeed brick/destroy their devices. The risks simply have to be weighed against the benefits and I'd like to hear more details about exactly what the risks may be.

@Andy1: I have written on the forum before that I do opkg upgrade nightly. I have done that between June 2018 and November 2019 with 17.01 and between November 2019 and now with 18.06. This is on an APU2 with 16GB of flash. Works for me. YMMV.
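The two concrete risks named in the thread, kernel-module (kmod-*) packages drifting from the running kernel's ABI and the overlay filling up, can both be checked before anyone types `opkg upgrade`. The following POSIX sh script is an added example written for this thread, not OpenWrt's own tooling: it parses the `name - oldversion - newversion` lines that `opkg list-upgradable` prints, flags any pending kernel modules, and checks free overlay space. The package names, versions and the 2 MiB threshold are constructed sample values, and the `/overlay` mount point is assumed.

```shell
#!/bin/sh
# Added example for this thread: audit what "opkg upgrade" would touch, without upgrading.

# Constructed sample of `opkg list-upgradable` output ("name - old - new" per line).
SAMPLE_UPGRADABLE='dnsmasq - 2.80-16 - 2.80-16.1
kmod-mac80211 - 4.14.171+4.19.98-1-1 - 4.14.195+4.19.137-1-1
libustream-wolfssl - 2019-11-05-1 - 2020-03-08-1
luci-base - git-20.073 - git-20.108'

# Count how many packages have a newer version available.
count_upgradable() {
    printf '%s\n' "$1" | grep -c ' - '
}

# Print the names of pending kernel-module packages (kmod-*).
# These are the ones where a mismatch with the running kernel causes the ABI trouble
# discussed above, so they deserve a manual look rather than a blind upgrade.
flag_kernel_modules() {
    printf '%s\n' "$1" | awk '$1 ~ /^kmod-/ { print $1 }'
}

# Return 0 when the overlay has at least $2 KiB free, 1 otherwise.
# Takes the free-KiB figure as an argument so it can be tested offline; on a router
# pass "$(df -k /overlay | awk 'NR==2 { print $4 }')" (assumed mount point).
overlay_has_room() {
    free_kib="$1"; need_kib="$2"
    [ "$free_kib" -ge "$need_kib" ]
}

# Run the whole audit. Returns 1 ("hold") if kernel modules are pending or the overlay
# is nearly full, 0 otherwise. Only prints; never calls opkg upgrade.
audit() {
    list="$1"; free_kib="$2"
    echo "$(count_upgradable "$list") package(s) have newer versions available"
    kmods="$(flag_kernel_modules "$list")"
    if [ -n "$kmods" ]; then
        echo "HOLD: kernel modules pending; confirm they match the running kernel first:"
        printf '  %s\n' $kmods
        return 1
    fi
    if ! overlay_has_room "$free_kib" 2048; then
        echo "HOLD: less than 2 MiB free on overlay"
        return 1
    fi
    echo "No kernel modules pending; check each package against https://openwrt.org/advisory/start"
    return 0
}

# Stand-alone run: use the real list on a router that has opkg, the sample elsewhere.
if command -v opkg >/dev/null 2>&1; then
    audit "$(opkg list-upgradable 2>/dev/null)" "$(df -k /overlay | awk 'NR==2 { print $4 }')"
else
    audit "$SAMPLE_UPGRADABLE" 4096
fi
echo "audit exit status: $?"
```

On the sample input the audit stops at the pending kmod-mac80211 package and returns 1; a list without kernel modules and with enough overlay space returns 0, at which point the remaining packages are still reviewed against the advisory page one by one rather than upgraded wholesale.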

@KAD - nobody is stopping you from upgrading packages. We are just strongly advising you not to because there have been many cases where doing so has hosed the installation and required starting over from scratch.

opkg upgrade can result in major problems. It is generally highly discouraged, unless you know what you are doing or if there is specific instruction to do so.

While it does appear to have worked for you without issues, it would not surprise me if you do end up with problems at some point. And when that happens, just know you were warned.

One thing I will ask, though, is that you do not advise other forum users that it is safe to upgrade - their situation and configuration details may be sufficiently different as to cause major instabilities and/or soft-bricking of their router. The warnings are there to save people the frustration, but there are no technical measures to prevent the upgrade process - those who are knowledgeable and informed of the risks will decide if it is worth attempting. After all, everybody has a different level of risk tolerance, knowledge, and time to deal with potential problems.

@Andy1 - please follow the advice in the warnings and do not upgrade packages unless you are willing to take the risk.

Maybe we should collect real life examples of things gone wrong during package upgrades. The forum certainly has several examples in store.

Here's one that just happened....