Recommended update strategy?


What's the recommended strategy for keeping LEDE/OpenWRT routers up to date? I don't want to update or upgrade a working router just for the sake of it, but I'd like to make sure that I don't leave myself and my users vulnerable to security issues through running outdated software with known vulnerabilities.

With PC based distros the package managers will update the entire system to the latest state, but I have read on this forum and elsewhere that it's not recommended to blindly update all possible packages with opkg as some of the newer packages can conflict with the base system. Also, it's not clear if this would update everything anyway.

Any suggestions?

I believe the best example is the Krack and Spectre vulnerabilities. 17.01.4 fixed those; but the relevant packages could be updated once released...if there was space on the person's flash!!!

The main difference in this distro is:

  • Some flashes are compressed, meaning disk space is not accurate in uncompressed terms
  • In OpenWRT theres a read-only portion, only edits are noted, the files remain
  • This means that you don't uninstall the previous package, you simply mark it "gone" on the read-only portion.
  • So, in this case (OpenWRT), upgrading certain packages could certainly be dangerous
  • These "upgrades" disappear if you reset the device to default.

If you cannot wait for the next release, build a custom firmware from snapshot...that's probably the easiest solution. Please note that Snapshot is developmental.

OK - thanks. I do understand the flash space issues and how the main image is read-only. I have also read elsewhere that blindly upgrading packages can result in packages which conflict with the base system, though I have seen some people say on the forum that they have done this without issue.

I'd like to understand what the recommended strategy is for "production" use. Are we generally expected to stick with the released image until the next one for our router comes along? Or is there a list of "critical" package upgrades published anywhere? What do most people do when using OpenWRT/LEDE in an environment where reliability and efficient management are important?