Hi
what are the OpenWRT maintenance tasks beside "Upgrading OpenWrt firmware" when new release announced?
I prefer LuCI and thats a simple procedure documented in https://openwrt.org/docs/guide-user/installation/generic.sysupgrade
When security fix comes out, it also bumps the release? I installed only "official" OpenWRT packages.
OpenWrt Upgrade procedure
Web interface
what do you mean? what should you do regularly to keep "up-to-date"?
You could issue
opkg update && opkg list-upgradable
now and then. If this reports packages that have received updates, do
opkg upgrade $(opkg list-upgradable | sed -e 's/ - .*//')
to install these updates.
Updates can also be done from LuCI, but only for one package at a time. Look under Software.
That seems to conflict with this page https://openwrt.org/docs/guide-user/additional-software/show_upgradable_packages_after_ssh_login
Blindly upgrading packages (manually or via script) can lead you into all sorts of trouble.
Just because there is an updated version of a given package does not mean it should be installed or that it will function properly. Inform yourself before doing any upgrades to determine if it is safe to upgrade. Avoid upgrading core packages,,
https://forum.openwrt.org/t/upgrade-the-packages-on-snapshot/53158/2?u=tmomas
I agree with @sandude. I learned the hard way not to just blindly upgrade any upgraded packages. It ended up making things not work anymore. Personally, if the firmware is working just as it is, leave it be and get the updated packages when a new release has been made. (That way, there are no kernel conflicts, incompatibility issues, etc.)
there is a huge list of update
luci-proto-wireguard - git-20.150.62258-217d331-1 - git-20.167.61968-87da00a-1
luci-app-adblock - git-20.150.62258-217d331-1 - git-20.167.61968-87da00a-1
luci-app-opkg - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
wpad-basic - 2019-08-08-ca8c2bd2-3 - 2019-08-08-ca8c2bd2-4
rpcd - 2019-12-10-aaa08366-2 - 2020-05-26-67c8a3fd-1
luci-lib-ip - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
luci-mod-system - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
luci-theme-bootstrap - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
adblock - 4.0.5-3 - 4.0.6-1
libuclient20160123 - 2019-05-30-3b3e368d-1 - 2020-06-17-51e16ebf-1
luci-mod-status - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
luci-app-firewall - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
libgnutls - 3.6.13-1 - 3.6.14-1
uclient-fetch - 2019-05-30-3b3e368d-1 - 2020-06-17-51e16ebf-1
libubox20191228 - 2020-02-27-7da66430-1 - 2020-05-25-66195aee-1
luci-compat - git-20.155.55664-f35803e-1 - git-20.167.61968-87da00a-1
rpcd-mod-file - 2019-12-10-aaa08366-2 - 2020-05-26-67c8a3fd-1
luci-proto-ppp - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
luci-mod-admin-full - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
luci-base - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
libjson-script - 2020-02-27-7da66430-1 - 2020-05-25-66195aee-1
luci-proto-ipv6 - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
libblobmsg-json - 2020-02-27-7da66430-1 - 2020-05-25-66195aee-1
jshn - 2020-02-27-7da66430-1 - 2020-05-25-66195aee-1
ca-certificates - 20190110-2 - 20200601-1
usign - 2019-08-06-5a52b379-1 - 2020-05-23-f1f65026-1
luci-lib-nixio - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
ca-bundle - 20190110-2 - 20200601-1
luci-lib-jsonc - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
luci - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
rpcd-mod-iwinfo - 2019-12-10-aaa08366-2 - 2020-05-26-67c8a3fd-1
luci-mod-network - git-20.136.49537-fb2f363-1 - git-20.167.61968-87da00a-1
hostapd-common - 2019-08-08-ca8c2bd2-3 - 2019-08-08-ca8c2bd2-4
what I need to do exactly? What are the steps?
Never touch a running system 
I worry that I get owned because of a unpatched security vulnability
Operations tasks 
as a OpenWRT user
Upgrade when there's a new firmware release. That's it.
So true! 
I hear you; but, IMHO, the OpenWRT developers and community are very prompt to patch any vulnerabilities and send out a release update. I will those more technical than me to discuss the possibilities of "getting owned because of an unpatched security vulnerability" but as long as your setup is good (i.e. allow outgoing traffic, block incoming connections except for those you define, etc.), it shouldn't be an issue.
Also, as far as I can tell, these git changes may related to different kernel versions or files that are WIP. I used to build my own builds off of Master and would sometimes run into issues where something might not work properly and cause the router to have problems. Or, I'd run into kernel compatibility issues. (Mind you, I'm using an Archer C7 V2 which is a problem in itself... but that's a longer story. 
). Stable builds are rock solid; and, when we pull different software into our firmware (either through LuCI or CLI), then the correct version of that software is pulled in.
Again, I will let those who are more technical than me talk to the possibility of "getting owned" due to security vulnerabilities, but I think you'll be fine as is.
Hopefully there aren't any changes that affects bootup which may happen in master branch and/or going between major versions but such changes aren't usually all that well documented. Due to the design of OpenWrt in most cases you cannot reclaim used space, you can delete (hide) files but you're not able to re-use the space which makes it very easy to run out of space on devices with limited flash. If you're using master you more or less need to carefully follow commit log and have a look at the code otherwise a "stable" branch should be fine however the package tree usually lags quite a bit behind master.