Daily security run wants updates

[teema]

Every night I get this email:

Checking for packages with security vulnerabilities:
Database fetched: Mon Apr 18 03:15:05 EEST 2016
samba43-4.3.6_100313
pcre-8.38

-- End of security output --

I've got only one jail where I've done a "pkg update && pkg upgrade" that seemed to update pcre, but not SMB. As a root user I get this:

[root@archive] ~# pkg update
Updating local repository catalogue...
pkg: file:///usr/ports/packages/meta.txz: No such file or directory
repository local has no meta file, using default settings
pkg: file:///usr/ports/packages/packagesite.txz: No such file or directory
Unable to update repository local


The errors lead me to believe I'm not supposed to do pkg upgrades on my own(?) So my question is how can I upgrade these packages and/or why doesn't FreeNAS do it independently? I'm running 9.10 with the latest update (FreeNAS-9.10-STABLE-201604181743 (74ef270) to be precise).

 

[dlavigne]

No. The dev team is currently testing the pkg updates to the OS, and once complete, they will be available in a system update.

 

[teema]

Alright, thanks.

 

[jgreco]

The errors lead me to believe I'm not supposed to do pkg upgrades on my own(?) So my question is how can I upgrade these packages and/or why doesn't FreeNAS do it independently? I'm running 9.10 with the latest update (FreeNAS-9.10-STABLE-201604181743 (74ef270) to be precise).

Correct. FreeNAS is an appliance. You're not supposed to tinker under the hood. Package upgrades would assume that the package system installed the software in the first place, which might or might not be true, and that there aren't any "local mods" to the packages, which might or might not be true. FreeNAS also will not update packages, because the system image is generally treated as a whole thing.

Otherwise, when you say "FreeNAS-9.10-STABLE-201604181743" this is entirely meaningless. You'd need to say "FreeNAS-9.10-STABLE-201604181743 with Samba updated to 1.2.3-pl5 and Netatalk 6.7.8-pl7 and nginx 9.10.11 with local mods and ...."

Well, perhaps you get the point here. FreeNAS is tested as a whole thing and is not expected to be treated as a bunch of individual things, even if under the hood all those bits are individual things.

So to update FreeNAS, you need to wait for the next FreeNAS update, which will probably integrate in whatever package updates might be suitable or needed.

 

[jgreco]

No. The dev team is currently testing the pkg updates to the OS, and once complete, they will be available in a system update.

I've really got to stop this stuff where I go and open tabs for everything I want to reply to. Inevitably other replies seem to sneak in and I always forget to refresh. Sheesh.

 

[anodos]

I've really got to stop this stuff where I go and open tabs for everything I want to reply to. Inevitably other replies seem to sneak in and I always forget to refresh. Sheesh. :)

But we love your posts so much. You are so awesome and super cool that we hang on your every keystroke. It is an unbearable day when we do not get the pleasure of your bonus messages! Please don't leave us hanging :D

 

[jgreco]

But we love your posts so much. You are so awesome and super cool that we hang on your every keystroke. It is an unbearable day when we do not get the pleasure of your bonus messages! Please don't leave us hanging :D

Yeah, well, okay.

Maybe next time you decide to encourage bad behaviour, you'll remember that mods can edit posts too. ;-)

 

[BigDave]

The power of the mighty MODERATOR strikes again! Bahhahahaha!

 

[anodos]

Yeah, well, okay.

Maybe next time you decide to encourage bad behaviour, you'll remember that mods can edit posts too. ;-)

Touché.

 

[jixam]

Correct. FreeNAS is an appliance. You're not supposed to tinker under the hood.

So, is it not a bug that these mails are sent every night?

It started with FreeNAS 9.10 and it is really annoying me because it tells me that something is wrong, but there is nothing I can do about it. FreeNAS has its own update system that will tell me when actual updates are available, so why not just turn these new messages off?

 

[jgreco]

Feel free to make a bug report and make that argument with the devs.

No. The dev team is currently testing the pkg updates to the OS, and once complete, they will be available in a system update.

This seems to be the thing to do though.

 

[jixam]

Feel free to make a bug report and make that argument with the devs.

I was planning to, after testing the waters here. Now created: https://bugs.freenas.org/issues/14879

This seems to be the thing to do though.

Sorry, can you rephrase that?

 

[jgreco]

Sorry, can you rephrase that?

I'd just wait for the update. Which is what you'll have to do anyways. The notification that there's an issue is nice, but it is kinda like getting a security notice that something needs attention. It doesn't guarantee that a fix is actually available. Yet.

 

[jixam]

I'd just wait for the update. Which is what you'll have to do anyways. The notification that there's an issue is nice, but it is kinda like getting a security notice that something needs attention. It doesn't guarantee that a fix is actually available. Yet.

All right, now I understand, but I do not agree that it is nice. It's a notification that something may or may not be an issue with FreeNAS and it may or may not be corrected at some unknown time.

I think it is useless and I predict that threads like this one will keep popping up until the notification is disabled.

 

[TheDubiousDubber]

All right, now I understand, but I do not agree that it is nice. It's a notification that something may or may not be an issue with FreeNAS and it may or may not be corrected at some unknown time.

I think it is useless and I predict that threads like this one will keep popping up until the notification is disabled.

I totally agree. I wasn't sure what to do about it either, which is how I came across this thread. I like getting email updates for certain things, but it's beginning to get really annoying having to clear these emails on a daily basis. Its old news by now, and there is still nothing I can do to fix it. At the very least it would be nice if this particular alert had the option of being switched off.