FreeBSD 11 update lag on the example of pms

Joined
Jan 27, 2020
Messages
577
While I was investigating why my plexmediaserver wasn't running the newest version (FOMO!) I came across this thread over at the FreeBSD forums: https://forums.freebsd.org/threads/pkg-build-lag-schedule.67503/

Even though I'm on the latest branch, pkg is not fetching the newest pms package. Freshports reports an update is available since May 12th: https://svnweb.freebsd.org/ports?view=revision&revision=534995
but pkg search plexmediaserver reports an older version.

Using pkg -d update shows me that pkg is fetching the FreeBSD 11 versions of packages. Cross-checking with my nearest pkg mirror confirmed that the plexmediaserver pkg for FreeBSD 11 and 12 is still an older version than the one for FreeBSD 13.

This got me confused. Why is a recent update pushed to a release that isn't even available yet? (FreeBSD 13 doesn't even appear in the release list)
Referring to the link posted at the top, package building takes some time, so why would they build packages for an unreleased version first?
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Joined
Jan 27, 2020
Messages
577
After more than 80 hours the build is finished. Now it takes some time to transfer it over to the mirrors I guess.
Never realized all the work involved to push a release to clients.
Still quite some time to get an update, imagine this would contain critical security vulnerabilities.

Guess the only way to speed things up is donating to the FreeBSD Foundation.
 

Yorick

Wizard
Joined
Nov 4, 2018
Messages
1,912
> imagine this would contain critical security vulnerabilities

Let’s! There’s a terrible vuln in Plex, port 32400 can be used to take over the instance Plex runs in.

That jail is now compromised. What might happen? Who knows. All my movies are encrypted. Someone uploads pornographic material of minors to my server and tells all their buddies. My jail starts mining some obscure crypto token.

Presumably I’ll become aware of that activity at some point. Hopefully sooner rather than later. The jail itself won’t be escaped.

If the activity occurred in the past N days, where N is equal to or less than snapshot retention:
- Save logs, close access on firewall, roll back snapshot, patch, re-open access

If it occurred earlier:
- same thing but blow away jail and media dataset entirely, reinstall jail and restore media from backup

Assume compromise. Plan for it, and how to get back from it.

Or with more pathos:

“Meditation on inevitable death should be performed daily. Every day when one's body and mind are at peace, one should meditate upon being ripped apart by arrows, rifles, spears and swords, being carried away by surging waves, being thrown into the midst of a great fire, being struck by lightning, being shaken to death by a great earthquake, falling from thousand-foot cliffs, dying of disease or committing seppuku (ritual suicide) at the death of one's master. And every day without fail one should consider himself as dead.

There is a saying of the elders that goes, "Step from under the eaves and you're a dead man. Leave the gate and the enemy is waiting." This is not a matter of being careful. It is to consider oneself as dead beforehand.”
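
The recovery decision described in the post above (roll back when a retained snapshot predates the activity, otherwise rebuild and restore from backup), as an added example that is not part of the original thread. The dataset name and timestamps are constructed; the input format is that of `zfs list -H -p -t snapshot -o name,creation`.

```shell
#!/bin/sh
# Added example: pick the recovery path for a compromised jail.
# stdin: "name<TAB>creation-epoch" lines, as printed by
#   zfs list -H -p -t snapshot -o name,creation -s creation <dataset>
# $1:    epoch time of the earliest malicious activity found in the saved logs.

pick_recovery() {
    compromise_epoch=$1
    awk -F '\t' -v t="$compromise_epoch" '
        # Keep the newest snapshot taken strictly before the compromise.
        $2 + 0 < t + 0 && $2 + 0 > best_time { best_time = $2 + 0; best = $1 }
        END {
            if (best != "") print "ROLLBACK " best   # clean snapshot retained
            else            print "REBUILD"          # nothing clean: reinstall + restore
        }'
}

# Constructed sample data: the dataset name and timestamps are made up.
sample_snapshots() {
    printf '%s\t%s\n' \
        'tank/iocage/jails/plex@auto-2020-05-14' 1589414400 \
        'tank/iocage/jails/plex@auto-2020-05-15' 1589500800 \
        'tank/iocage/jails/plex@auto-2020-05-16' 1589587200
}

# Activity first seen 2020-05-15 18:00 UTC: the 05-15 snapshot predates it.
sample_snapshots | pick_recovery 1589565600
# Activity older than every retained snapshot: no clean state to roll back to.
sample_snapshots | pick_recovery 1589400000
```

The snapshot it names is only as trustworthy as the timestamp passed in, so the epoch should come from the earliest evidence in the logs saved before the rollback.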
 
Joined
Jan 27, 2020
Messages
577
I feel like we've evolved from when being a ninja was as necessary as it used to be. I sleep better without a knife under my pillow.
 