I have a working server running on version 2.1.10 I just saw that there is version 2.2.0 and i would like to ask if an upgrade is a must and where can i fined the documentation about how to do such a thing? My FR us running on Ubuntu 12.04. Thank you -- ____ Sometimes you just glow in the dark...
Hi Am 27.01.2013 14:00, schrieb Tzvika Gelber:
I have a working server running on version 2.1.10 I just saw that there is version 2.2.0 and i would like to ask if an upgrade is a must and where can i fined the documentation about how to do such a thing?
My FR us running on Ubuntu 12.04. 2.1.10 is the version delivered by your distribution - and contains backported security bugfixes released until 2.2.0. In terms of security, your version is fine.
You could move to 2.2.0, but that requires more work like: - building from source - look around for backported DEB packages (or build your own one) - moving to a newer (non-LTS version) of Ubuntu (will give you 2.1.12 right now) As long as you're not missing specific features or bugfixes only found after 2.1.10 was released, you can safely stay on that version. There are however circumstances where building from source gives the extra flexibility and bleeding edge code for your special use case, but that's not always outweighing the invested time to build and maintain it on your own. -- Mathieu
Hi,
2.1.10 is the version delivered by your distribution - and contains backported security bugfixes released until 2.2.0. In terms of security, your version is fine.
why? why do that? why not simple release 2.2.0 - you are CONFUSING your users and CONFUSING those people who support them. if it says 2.1.10 then one can only ASSUME that its 2.1.10 alan
Am 27.01.2013 21:52, schrieb A.L.M.Buxey@lboro.ac.uk:
Hi,
2.1.10 is the version delivered by your distribution - and contains backported security bugfixes released until 2.2.0. In terms of security, your version is fine. why? why do that? why not simple release 2.2.0 - you are CONFUSING your users and CONFUSING those people who support them.
if it says 2.1.10 then one can only ASSUME that its 2.1.10 Yes, somewhat true, but that's how a couple of distribution consider 'stable' releases: Stick with a version of a software and backport (bug and) security updates to this version. (and only update the version of a package at new distro release)
Enterprise distributions or commercial unix often do much heavier backporting than what Debian/Ubuntu do, just to deliver the very same version during the period of time the package is bundled with a release of their distro/software. You have to outweight the advantages vs. disadvantages like breaking support from your distributor, in this case Canonical. But I agree that asking on this list is likely yield the answer "upgrade first" in case of problems. A Ubuntu PPA can be a very good thing - but you have to trust a third party. That said, I really like PPAs when the packagers do good work and care about updating the packages - thanks Fajar for maintaining this repository! -- Mathieu
Hi,
I have a working server running on version 2.1.10 I just saw that there is version 2.2.0 and i would like to ask if an upgrade is a must and where can i fined the documentation about how to do such a thing?
self-build or installed via the distro? the answer to the initial question is YES. the new version has many security holes fixed and bugs fixed. regarding updating...i believe that 2.1.10 and 2.2.0 are almost 99.99% configuration compatible...so, if you built from source then a simple ./configure --with-whatever-options-you-used, make, make install will work - providing you check the docs to see which small configuration option is not compatible. if you got your 2.1.10 from distribution...then you have to wait for your distro to catch up - perhaps ask their support people when they will be making that version available for your distro (they will then, I hope, check your config doesnt have the offending line (if it does, I guess their installed will copy the old config file into a safe backup location and drop a copy with offending line removed back into place) alan
On Sun, Jan 27, 2013 at 08:51:28PM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
I have a working server running on version 2.1.10
if you got your 2.1.10 from distribution...then you have to wait for your distro to catch up
Actually, with Debian and Ubuntu, building new local packages of the latest version is trivially easy, and the way I would recommend upgrading. http://wiki.freeradius.org/building/Build#Building-Debian-packages But of course if you roll your own packages you've got to watch for security issues when they crop up, and rebuild yourself. With distro supported packages they tend to patch up the security issues, though you might be left with older non-security related bugs unpatched. Like Alan wrote: if it says 2.1.10, you have no easy way of guaranteeing all latest security patches have been applied. Popping up on this list and saying you're using an old version is also likely to get you a lot of 'go away and upgrade' responses, rather than answers to your question... Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
On Mon, Jan 28, 2013 at 8:42 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Sun, Jan 27, 2013 at 08:51:28PM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
I have a working server running on version 2.1.10
if you got your 2.1.10 from distribution...then you have to wait for your distro to catch up
Actually, with Debian and Ubuntu, building new local packages of the latest version is trivially easy, and the way I would recommend upgrading.
http://wiki.freeradius.org/building/Build#Building-Debian-packages
Debian packages generated from FR source is mostly compatible with current Debian/Ubuntu packages. It's great for when used for new servers. There's a catch though: if you have upgrade current installation, there might be some things that needed manual tweaking (IIRC it was certificate-related). FR's debian recipe is based on some old version in Debian. Current Debian package has diverged somewhat, so you might see some minor differences (configuration, init script, pre/post install script, etc). If we ported ALL Debian/Ubuntu changes, it would mean build failure on some older systems. So for the 2.2.0 FR release I only backported ones that were essential and wouldn't break things. If you currently have an Ubuntu system running with 2.1.10, you might find my PPA to be more seamless for upgrading: https://launchpad.net/~freeradius/+archive/stable (yes, it's also mentioned in the wiki: http://wiki.freeradius.org/building/Packages ). It takes a different approach, in that it takes current Debian/Ubuntu packages, and make necessary modification so that you can put 2.2.0 sources and have it build. Some of the changes were too intrusive to be included in the official source (for example, there are different recipes for Hardy/Lucid), but if you're just an end user that have no experience with building packages, you might find this one easier to use.
But of course if you roll your own packages you've got to watch for security issues when they crop up, and rebuild yourself. With distro supported packages they tend to patch up the security issues, though you might be left with older non-security related bugs unpatched.
Like Alan wrote: if it says 2.1.10, you have no easy way of guaranteeing all latest security patches have been applied.
Popping up on this list and saying you're using an old version is also likely to get you a lot of 'go away and upgrade' responses, rather than answers to your question...
If you have support from the Ubuntu, it might be better to stick with the provided version. But yes, when asking to this list, the most likely answer would be "upgrade". If one wants to stick to Ubuntu's provided version and wants to ask for security backports, better ask Canonical. -- Fajar
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Fajar A. Nugraha -
Mathieu Simon -
Matthew Newton -
Tzvika Gelber