From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: Fireinfo reports 41.68% of all reporting installations running on Core Update 134 Date: Mon, 05 Aug 2019 17:18:53 +0100 Message-ID: <0F0106CF-50E0-4A92-BDE1-3FADF0E1BA2F@ipfire.org> In-Reply-To: <0fb162e4-ac35-3f5d-2e02-6b45543ada93@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4033006359410640987==" List-Id: --===============4033006359410640987== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, > On 4 Aug 2019, at 09:42, Peter M=C3=BCller wro= te: >=20 > Hello Michael, hello *, >=20 > sorry for the late reply. >=20 >> Lol, yeah I know why this is. >>=20 >> We have probably the same problem with dns.lightningwirelabs.com where Dan= iel contacted me yesterday that a system with Core Update 125 was unable to u= pdate its DNS record. > That is interesting as Fireinfo reports 2.28% of reporting installations > running on this Core Update. Do you have more information why these might > be unable to report? Did those maybe submit an update before the 14 days deadline? >>=20 >> Those systems simply use an outdated version of OpenSSL and we require TLS= 1.2 or better with all the bells and whistles. We might have to downgrade th= at to catch all fireinfo profiles. > Even OpenSSL 1.0.x is capable of TLS 1.2, and I think Core Update 125 is > using that version branch. Either way, this would mean all installations are > able to report, or none is. But ~ 2.3% is somewhat in between... :-| The profiles will only go away when they have not been updated in 14 days. >>=20 >> Some really old systems will send via HTTP and we won=E2=80=99t upgrade th= em to HTTPS because the whole profile has of course already been transmitted. >>=20 >> Suggestions on what to do? > Actually, we never had reliable data in Fireinfo. Partial due to reporting > being a opt-in function (and I know a lot of people leaving this disabled), > partial due to outdated installations being unable to report anymore. >=20 > Needless to say, I think Fireinfo is valuable, and it should be an opt-in, > anyway. But we have to bear in mind its only a fraction we talk about, > and perhaps there is a chance to enumerate how large it is. >=20 > I do not see any need for technical changes here, i.e. allowing TLS 1.0 or > something. Is it the ECSDA certificate? Or that we do not support anything but an ECC ke= y exchange? PFS? >=20 > Thanks, and best regards, > Peter M=C3=BCller >>=20 >> -Michael >>=20 >>> On 30 Jul 2019, at 17:59, Peter M=C3=BCller = wrote: >>>=20 >>> Hello *, >>>=20 >>> having a look at the Fireinfo statistics every now and then >>> (https://fireinfo.ipfire.org/), I just noticed 41.68% of all >>> reporting installations are running on the latest Core Update. >>>=20 >>> As far as I am concerned, that number is pleasing, but we >>> used to have fractions of ~ 33.00% here. So, people are either >>> installing updates faster than they did in the past (I rather >>> doubt it) or many (heavily) outdated installations disappeared. >>>=20 >>> On the other hand, due to datacenter migration issues, we >>> are behind the normal release schedule - thus giving admins >>> more time to update to the current version. >>>=20 >>> Just thought you might find this interesting. >>>=20 >>> Thanks, and best regards, >>> Peter M=C3=BCller >>> --=20 >>> The road to Hades is easy to travel. >>> -- Bion of Borysthenes >>=20 >=20 > --=20 > The road to Hades is easy to travel. > -- Bion of Borysthenes --===============4033006359410640987==--