[PATCH] index.cgi: Display a warning if the last Core Update was installed more than 90 days ago
At the time of writing, Fireinfo reports more 51.67% of all installations reporting back to us are running at least two Core Updates older than the latest one.
While I doubt we can expect our userbase to patch their systems within 24 hours (which is the recommended timespan given for critical infrastructures by multiple CERTs), if they the last Core Update was installed more than 90 days ago, we can safely consider the system in question being outdated and insecure.
Therefore, this patch displays a warning on index.cgi, in addition to the "an update is available" message - in the hope to nudge people to keep their IPFire machines up to date.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- html/cgi-bin/index.cgi | 10 +++++++++- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 2b7ccdb0f..fbd656988 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -541,6 +541,14 @@ if ( ! -e "/var/ipfire/main/send_profile") { $warnmessage .= "<li><a style='color: white;' href='fireinfo.cgi'>$Lang::tr{'fireinfo please enable'}</a></li>"; }
+# Running on likely outdated Core Update (last update was more than 90 days ago) +my ($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat "/opt/pakfire/db/core/mine"; +my $core_update_age = time() - $mtime; + +if ( "$core_update_age" > "7776000" ) { + $warnmessage .= "<li>$Lang::tr{'outdated installation warning'}</li>"; +} + # EOL architecture my ($sysname, $nodename, $release, $version, $machine) = &POSIX::uname(); if ($machine =~ m/^i.86$/) { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c81b28fea..2ae0f948c 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1878,6 +1878,7 @@ 'otherport' => 'Anderer Port', 'our donors' => 'Unsere Unterstützer', 'out' => 'Aus', +'outdated installation warning' => 'Diese IPFire-Installation ist veraltet, was ein Sicherheitsrisiko darstellt. Bitte aktualisieren Sie das System schnellstmöglich.', 'outgoing' => 'ausgehend', 'outgoing compression in bytes per second' => 'Abgehende Kompression', 'outgoing firewall' => 'Ausgehende Firewall', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 2f7038fb1..8d1eb3e2d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1914,6 +1914,7 @@ 'otherport' => 'other Port', 'our donors' => 'Our donors', 'out' => 'Out', +'outdated installation warning' => 'This IPFire installation is outdated, which is a security risk. Please check for and install updates as soon as possible.', 'outgoing' => 'outgoing', 'outgoing compression in bytes per second' => 'Outgoing compression', 'outgoing firewall' => 'Outgoing Firewall',
Acked-by: Bernhard Bitsch bbitsch@ipfire.org Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org
Am 15.01.2022 um 10:15 schrieb Peter Müller:
At the time of writing, Fireinfo reports more 51.67% of all installations reporting back to us are running at least two Core Updates older than the latest one.
While I doubt we can expect our userbase to patch their systems within 24 hours (which is the recommended timespan given for critical infrastructures by multiple CERTs), if they the last Core Update was installed more than 90 days ago, we can safely consider the system in question being outdated and insecure.
Therefore, this patch displays a warning on index.cgi, in addition to the "an update is available" message - in the hope to nudge people to keep their IPFire machines up to date.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
html/cgi-bin/index.cgi | 10 +++++++++- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 2b7ccdb0f..fbd656988 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -541,6 +541,14 @@ if ( ! -e "/var/ipfire/main/send_profile") { $warnmessage .= "<li><a style='color: white;' href='fireinfo.cgi'>$Lang::tr{'fireinfo please enable'}</a></li>"; }
+# Running on likely outdated Core Update (last update was more than 90 days ago) +my ($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat "/opt/pakfire/db/core/mine"; +my $core_update_age = time() - $mtime;
+if ( "$core_update_age" > "7776000" ) {
- $warnmessage .= "<li>$Lang::tr{'outdated installation warning'}</li>";
+}
- # EOL architecture my ($sysname, $nodename, $release, $version, $machine) = &POSIX::uname(); if ($machine =~ m/^i.86$/) {
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c81b28fea..2ae0f948c 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1878,6 +1878,7 @@ 'otherport' => 'Anderer Port', 'our donors' => 'Unsere Unterstützer', 'out' => 'Aus', +'outdated installation warning' => 'Diese IPFire-Installation ist veraltet, was ein Sicherheitsrisiko darstellt. Bitte aktualisieren Sie das System schnellstmöglich.', 'outgoing' => 'ausgehend', 'outgoing compression in bytes per second' => 'Abgehende Kompression', 'outgoing firewall' => 'Ausgehende Firewall', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 2f7038fb1..8d1eb3e2d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1914,6 +1914,7 @@ 'otherport' => 'other Port', 'our donors' => 'Our donors', 'out' => 'Out', +'outdated installation warning' => 'This IPFire installation is outdated, which is a security risk. Please check for and install updates as soon as possible.', 'outgoing' => 'outgoing', 'outgoing compression in bytes per second' => 'Outgoing compression', 'outgoing firewall' => 'Outgoing Firewall',
Hello,
On 15 Jan 2022, at 09:15, Peter Müller peter.mueller@ipfire.org wrote:
At the time of writing, Fireinfo reports more 51.67% of all installations reporting back to us are running at least two Core Updates older than the latest one.
While I doubt we can expect our userbase to patch their systems within 24 hours (which is the recommended timespan given for critical infrastructures by multiple CERTs), if they the last Core Update was installed more than 90 days ago, we can safely consider the system in question being outdated and insecure.
Therefore, this patch displays a warning on index.cgi, in addition to the "an update is available" message - in the hope to nudge people to keep their IPFire machines up to date.
I am not sure whether it is a good idea to have this in addition. I would prefer a highlighted message if someone is more than one update behind. There should be a difference between:
Hey, we just wanted to let you know that a new update is available.
And:
Dude, you really need to make sure your system is up to date.
I understand that 90 days sounds long, but considering that we take up to 60 days between releases, this only leaves you with 30 days. Is that really what you are going for here?
-Michael
Signed-off-by: Peter Müller peter.mueller@ipfire.org
html/cgi-bin/index.cgi | 10 +++++++++- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 2b7ccdb0f..fbd656988 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -541,6 +541,14 @@ if ( ! -e "/var/ipfire/main/send_profile") { $warnmessage .= "<li><a style='color: white;' href='fireinfo.cgi'>$Lang::tr{'fireinfo please enable'}</a></li>"; }
+# Running on likely outdated Core Update (last update was more than 90 days ago) +my ($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat "/opt/pakfire/db/core/mine"; +my $core_update_age = time() - $mtime;
+if ( "$core_update_age" > "7776000" ) {
- $warnmessage .= "<li>$Lang::tr{'outdated installation warning'}</li>";
+}
# EOL architecture my ($sysname, $nodename, $release, $version, $machine) = &POSIX::uname(); if ($machine =~ m/^i.86$/) { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c81b28fea..2ae0f948c 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1878,6 +1878,7 @@ 'otherport' => 'Anderer Port', 'our donors' => 'Unsere Unterstützer', 'out' => 'Aus', +'outdated installation warning' => 'Diese IPFire-Installation ist veraltet, was ein Sicherheitsrisiko darstellt. Bitte aktualisieren Sie das System schnellstmöglich.', 'outgoing' => 'ausgehend', 'outgoing compression in bytes per second' => 'Abgehende Kompression', 'outgoing firewall' => 'Ausgehende Firewall', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 2f7038fb1..8d1eb3e2d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1914,6 +1914,7 @@ 'otherport' => 'other Port', 'our donors' => 'Our donors', 'out' => 'Out', +'outdated installation warning' => 'This IPFire installation is outdated, which is a security risk. Please check for and install updates as soon as possible.', 'outgoing' => 'outgoing', 'outgoing compression in bytes per second' => 'Outgoing compression', 'outgoing firewall' => 'Outgoing Firewall', -- 2.31.1
Hello Michael,
thanks for your reply.
Yes, differentiating the update message is a good idea - in terms of UX, it is probably the better one.
And yes, 90 days are fine for me. On the one hand, this nudges us to release updates faster, and on the other hand, we can expect users to respond to a new update within a month. Sure, there are maintenance windows and things like that in corporate environments, but if they cannot react to a security-relevant update within 30 days, perhaps they should ask themselves if their internal procedures are still suited for today's threat landscape.
Thanks, and best regards, Peter Müller
Hello,
On 15 Jan 2022, at 09:15, Peter Müller peter.mueller@ipfire.org wrote:
At the time of writing, Fireinfo reports more 51.67% of all installations reporting back to us are running at least two Core Updates older than the latest one.
While I doubt we can expect our userbase to patch their systems within 24 hours (which is the recommended timespan given for critical infrastructures by multiple CERTs), if they the last Core Update was installed more than 90 days ago, we can safely consider the system in question being outdated and insecure.
Therefore, this patch displays a warning on index.cgi, in addition to the "an update is available" message - in the hope to nudge people to keep their IPFire machines up to date.
I am not sure whether it is a good idea to have this in addition. I would prefer a highlighted message if someone is more than one update behind. There should be a difference between:
Hey, we just wanted to let you know that a new update is available.
And:
Dude, you really need to make sure your system is up to date.
I understand that 90 days sounds long, but considering that we take up to 60 days between releases, this only leaves you with 30 days. Is that really what you are going for here?
-Michael
Signed-off-by: Peter Müller peter.mueller@ipfire.org
html/cgi-bin/index.cgi | 10 +++++++++- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 2b7ccdb0f..fbd656988 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -541,6 +541,14 @@ if ( ! -e "/var/ipfire/main/send_profile") { $warnmessage .= "<li><a style='color: white;' href='fireinfo.cgi'>$Lang::tr{'fireinfo please enable'}</a></li>"; }
+# Running on likely outdated Core Update (last update was more than 90 days ago) +my ($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat "/opt/pakfire/db/core/mine"; +my $core_update_age = time() - $mtime;
+if ( "$core_update_age" > "7776000" ) {
- $warnmessage .= "<li>$Lang::tr{'outdated installation warning'}</li>";
+}
# EOL architecture my ($sysname, $nodename, $release, $version, $machine) = &POSIX::uname(); if ($machine =~ m/^i.86$/) { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c81b28fea..2ae0f948c 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1878,6 +1878,7 @@ 'otherport' => 'Anderer Port', 'our donors' => 'Unsere Unterstützer', 'out' => 'Aus', +'outdated installation warning' => 'Diese IPFire-Installation ist veraltet, was ein Sicherheitsrisiko darstellt. Bitte aktualisieren Sie das System schnellstmöglich.', 'outgoing' => 'ausgehend', 'outgoing compression in bytes per second' => 'Abgehende Kompression', 'outgoing firewall' => 'Ausgehende Firewall', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 2f7038fb1..8d1eb3e2d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1914,6 +1914,7 @@ 'otherport' => 'other Port', 'our donors' => 'Our donors', 'out' => 'Out', +'outdated installation warning' => 'This IPFire installation is outdated, which is a security risk. Please check for and install updates as soon as possible.', 'outgoing' => 'outgoing', 'outgoing compression in bytes per second' => 'Outgoing compression', 'outgoing firewall' => 'Outgoing Firewall', -- 2.31.1
Hello,
On 18 Jan 2022, at 21:21, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thanks for your reply.
Yes, differentiating the update message is a good idea - in terms of UX, it is probably the better one.
And yes, 90 days are fine for me. On the one hand, this nudges us to release updates faster,
I am not against this, but I am afraid that we will create false panic here for some users.
We might send the message “IPFire is not secure any more” which is not what I would want. It isn’t strictly true.
Then there is this disaster that clamav does when they have a message that starts with the words “DON’T PANIC”. People *of course* do panic because of that. It probably creates the opposite of what you want: It destroys trust in the software.
For that reason I would like to be very very *very* careful about this.
and on the other hand, we can expect users to respond to a new update within a month. Sure, there are maintenance windows and things like that in corporate environments, but if they cannot react to a security-relevant update within 30 days, perhaps they should ask themselves if their internal procedures are still suited for today's threat landscape.
We do not “market” every update as an urgent security release. We have lots of them leading with the words “bug fixes and feature enhancements”.
I know that many people do a tick-tock kind of upgrade policy. Install an update, skip the next one. That is just to keep labour time down which I wouldn’t totally disagree with.
-Michael
Thanks, and best regards, Peter Müller
Hello,
On 15 Jan 2022, at 09:15, Peter Müller peter.mueller@ipfire.org wrote:
At the time of writing, Fireinfo reports more 51.67% of all installations reporting back to us are running at least two Core Updates older than the latest one.
While I doubt we can expect our userbase to patch their systems within 24 hours (which is the recommended timespan given for critical infrastructures by multiple CERTs), if they the last Core Update was installed more than 90 days ago, we can safely consider the system in question being outdated and insecure.
Therefore, this patch displays a warning on index.cgi, in addition to the "an update is available" message - in the hope to nudge people to keep their IPFire machines up to date.
I am not sure whether it is a good idea to have this in addition. I would prefer a highlighted message if someone is more than one update behind. There should be a difference between:
Hey, we just wanted to let you know that a new update is available.
And:
Dude, you really need to make sure your system is up to date.
I understand that 90 days sounds long, but considering that we take up to 60 days between releases, this only leaves you with 30 days. Is that really what you are going for here?
-Michael
Signed-off-by: Peter Müller peter.mueller@ipfire.org
html/cgi-bin/index.cgi | 10 +++++++++- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 2b7ccdb0f..fbd656988 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -541,6 +541,14 @@ if ( ! -e "/var/ipfire/main/send_profile") { $warnmessage .= "<li><a style='color: white;' href='fireinfo.cgi'>$Lang::tr{'fireinfo please enable'}</a></li>"; }
+# Running on likely outdated Core Update (last update was more than 90 days ago) +my ($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat "/opt/pakfire/db/core/mine"; +my $core_update_age = time() - $mtime;
+if ( "$core_update_age" > "7776000" ) {
- $warnmessage .= "<li>$Lang::tr{'outdated installation warning'}</li>";
+}
# EOL architecture my ($sysname, $nodename, $release, $version, $machine) = &POSIX::uname(); if ($machine =~ m/^i.86$/) { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c81b28fea..2ae0f948c 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1878,6 +1878,7 @@ 'otherport' => 'Anderer Port', 'our donors' => 'Unsere Unterstützer', 'out' => 'Aus', +'outdated installation warning' => 'Diese IPFire-Installation ist veraltet, was ein Sicherheitsrisiko darstellt. Bitte aktualisieren Sie das System schnellstmöglich.', 'outgoing' => 'ausgehend', 'outgoing compression in bytes per second' => 'Abgehende Kompression', 'outgoing firewall' => 'Ausgehende Firewall', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 2f7038fb1..8d1eb3e2d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1914,6 +1914,7 @@ 'otherport' => 'other Port', 'our donors' => 'Our donors', 'out' => 'Out', +'outdated installation warning' => 'This IPFire installation is outdated, which is a security risk. Please check for and install updates as soon as possible.', 'outgoing' => 'outgoing', 'outgoing compression in bytes per second' => 'Outgoing compression', 'outgoing firewall' => 'Outgoing Firewall', -- 2.31.1
-
Bernhard Bitsch -
Michael Tremer -
Peter Müller