index.cgi: Display a warning if the last Core Update was installed more than 90 days ago

Message ID 9e7f86f1-3db1-cdab-f246-a786fde22c79@ipfire.org
State New

Commit Message

Peter Müller Jan. 15, 2022, 9:15 a.m. UTC
At the time of writing, Fireinfo reports more 51.67% of all
installations reporting back to us are running at least two Core Updates
older than the latest one.

While I doubt we can expect our userbase to patch their systems within
24 hours (which is the recommended timespan given for critical
infrastructures by multiple CERTs), if the last Core Update was
installed more than 90 days ago, we can safely consider the system in
question being outdated and insecure.

Therefore, this patch displays a warning on index.cgi, in addition to
the "an update is available" message - in the hope to nudge people to
keep their IPFire machines up to date.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 html/cgi-bin/index.cgi | 10 +++++++++-
 langs/de/cgi-bin/de.pl |  1 +
 langs/en/cgi-bin/en.pl |  1 +
 3 files changed, 11 insertions(+), 1 deletion(-)

Comments

Bernhard Bitsch Jan. 16, 2022, 9:42 a.m. UTC | #1
Acked-by: Bernhard Bitsch <bbitsch@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>


Michael Tremer Jan. 16, 2022, 2:52 p.m. UTC | #2
Hello,

> On 15 Jan 2022, at 09:15, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> At the time of writing, Fireinfo reports more 51.67% of all
> installations reporting back to us are running at least two Core Updates
> older than the latest one.
> 
> While I doubt we can expect our userbase to patch their systems within
> 24 hours (which is the recommended timespan given for critical
> infrastructures by multiple CERTs), if the last Core Update was
> installed more than 90 days ago, we can safely consider the system in
> question being outdated and insecure.
> 
> Therefore, this patch displays a warning on index.cgi, in addition to
> the "an update is available" message - in the hope to nudge people to
> keep their IPFire machines up to date.

I am not sure whether it is a good idea to have this in addition. I would prefer a highlighted message if someone is more than one update behind. There should be a difference between:

  Hey, we just wanted to let you know that a new update is available.

And:

  Dude, you really need to make sure your system is up to date.

I understand that 90 days sounds long, but considering that we take up to 60 days between releases, this only leaves you with 30 days. Is that really what you are going for here?

-Michael

Peter Müller Jan. 18, 2022, 9:21 p.m. UTC | #3
Hello Michael,

thanks for your reply.

Yes, differentiating the update message is a good idea - in terms of UX, it is probably
the better one.

And yes, 90 days are fine for me. On the one hand, this nudges us to release updates faster,
and on the other hand, we can expect users to respond to a new update within a month. Sure,
there are maintenance windows and things like that in corporate environments, but if they
cannot react to a security-relevant update within 30 days, perhaps they should ask themselves
if their internal procedures are still suited for today's threat landscape.

Thanks, and best regards,
Peter Müller


Michael Tremer Jan. 19, 2022, 8:22 a.m. UTC | #4
Hello,

> On 18 Jan 2022, at 21:21, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for your reply.
> 
> Yes, differentiating the update message is a good idea - in terms of UX, it is probably
> the better one.
> 
> And yes, 90 days are fine for me. On the one hand, this nudges us to release updates faster,

I am not against this, but I am afraid that we will create false panic here for some users.

We might send the message “IPFire is not secure any more” which is not what I would want. It isn’t strictly true.

Then there is this disaster that clamav does when they have a message that starts with the words “DON’T PANIC”. People *of course* do panic because of that. It probably creates the opposite of what you want: It destroys trust in the software.

For that reason I would like to be very very *very* careful about this.

> and on the other hand, we can expect users to respond to a new update within a month. Sure,
> there are maintenance windows and things like that in corporate environments, but if they
> cannot react to a security-relevant update within 30 days, perhaps they should ask themselves
> if their internal procedures are still suited for today's threat landscape.

We do not “market” every update as an urgent security release. We have lots of them leading with the words “bug fixes and feature enhancements”.

I know that many people do a tick-tock kind of upgrade policy. Install an update, skip the next one. That is just to keep labour time down which I wouldn’t totally disagree with.

-Michael


Patch

diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi
index 2b7ccdb0f..fbd656988 100644
--- a/html/cgi-bin/index.cgi
+++ b/html/cgi-bin/index.cgi
@@ -2,7 +2,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2014  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -541,6 +541,14 @@  if ( ! -e "/var/ipfire/main/send_profile") {
 	$warnmessage .= "<li><a style='color: white;' href='fireinfo.cgi'>$Lang::tr{'fireinfo please enable'}</a></li>";
 }
 
+# Running on likely outdated Core Update (last update was more than 90 days ago)
+my ($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat "/opt/pakfire/db/core/mine";
+my $core_update_age = time() - $mtime;
+
+if ( "$core_update_age" > "7776000" ) {
+	$warnmessage .= "<li>$Lang::tr{'outdated installation warning'}</li>";
+}
+
 # EOL architecture
 my ($sysname, $nodename, $release, $version, $machine) = &POSIX::uname();
 if ($machine =~ m/^i.86$/) {
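Review bot: The result of `stat "/opt/pakfire/db/core/mine"` is never checked, so when that file is missing `$mtime` is undefined, `time() - $mtime` evaluates to the full epoch time, and the outdated warning is shown on every page load. Test that `stat` returned a non-empty list (or guard with `-e`) before computing the age, and decide explicitly what a missing file should mean. Two smaller points in the same lines: only `$mtime` is used, so `(stat(...))[9]` avoids declaring thirteen file-scope lexicals, and the comparison `"$core_update_age" > "7776000"` quotes both numeric operands; `$core_update_age > 90 * 24 * 60 * 60` is numeric and shows where the 90 days come from.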
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index c81b28fea..2ae0f948c 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1878,6 +1878,7 @@ 
 'otherport' => 'Anderer Port',
 'our donors' => 'Unsere Unterstützer',
 'out' => 'Aus',
+'outdated installation warning' => 'Diese IPFire-Installation ist veraltet, was ein Sicherheitsrisiko darstellt. Bitte aktualisieren Sie das System schnellstmöglich.',
 'outgoing' => 'ausgehend',
 'outgoing compression in bytes per second' => 'Abgehende Kompression',
 'outgoing firewall' => 'Ausgehende Firewall',
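Review bot: The German string added for 'outdated installation warning' ends with "Bitte aktualisieren Sie das System schnellstmöglich", which asks the user to update the system, while the English string added in en.pl asks them to "check for and install updates". Align the two so both languages give the same instruction.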
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 2f7038fb1..8d1eb3e2d 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1914,6 +1914,7 @@ 
 'otherport' => 'other Port',
 'our donors' => 'Our donors',
 'out' => 'Out',
+'outdated installation warning' => 'This IPFire installation is outdated, which is a security risk. Please check for and install updates as soon as possible.',
 'outgoing' => 'outgoing',
 'outgoing compression in bytes per second' => 'Outgoing compression',
 'outgoing firewall' => 'Outgoing Firewall',
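Review bot: The new 'outdated installation warning' text states that the installation "is outdated, which is a security risk", but the condition in index.cgi that triggers it only measures the time since `/opt/pakfire/db/core/mine` was last modified, not whether a newer Core Update exists. Either word the message in terms of what is actually checked (no Core Update installed for more than 90 days) or make the condition also depend on an available update, so the text cannot be shown on a system that is on the latest release.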