Generally: Outdated Package Repos. Specifically: syncthing

Rexcellent · 2024-04-05T19:01:46.424Z

Hello GL.iNet Forum,

Rexcellent here. New to the GL.iNet community but not new to OpenWRT. This is probably not a new topic, and I know that many package repositories suffer from outdated package versions, but I was wondering if GL.iNet has a way of marking packages that need to be updated?

Specifically, I’m a big fan of syncthing and it worked wonderfully on my new GL-MT3000 Beryl AX while on vacation. I wanted to update syncthing to the latest version 1.27 in order to address CVE-2022-46165. After downloading the package list from an “opkg update” command, I noticed that syncthing was at version 1.18.

The good news is, I was able to get syncthing 1.27 working on my Beryl AX, but it was not as “elegant” as enabling it through the GL.iNet Admin Panel (btw: I upgraded to firmware 4.6 just to try it out)

For a company that uses OpenWRT and sells products based on the notion of open-source software and security, I think it would be a nice touch to be able to identify out of date packages.

In any event, I am very satisfied with my Beryl AX, and I look forward to discovering the different things I can do with this handy device. Please keep up the good work.

Thank you for your attention.

snoopy · 2024-04-07T06:51:02.518Z

I’d love to see a focus more on security by making it simple to update out of date packages, especially ones with known vunlerabilities.

admon · 2024-04-07T09:48:00.722Z

The main problem is that OpenWrt 21.x is EOL, so there are no new packages - if nobody backport them. You can always try to install newer packages, but this will often fail because the main OS version changed.

So I don’t think this problem can be resolved soon, at least not as long as the base OS isn’t the newest OpenWrt.