Is it safe to use the Debian internal update mechanism, i.e. aptitude to update the system or should I wait for the offcial OS6 releases? Some packets are updated much faster by Debian than by Netgear which can be critical in case of security issues. Is there any Netgear stand on that?
If you break things you may be denied support. Though I can understand if you forward ports to your NAS why you might want to install fixes for security issues ASAP.
We do have beta releases sometimes and from time to time will add some security fixes to our repo before providing firmware updates.
I know if I screw things up using ssh I'll be left on my own. Fair enough. On the other hand, I don't think beta releases are solutions to security issues. Beta is by definition a (still) buggy piece of software and usually comes late. As for the repo, what repo are you reffereing to? I've found in /etc/apt/sources.list a link to
deb http://apt.readynas.com/packages/readynasos 6.2.2 updates apps main
so it seems there's indeed a repo with Netgear's updates. They aren't installed automatically so I need to use aptitude. But if I break anything with aptitude I'll be denied support. Conclusion: the repo is useless. There's of course a total solution to any security issue: to not expose a nas to internet. But what's the point in having it and not being able to access it from WAN? I intentionally skip the VPN (which I actually use to access my nas) because it's a solution for a very limited number of users (I mean people wanting to connect to nas, not nas owners) - it's not possible to generate keys for everyone and share them in a secure way. My point is: Netgear should address the security issues in OS releases as it does now, but in case of emergency the updated packages should be in the Netgear's repo and people should be acually encouraged to use it to keep their nases as safe as possible. It could be via ssh or - if Netgear doesn't want ordinary users to use ssh - via web interface, e.g. two buttons: search for the os new release and search for the updates. The former would search for what it says, the latter would search for updated packages in the repo and install them.
Jarkod, I think that beta releases have been an effective way to push security updates, since many users here don't have any linux skills, and would have trouble manually installing security patches. Though the idea of pushing targeted security patches (similar to windows update) would be a good alternative - and many users do shy away from betas.
I also think that adding packages quickly to the repo, and posting commands needed to install security updates quickly would also be good.
I'd also like to see some faster way for Netgear to publish CVEs rapidaly - identifying the specific firmware versions that are vulnerable - even if there is no fix yet. Perhaps via this forum, or perhaps an email push.
I agree many people here aren't familiar with linux, especially its command line and that's why I suggested those two buttons in the web UI. But I can't agree betas can be considered as security updates. They aren't meant to be ones.
Using commands to install updates would require ssh or a special field in the web UI to enter them and execute, i.e. something similar to what the alternative routers firmware - ddwrt or tomato - have: an input filed where one can enter a command and an 'execute' button to send them for execution. In my opinion, it'd be too confusing for unexperienced users. The simple 'check for updates' button would do; then a pop-up window listing the available updates and 'yes' and 'no' buttons to answer the question whether to install the updates or not.
My point was that rapid deployment of a fix for a new attack is critical. A Netgear wrapper for a security fix delays the process, and some people don't need it. So Netgear should do both - provide instructions for advanced users to fix it immediately, and when the update package is ready release the fix for general use.
Also, free support should always be provided when a security patch fails to install properly.
