Thanks NTGR. Not.
So there we have it. NTGR released ReadyNAS OS 6.10.7. In case you’re interested in what’s in there, abandon all hope. No mention of any specific fixes except an ominous reference to “fixed security vulnerabilities”.
Now that’s what I call customer support. Not. But it gets worse. As you may recall, the package repositories for the ReadyNAS systems have been broken for months. But if you were hoping that NTGR would fix the repo along with the new release, you were hoping in vain. Granted, the new firmware includes fixed samba packages, as can be easily verified:
root@rnultra6:~# dpkg -l | grep samba
ii samba 2:4.8.0-12.netgear5 amd64 (...)
ii samba-common 2:4.8.0-12.netgear5 all (...)
ii samba-common-bin 2:4.8.0-12.netgear5 amd64 (...)
ii samba-libs:amd64 2:4.8.0-12.netgear5 amd64 (...)
ii samba-vfs-modules 2:4.8.0-12.netgear5 amd64 (...)
ii samba4-clients 2:4.8.0-12.netgear5 amd64 (...)
But checking the online repository I was shocked to find this:
root@rnultra6:~# apt policy samba-common
samba-common:
Installed: 2:4.8.0-12.netgear5
Candidate: 2:4.8.0-12.netgear5
Version table:
*** 2:4.8.0-12.netgear5 100
100 /var/lib/dpkg/status
2:4.8.0-12.netgear4 900
900 https://apt.readynas.com/packages/readynasos 6.10.7/main amd64 Packages
2:4.8.0-12.netgear3 900
900 https://apt.readynas.com/packages/readynasos 6.10.7/main amd64 Packages
2:4.8.0-12.netgear2 900
900 https://apt.readynas.com/packages/readynasos 6.10.7/main amd64 Packages
2:4.2.14+dfsg-0+deb8u13 500
500 http://security.debian.org jessie/updates/main amd64 Packages
2:4.2.14+dfsg-0+deb8u9 500
500 http://mirrors.kernel.org/debian jessie/main amd64 Packages
Would you believe it? They still have the broken versions in the repo although they obviously built new ones for the 6.10.7 release. Something’s definitely amiss at NTGR’s quality assurance.
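An added example, not part of the original post: a small Python parser for `apt policy` output that reports packages whose installed version is offered by no repository, which is the state shown above for samba-common. The function names are illustrative, and the sample is the post's own output, abbreviated.

```python
DPKG_STATUS = "/var/lib/dpkg/status"

# The post's `apt policy samba-common` output, abbreviated. Indentation is
# restored here as an assumption; the parser does not depend on it.
SAMPLE = """\
samba-common:
  Installed: 2:4.8.0-12.netgear5
  Candidate: 2:4.8.0-12.netgear5
  Version table:
 *** 2:4.8.0-12.netgear5 100
        100 /var/lib/dpkg/status
     2:4.8.0-12.netgear4 900
        900 https://apt.readynas.com/packages/readynasos 6.10.7/main amd64 Packages
"""

def parse_policy(text):
    """Parse `apt policy` output into {pkg: {"installed": v, "table": {v: [sources]}}}."""
    pkgs, cur, ver = {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if len(tok) == 1 and tok[0].endswith(":"):   # package header, "samba-common:"
            cur = pkgs.setdefault(tok[0][:-1], {"installed": None, "table": {}})
            ver = None
        elif cur is None or tok[0] in ("Candidate:", "Version"):
            continue
        elif tok[0] == "Installed:":
            cur["installed"] = tok[1]
        else:
            if tok[0] == "***":                      # marks the installed version
                tok = tok[1:]
            if not tok:
                continue
            # Source lines read "<priority> <path or URL> ..."; version lines "<version> <priority>".
            is_source = len(tok) >= 2 and tok[0].isdigit() and (
                tok[1].startswith("/") or "://" in tok[1])
            if is_source and ver is not None:
                cur["table"][ver].append(" ".join(tok[1:]))
            elif not is_source:
                ver = tok[0]
                cur["table"].setdefault(ver, [])
    return pkgs

def installed_not_in_repo(pkgs):
    """Packages whose installed version is listed only in the local dpkg status file."""
    return [(name, info["installed"]) for name, info in pkgs.items()
            if info["installed"] not in (None, "(none)")
            and all(s == DPKG_STATUS for s in info["table"].get(info["installed"], []))]

if __name__ == "__main__":
    print(installed_not_in_repo(parse_policy(SAMPLE)))
```

On a live system the same functions can be fed the text of `apt policy <package>` for each installed package.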
What also didn’t make it
Also not included in the new firmware are:
- a fix for the problem with newer LetsEncrypt certificates
- an updated version of OpenSSH to finally support Ed25519 keys
- an updated version of OpenSSL to allow for TLSv1.3 usage in Apache
- and finally an updated version of Apache as well
And of course the base OS is still stuck at Debian Jessie. That’s version 8 while Debian is already at 11 (Bullseye), preparing 12. Considering how easy it would be to upgrade the reduced set of packages to make the base OS use a newer release of Debian, this is pure neglect.
To sum it up: It’s more than time that NTGR releases the missing parts of the ReadyNAS OS to the Open Source community. They’re not making any notable profit off the hardware anymore anyway. But they could ensure that the existing boxes can live on for another decade or so. It’s not like they’d be cannibalizing their own market by handing over the firmware to the community.