So there we have it. NTGR released ReadyNAS OS 6.10.7. In case you’re interested what’s in there abandon all hope. No mentions of any specific fixes except an ominous reference about “fixed security vulnerabilities”.
Now that’s what I call customer support. Not. But it gets worse. As you may recall the package repositories for the ReadyNAS systems haven been broken for months. But if you were hoping that NTGR would fix the repo along with the new release you were hoping in vain. Granted, the new firmware includes fixed samba packages a can be easily verified:
root@rnultra6:~# dpkg -l | grep samba ii samba 2:4.8.0-12.netgear5 amd64 (...) ii samba-common 2:4.8.0-12.netgear5 all (...) ii samba-common-bin 2:4.8.0-12.netgear5 amd64 (...) ii samba-libs:amd64 2:4.8.0-12.netgear5 amd64 (...) ii samba-vfs-modules 2:4.8.0-12.netgear5 amd64 (...) ii samba4-clients 2:4.8.0-12.netgear5 amd64 (...)
But checking the online repository I was shocked to find this:
root@rnultra6:~# apt policy samba-common samba-common: Installed: 2:4.8.0-12.netgear5 Candidate: 2:4.8.0-12.netgear5 Version table: *** 2:4.8.0-12.netgear5 100 100 /var/lib/dpkg/status 2:4.8.0-12.netgear4 900 900 https://apt.readynas.com/packages/readynasos 6.10.7/main amd64 Packages 2:4.8.0-12.netgear3 900 900 https://apt.readynas.com/packages/readynasos 6.10.7/main amd64 Packages 2:4.8.0-12.netgear2 900 900 https://apt.readynas.com/packages/readynasos 6.10.7/main amd64 Packages 2:4.2.14+dfsg-0+deb8u13 500 500 http://security.debian.org jessie/updates/main amd64 Packages 2:4.2.14+dfsg-0+deb8u9 500 500 http://mirrors.kernel.org/debian jessie/main amd64 Packages
Would you believe it? They still have the broken versions in the repo although they obviously built new ones for the 6.10.7 release. Something’s definitely amiss at NTGR’s quality assurance.
What also didn’t make it
Also not included in the new firmware are
- a fix for the problem with newer LetsEncrypt certificates
- an updated version of OpenSSH to finally support EDD25519 keys
- an updated version of OpenSSL to allow for TLSv1.3 usage in Apache
- and finally an updated version of Apache as well
And of course the base OS is still stuck at Debian Jessie. That’s version 8 while Debian is already at 11 (Bullseye), preparing 12. Considerung how easy it would be to upgrade the reduced set of packages to make the base OS use a newer release of Debian this is pure neglect.
To sum it up: It’s more than time that NTGR releases the missing parts of the ReadyNAS OS to the Open Source community. They’re not making any notable profit off the hardware anymore anyway. But they could ensure that the existing boxes can live on for another decade or so. It’s not like they’d be cannibalizing their own market by handing over the firmware to the community.