Re: Keeping up with security fixes

From: Dave Page <dpage(at)pgadmin(dot)org>
To: "Karl O(dot) Pinc" <kop(at)karlpinc(dot)com>
Cc: pgadmin-support(at)lists(dot)postgresql(dot)org
Subject: Re: Keeping up with security fixes
Date: 2023-10-23 09:43:05
Message-ID: CA+OCxoz8ZkpfAbJPvE-JfLF4MG_e=n-HYAPEPS8y5WUGhF5JMw@mail.gmail.com
Lists: pgadmin-support

Hi

On Wed, 18 Oct 2023 at 23:07, Karl O. Pinc <kop(at)karlpinc(dot)com> wrote:

> Hi,
>
> What is the expected method for keeping PgAdmin4 up-to-date?
>

It depends on the platform and where you get your packages from. For
packages from pgadmin.org (which are actually downloaded from postgresql.org)
there is a "nag message" that is displayed upon startup/login if a new
version is available. This can be reconfigured/overridden by other package
maintainers using the three config.py options below (they would typically
be overridden in config_distro.py):

# Check for new versions of the application?
UPGRADE_CHECK_ENABLED = True
# Where should we get the data from?
UPGRADE_CHECK_URL = 'https://www.pgadmin.org/versions.json'
# What key should we look at in the upgrade data file?
UPGRADE_CHECK_KEY = 'pgadmin4'

Additionally, the package managers for RPM/DEB packages should also be able
to tell you when a new version is available, e.g. using "yum check-update"
or GUI tools that do the same.

>
> I very much like the idea of using a package repo and automatically
> periodically installing from the repo. But will the repo for
> whatever OS contain the latest release until the OS is out of
> support? And will this automatically break things because
> of a backwards-incompatible new PgAdmin4 release?
>

The pgadmin.org repos will be updated with the latest versions of pgAdmin
for as long as the OS version is in support. Once it's out of support, we
generally do one final release, before freezing that repo. Releases should
always be forwards-compatible, and we aim (but do not guarantee) to keep
them backwards compatible as well. However, the configuration database is
backed up prior to being updated in modern releases, so you should always
be able to roll back to an earlier release.

On very rare occasions we are forced to drop support for very long-lived OS
releases before they go EOL. This is usually because they have a very old
version of Python, and required libraries in the Python ecosystem have
dropped support for that version of Python. We try very hard not to do
this, but sometimes it's just not feasible for us to continue. IIRC, this
happened with RHEL/CentOS 7, and Ubuntu 16.04 and 18.04.

>
> I'm not finding any statements of policy anywhere.
>

Yes, I will try to find some time to correct that.

>
> Another approach would be a method that pushes just PgAdmin4 security
> announcements (or whatever else I need to know to keep up-to-date).
> I'm sure this list does that, but also contains lots of other
> unrelated information. Having to sift through messages means
> I might make a mistake and miss something important.
>

We do send all release notices to this list (and the -hackers list). They
also go to pgsql-announce(at)postgresql(dot)org which may be easier for you as
it's pretty low traffic, and you can select what categories of
announcements you want to see to further limit it.

Another option (if you want to get low-level and build something yourself)
is to write a simple script that pulls https://www.pgadmin.org/versions.json
every day or so. The 'pgadmin4' key lists the current version of pgAdmin
that has been released on pgadmin.org. You could then take the version
number to generate the release notes URL on the website, e.g.
https://www.pgadmin.org/docs/pgadmin4/7.8/release_notes_7_8.html (replacing
the 7.8 and 7_8 as needed).

--
Dave Page
pgAdmin: https://www.pgadmin.org
PostgreSQL: https://www.postgresql.org
EDB: https://www.enterprisedb.com
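A polling script of the kind Dave describes above, written as an added example that is not from this thread or the pgAdmin project. The 'pgadmin4' key, the versions.json URL and the release-notes URL pattern come from the message; the nested "version" field inside the 'pgadmin4' object is an assumption about the file's layout, and the embedded sample document is constructed so the check runs offline.

```python
"""Poll pgadmin.org's versions.json and report whether a newer pgAdmin release exists.

Added example, not pgAdmin project code. Assumed layout of versions.json:
{"pgadmin4": {"version": "7.8", ...}}; only the 'pgadmin4' key is confirmed by the post.
"""
import json
import re
import urllib.request

UPGRADE_CHECK_URL = "https://www.pgadmin.org/versions.json"
UPGRADE_CHECK_KEY = "pgadmin4"

# Constructed sample standing in for a fetched versions.json (schema assumed, see above).
SAMPLE_VERSIONS_JSON = (
    '{"pgadmin4": {"version": "7.8", "download_url": "https://www.pgadmin.org/download/"}}'
)


def parse_version(text: str) -> tuple:
    """Turn '7.8' or '7.8.1' into a comparable tuple of ints; reject anything else.

    Validating the remote string before it is compared or spliced into a URL means a
    malformed or tampered feed fails loudly instead of producing a bogus link."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def latest_version(versions_json: str, key: str = UPGRADE_CHECK_KEY) -> str:
    """Extract the latest released version string from a versions.json document."""
    version = json.loads(versions_json)[key]["version"]
    parse_version(version)  # validate before returning it for URL construction
    return version


def release_notes_url(version: str) -> str:
    """Build the docs URL, e.g. 7.8 -> .../docs/pgadmin4/7.8/release_notes_7_8.html."""
    parse_version(version)
    return (f"https://www.pgadmin.org/docs/pgadmin4/{version}/"
            f"release_notes_{version.replace('.', '_')}.html")


def check_for_upgrade(installed: str, versions_json: str) -> dict:
    """Compare the installed version against the feed; include the notes URL if outdated."""
    latest = latest_version(versions_json)
    outdated = parse_version(latest) > parse_version(installed)
    return {"installed": installed, "latest": latest, "outdated": outdated,
            "release_notes": release_notes_url(latest) if outdated else None}


def fetch_versions_json(url: str = UPGRADE_CHECK_URL, timeout: float = 10.0) -> str:
    """Download the live feed over HTTPS (used instead of the sample in a daily cron job)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(json.dumps(check_for_upgrade("7.7", SAMPLE_VERSIONS_JSON), indent=2))
```

Run from cron once a day with `fetch_versions_json()` in place of the sample, and send the result to whatever alerting you already use when `outdated` is true.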
