Thread: Keeping up with security fixes

Keeping up with security fixes

"Karl O. Pinc"

What is the expected method for keeping PgAdmin4 up-to-date?

I very much like the idea of using a package repo and automatically
periodically installing from the repo.  But will the repo for
whatever OS contain the latest release until the OS is out of
support?  And will this automatically break things because
of a backwards-incompatible new PgAdmin4 release?

I'm not finding any statements of policy anywhere.

Another approach would be a method that pushes just PgAdmin4 security
announcements (or whatever else I need to know to keep up-to-date).
I'm sure this list does that, but also contains lots of other
unrelated information.  Having to sift through messages means
I might make a mistake and miss something important.

Thanks for the help.


Karl <>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

Re: Keeping up with security fixes

Dave Page

On Wed, 18 Oct 2023 at 23:07, Karl O. Pinc <> wrote:

> What is the expected method for keeping PgAdmin4 up-to-date?

It depends on the platform and where you get your packages from. For packages from (which are actually downloaded from, there is a "nag message" that is displayed upon startup/login if a new version is available. This can be reconfigured/overridden by other package maintainers using the three options below (they would typically be overridden in

# Check for new versions of the application?

# Where should we get the data from?

# What key should we look at in the upgrade data file?
UPGRADE_CHECK_KEY = 'pgadmin4'

Additionally, the package managers for RPM/DEB packages should also be able to tell you when a new version is available, e.g. using "yum check-update" or GUI tools that do the same.

> I very much like the idea of using a package repo and automatically
> periodically installing from the repo.  But will the repo for
> whatever OS contain the latest release until the OS is out of
> support?  And will this automatically break things because
> of a backwards-incompatible new PgAdmin4 release?

The repos will be updated with the latest versions of pgAdmin for as long as the OS version is in support. Once it's out of support, we generally do one final release, before freezing that repo. Releases should always be forwards-compatible, and we aim (but do not guarantee) to keep them backwards compatible as well. However, the configuration database is backed up prior to being updated in modern releases, so you should always be able to roll back to an earlier release.

On very rare occasions we are forced to drop support for very long-lived OS releases before they go EOL. This is usually because they have a very old version of Python, and required libraries in the Python ecosystem have dropped support for that version of Python. We try very hard not to do this, but sometimes it's just not feasible for us to continue. IIRC, this happened with RHEL/CentOS 7, and Ubuntu 16.04 and 18.04.

> I'm not finding any statements of policy anywhere.

Yes, I will try to find some time to correct that.

> Another approach would be a method that pushes just PgAdmin4 security
> announcements (or whatever else I need to know to keep up-to-date).
> I'm sure this list does that, but also contains lots of other
> unrelated information.  Having to sift through messages means
> I might make a mistake and miss something important.

We do send all release notices to this list (and the -hackers list). They also go to which may be easier for you as it's pretty low traffic, and you can select what categories of announcements you want to see to further limit it.

Another option (if you want to get low-level and build something yourself) is to write a simple script that pulls every day or so. The 'pgadmin4' key lists the current version of pgAdmin that has been released on You could then take the version number to generate the release notes URL on the website, e.g. (replacing the 7.8 and 7_8 as needed).


Re: Keeping up with security fixes

"Karl O. Pinc"
On Mon, 23 Oct 2023 10:43:05 +0100
Dave Page <> wrote:
> On Wed, 18 Oct 2023 at 23:07, Karl O. Pinc <> wrote:
> > What is the expected method for keeping PgAdmin4 up-to-date?
> >  
> It depends on the platform and where you get your packages from.

Thank you very much for your thorough reply.

I decided to not use the OS-level packages because, at
least for my platform, the package requires apache.  That
overly constrains me.

So I used with Python packaging and virtual environments.

I test for updates by comparing the installed package version
with the version available at pypi.  Basically (korn shell):

  [ "$(curl -s \
         | jq --raw-output .info.version)" \
     = "$(/srv/venvs/pgadmin4/bin/pip list \
            | awk '{if ($1 == "pgadmin4") print $2;}')" ]

If you see any flaws in this approach I'd appreciate your comments.
(I'm not entirely sure how the pypi API deals with reporting development
versions.  And there might be other problems as well.)

Thanks again for the help.


Karl <>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
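An added example (not part of this thread, and not pgAdmin's own code) that puts Dave's "simple script" idea and Karl's version-comparison check together in Python, and addresses Karl's open question about development versions: instead of a plain string equality test, it parses both version strings into sortable keys so a locally installed dev or rc build is reported as "ahead" rather than as "out of date". The feed sample is constructed here, and the inner 'version' field name under the 'pgadmin4' key is an assumption; a real deployment would fetch the upstream feed and read the installed version from pip instead of passing strings in.

```python
import json
import re
from typing import Tuple

# Constructed sample of an upstream version feed in the shape Dave describes
# (a 'pgadmin4' key giving the current released version). The inner 'version'
# field name is an assumption for this example, not taken from the real feed.
SAMPLE_VERSIONS_JSON = '{"pgadmin4": {"version": "7.8"}}'

# Final releases such as "7.8" plus optional dev/a/b/rc suffixes as PyPI may
# report them, e.g. "7.9.dev0" or "7.8rc1".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\.?(dev|a|b|rc)(\d*))?$")

# Pre-release ranking; a final release (rank 4) sorts above any pre-release
# of the same release numbers.
_PRE_ORDER = {"dev": 0, "a": 1, "b": 2, "rc": 3}
_FINAL_RANK = 4


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn a version string into a sortable (release, pre-rank, pre-number) key."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    # Normalise trailing zeros so that "7.8.0" compares equal to "7.8".
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    if m.group(2) is None:
        return release, _FINAL_RANK, 0
    return release, _PRE_ORDER[m.group(2)], int(m.group(3) or 0)


def upstream_version(versions_json: str) -> str:
    """Read the current released version out of the feed text ('pgadmin4' key)."""
    return json.loads(versions_json)["pgadmin4"]["version"]


def classify(installed: str, upstream: str) -> str:
    """Return 'update-available', 'current' or 'ahead' (installed is newer)."""
    i, u = parse_version(installed), parse_version(upstream)
    if i < u:
        return "update-available"
    return "current" if i == u else "ahead"


def check(installed: str, versions_json: str = SAMPLE_VERSIONS_JSON) -> str:
    """Compare an installed version string against the feed's released version."""
    return classify(installed, upstream_version(versions_json))


if __name__ == "__main__":
    for installed in ("7.7", "7.8", "7.8.0", "7.8rc1", "7.9.dev0"):
        print(f"{installed:>9} -> {check(installed)}")
```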