Slashdot Mirror


OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes

operator_error notes a report that ownCloud developer Lukas Reschke has emailed the Ubuntu Devel mailing list to request that ownCloud (server) be removed from the Ubuntu repositories because it contains "multiple critical security bugs for which no fixes have been backported," through which an attacker could "gain complete control [of] the web server process." From the article: "However, packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released, that's why the package was removed from Ubuntu 14.10 (2 days before its release) but it's still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2). Furthermore, the ownCloud package is in the universe repository and software in this repository "WILL NOT receive any review or updates from the Ubuntu security team" (you should see this if you take a look at your /etc/apt/sources.list file) so it's up to someone from the Ubuntu community to step up and fix it. "If nobody does that, then it unfortunately stays the way it is", says Marc Deslauriers, Security Tech Lead at Canonical. You can follow the discussion @ Ubuntu Devel mailing list. So, until (if) someone fixes this, if you're using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service."

126 comments

  1. Packages can't be removed? by Anonymous Coward · · Score: 0

    packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released

    This makes no sense. Why can't they be removed? Is no one responsible for administrating the server that the Ubuntu repositories are served from? The article doesn't say.

    1. Re:Packages can't be removed? by Anonymous Coward · · Score: 0, Insightful

      Why would they be removed? Why wouldn't the motherfucking DEVELOPER of the motherfucking PACKAGE back-port a newer version to 12.04 and 14.04, in order to get an updated version of the software into the repository?

      Jesus christ, what a bunch of bitch-ass whiners. Instead of spending the probably 45 minutes it would take to backport the package to Trusty and Precise, this tard wants Ubuntu to break the repo? Fuck him.

    2. Re: Packages can't be removed? by Anonymous Coward · · Score: 5, Insightful

      The developer has fixed the code. They're not responsible for maintaining the repositories of every single distribution out there, that's the job of the package maintainer of the distribution. Problem is, the package maintainer hasn't done their job, the developer has raised concerns, and has asked for it to be pulled until they do their job. It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".

    3. Re: Packages can't be removed? by Anonymous Coward · · Score: 0, Insightful

      They're not responsible for maintaining the repositories of every single distribution out there

      No, they're responsible for maintaining their packages in every repository they wish to add their package to, though. If they want to be part of the Ubuntu repo, rather than hosting their own repository, they play by Ubuntu's rules. Don't like it? Run your own repository.

      It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".

      They can't pull it. Anybody running owncloud can update it through numerous other methods. Somebody else in the Ubuntu community (including the developer) can go fix it and upload a backported, patched version to Ubuntu if they like. This is ridiculous whining by the ownCloud dev, nothing more.

    4. Re: Packages can't be removed? by Gaygirlie · · Score: 3, Informative

      No, they're responsible for maintaining their packages in every repository they wish to add their package to, though. If they want to be part of the Ubuntu repo, rather than hosting their own repository, they play by Ubuntu's rules. Don't like it? Run your own repository.

      They do: http://software.opensuse.org/d...

      They're not the ones maintaining the packages in Ubuntu's repos, that's Ubuntu-folks' own doing.

    5. Re:Packages can't be removed? by HJED · · Score: 1

      Because Ubuntu doesn't allow new major versions to be added to a distro that has already been released.

    6. Re: Packages can't be removed? by pinkushun · · Score: 1

      Even if they did remove it, it will only prevent new installations of that package, it will _not_ remove all those instances already running.

      Think ahead, folks.

    7. Re:Packages can't be removed? by Waffle+Iron · · Score: 2

      Because Ubuntu doesn't allow new major versions to be added to a distro that has already been released.

      Do they allow packages to be renamed? Then changing only 5 bits would rectify the situation.

      If they just leave the code as-is, but change the name from "ownCloud" to "pwnCloud", then the actual functionality of the package would be clear to everyone.

    8. Re: Packages can't be removed? by pavon · · Score: 3, Insightful

      It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".

      The package maintainers didn't say that. This package is in the universe repository. The entire purpose of this repository is that volunteers can upload packages that Canonical has decided they aren't going to support. So Canonical isn't the package maintainer and you can't really blame them for not supporting packages that they said they aren't going to support.

      Furthermore, it sounds like the ownCloud developers want Ubuntu to either use the latest & greatest release, or remove the package entirely. If that is correct, then I think it is irresponsible on the developer's part. Version 7 only came out 3 months ago, so they really ought to be providing security patches for version 6.

    9. Re: Packages can't be removed? by silfen · · Score: 1

      There are lots of things they can do, however: they can upgrade to an empty package, upgrade to a package that requires positive confirmation from the user upon upgrade, or upgrade to a package with a non-existent dependency.

    10. Re: Packages can't be removed? by jrumney · · Score: 1

      The last option would result in the current version remaining on user's machines. If a dependency for an update is not available, apt will hold the package back.

    11. Re: Packages can't be removed? by smash · · Score: 1

      It is up to the package maintainer to backport security fixes if they want them. If they don't want to remove the package fair enough, but they should be popping up copious warnings, and maybe push a package update that alerts via script (even if it doesn't secure the package) that "THIS PACKAGE IS INSECURE AND UNMAINTAINED - it is recommended you deinstall and upgrade via original sources" or similar. This is similar to how FreeBSD ports work.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    12. Re:Packages can't be removed? by smash · · Score: 1

      As I understand it, this package is not part of the official ubuntu distribution, but part of the third party not officially supported packages, so that should not preclude it from being updated.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    13. Re:Packages can't be removed? by GPLHost-Thomas · · Score: 1, Interesting

      Of course it makes sense: this is Ubuntu. When they say "it's from universe", you should understand: "we synced from Debian, and we won't do any more work on the package, as we don't give a shit about what we ship".

      I think it's more than time that everyone understand Ubuntu is not a good fit for running a server, unless you remove nearly all software from it (that is: everything that is "synced from Debian"). So then, why not use Debian in the first place?

    14. Re:Packages can't be removed? by kthreadd · · Score: 1

      The reasons that I often hear are a more reliable release cycle and supported hardware enablement kernels during the first two years of an LTS. But yes, most Ubuntu users do not understand the security ramifications of using packages from the Universe component.

    15. Re:Packages can't be removed? by dbraden · · Score: 1

      That's correct. It's in the "universe" repo, which is community maintained, so it's not Canonical's responsibility to keep it updated. It's up to the package maintainer(s) to back-port security fixes, and I don't think anyone has volunteered to take that on.

    16. Re: Packages can't be removed? by Kjella · · Score: 4, Informative

      The universe repository is not supported by Ubuntu. There are four sections:

      Main - Officially supported software.
      Restricted - Supported software that is not available under a completely free license.
      Universe - Community maintained software, i.e. not officially supported software.
      Multiverse - Software that is not free.

      So someone in the "community" once made an ownCloud package, got it in universe and isn't maintaining it. Ubuntu is saying "that's not ours, you fix it" while the developers are saying "that's not ours, you fix it" and they're both making valid arguments. Ubuntu is saying the quality of the universe packages is what the community makes of it, if it's broken or vulnerable it stays that way until the community provides a fixed version. Otherwise they'd get overrun by lazy packagers who get it into the release repository then orphan it and ditch the maintenance responsibility on Ubuntu. If the developers won't jump through the hoops to fix it then it can't be that important to them.

      The developers of course see it differently, they never asked for their software to be put in this repository. They never broke it, why should they fix it? Clearly they're a victim here. Still, just because you're a victim there might still be a process. If you send an angry mail to YouTube saying "Hey you bastards, stop sharing my video kthxbye" they might redirect you to say here's the report copyright violation form, fill this out and we'll process it and you go "Nuh uh, too much work and I already told you stop so stop already." you won't get far. And Ubuntu is legally in the clear here, if they want to keep shipping that package they can. It's a request, not a demand.

      --
      Live today, because you never know what tomorrow brings
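
Added example, not part of the thread or of any Ubuntu tooling: a shell function that reads `apt-cache policy` output and lists installed packages whose installed version comes from universe or multiverse (the components described in the comment above), plus installed packages that no configured archive carries any more. The package names and version strings in the sample are constructed.

```shell
#!/bin/sh
# Classify installed packages by the archive component they were installed from.
# Input: the text printed by `apt-cache policy <pkg>...` on stdin.
# Output: one "package<TAB>class" line for every package that is
#   - installed from universe or multiverse (no Ubuntu security team coverage), or
#   - installed but present in no configured archive ("no-archive"), which is
#     what an existing install looks like after a package is dropped from a repo.
classify_policy() {
    awk '
    function emit() {
        if (pkg == "" || !installed) return
        if (flag != "")       print pkg "\t" flag
        else if (!in_archive) print pkg "\tno-archive"
    }
    # "name:" at column 0 starts a new package stanza
    /^[^ ].*:$/ {
        emit()
        pkg = substr($0, 1, length($0) - 1)
        installed = 0; cur = 0; flag = ""; in_archive = 0
        next
    }
    /^ \*\*\* /  { installed = 1; cur = 1; next }  # row of the installed version
    /^     [^ ]/ { cur = 0; next }                 # row of some other version
    # deeper-indented rows list where the version above them comes from
    cur && /^      / {
        if ($2 == "/var/lib/dpkg/status") next     # local dpkg database only
        in_archive = 1
        n = split($3, part, "/")                   # e.g. trusty-updates/universe
        if (n > 1 && (part[n] == "universe" || part[n] == "multiverse"))
            flag = part[n]
    }
    END { emit() }
    '
}

# Constructed sample in the layout `apt-cache policy` prints.
sample_policy() {
    cat <<'EOF'
owncloud:
  Installed: 6.0.1-0example1
  Candidate: 6.0.1-0example1
  Version table:
 *** 6.0.1-0example1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status
openssl:
  Installed: 1.0.1-0example2
  Candidate: 1.0.1-0example2
  Version table:
 *** 1.0.1-0example2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1-0example1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
oldtool:
  Installed: 0.9-0example1
  Candidate: 0.9-0example1
  Version table:
 *** 0.9-0example1 0
        100 /var/lib/dpkg/status
EOF
}

# Demo on the constructed sample. On a real system, feed it live data instead:
#   dpkg-query -W -f='${Package}\n' | xargs apt-cache policy | classify_policy
sample_policy | classify_policy
```

Packages installed from main or restricted produce no output, so an empty result means nothing on the host depends on community-only maintenance.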
    17. Re: Packages can't be removed? by Anonymous Coward · · Score: 0

      You really don't have a clue on how ubuntu package development works. OwnCloud is the upstream. Some lame ubuntu developer took it, packaged it and placed it into the universe repository. Owncloud didn't place it there and they are not responsible for it. Somebody else did. Normally a package maintainer tracks changes from upstream and applies them to the package. In this case the package maintainer is a lazy irresponsible POS and isn't doing it.

      How do you make the conclusion that Owncloud is responsible for maintaining the package when someone completely unrelated to owncloud made the decision to place it into the repository and then abandoned it?

      The package maintainer for Owncloud on Ubuntu really shouldn't be packaging internet facing apps if he isn't going to do security updates on them.

    18. Re:Packages can't be removed? by dissy · · Score: 1

      No, because renaming it has the same effects on existing systems. The installed package "ownCloud" is no longer there (by that name) so future usage of apt-get can still break.

      I'm less familiar with Ubuntu specifically but have extensive Debian experience, so can't comment on the Ubuntu policy, but I suspect Ubuntu views this more as removing a package is them breaking package management on existing systems, vs leaving it as is would still be breaking the system due to the vulnerabilities but not Ubuntu's fault (which I still find arguable, but again it's also just my guess)

      Debian stable will also outright refuse to break apt by removing a package, however Debian has a large security patch repo plus a huge backports repo and community - which typically spends their own time back porting patches for newer app versions from the original developers back to older versions the devs stopped patching.

      Many years ago at least Ubuntu still did not have the infrastructure for this nor dedicated any man power to the task. Sounds like that is still at least partially the case there.

      This is also why ownCloud distributes their stuff in their own repo, which is the best way to go about it (so props to ownCloud there)
      That way it is completely up to them how "stable" they want their software to be viewed.
      They can either force people to upgrade to a new major version, breaking all existing installs until configs can be updated - or they can try to be stable and backport patches - or anything in between.

      It's just mind boggling some dip decided that despite the fact ownCloud has their own maintained packages and even a repo for them, that it would at all be necessary to claim "now i'm the package maintainer!" and put it in Ubuntu's repo...

      Was this Ubuntu's direct doing?
      In Debian only the core system is packaged by their own team. 3rd party stuff however anyone can step up and decide to be the package maintainer, compiling from src to debian standards and releasing debs. But it's usually easier to see who to point the finger at in that case.

    19. Re:Packages can't be removed? by Anonymous Coward · · Score: 0

      This is the great problem with all Linux Distro's. If there is no maintainer of that package FOR THAT SPECIFIC DISTRO AND VERSION, this kind of security theater happens.

      With the OS's that build from source (eg BSD's (FreeBSD/NetBSD/OpenBSD) and Gentoo) as the original and preferred solution, you don't have this problem necessarily, because if it doesn't build, there's no binary package that will work. OS distros like Ubuntu, Debian, RHEL/CentOS rely on binary packages first, and thus often ship with obsolete packages in order to have an out-of-the-box version that works, but seldom update the packages to current versions during the lifetime of the OS. Take a look at what version of Kernel is being used by RHEL/CentOS: https://access.redhat.com/articles/3078 RHEL 4 5 and 6 all use 2.6 , no version of RHEL ever updates the Kernel version, but updates the build number (assuming for backported fixes.)

      Compare this with MacOS and Windows, where amazingly the OS updates behave exactly the same way. No "Kernel" updates in between version numbers, all the fixes tend to be for first-party software, not third party software. What third party software that ships with the OS tends to be "obsolete" at release.

      So really there's nothing new to see here. If you really care about security and being on top of the bleeding edge updates and fixes, one would run FreeBSD/OpenBSD/NetBSD or Gentoo, otherwise they would build all the software from source to begin with.

      Once again, I must repeat... Linux is a poor desktop OS, it's great at being a server (particularly a Virtualized server, or an embedded server) because of its inherent ability to have the kernel trimmed down, and have the OS trimmed down to just what is needed. Linux is simply "the kernel" and not userland tools like BSD, or entire GUI filled "one-OS-does-all" like MacOS X or Windows. Mixing and matching parts is what gives Linux its flexibility, at the cost of being inherently abusive to those that use it.

      If MacOS X is the Loving parent, Linux is the abusive drunken parent, and Windows is the helicopter parent. That's how much effort "it feels like" to deal with fixing problems in the OS. MacOS X hides everything and isn't forthcoming about problems without going behind their back. Linux is completely unhelpful and anything you do you have to do carefully or it gets violent on you. Windows keeps trying to keep you from hurting yourself by doing "everything" for you when you don't want it to, thus you have to put up with its "way" even when you want to do something your way.

      There's plenty of analogies, but Linux, really is a pain to deal with, much more so than FreeBSD. There's a lot of group-think among BSD and GNU OSS people, where "nobody should run obsolete software" by making their cog in the machine "more important" than it needs to be. I'll give you a few examples. Updating most of the userland, should break nothing, but on most linux builds, it does because of over-reliance on shared libraries. On BSD there's often system libraries AND user installed libraries, which makes things a bit more obnoxious when something builds and you realize that it used the shared library that some other package depends on, and then fail to update it because of package creep.

      Perl, PHP, Python are notorious for package creep. Install one utility that relies on anything in Perl, and often you end up having to install 20-some-odd Perl packages, that now must be maintained or the package you just installed will break at the drop of a hat should you have any other Perl tool on the system that wants a later version of some library.

      My least favorite package creep problem comes from Apache software. You know how HTTPD depends on APR? Well you get infinite loops from APR if certain dependencies aren't met. Yet it doesn't actually tell you this.

      Another Package creep problem comes from integrating zlib, or lzma into one package (LZMA seems to have started a series of clusterf*cks on some OS/Distro's of Linux and BSD) and then removing the package from userland.

    20. Re: Packages can't be removed? by Anonymous Coward · · Score: 0

      If "universe" is "not officially supported software" then why is it officially part of the stable release? Once ubuntu decided that universe was part of the release they also assumed ownership of these specific packages.

      "universe is non-official and therefore it's possible things will get removed" and they could be done.

    21. Re:Packages can't be removed? by Anonymous Coward · · Score: 0

      as long as ubuntu's name is on it it's ubuntu's responsibility, at least if they want their brand to not be recognized as "you will be pwned if you install it".

    22. Re: Packages can't be removed? by BronsCon · · Score: 1

      why is it officially part of the stable release?

      It's not. The stable release consists of the repos that are enabled by default, a list which does not include universe. The universe repository also comes with the following warning:

      ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
      ## team. Also, please note that software in universe WILL NOT receive any
      ## review or updates from the Ubuntu security team.

      There are similar, but stronger, warnings on multiverse and backports, as well. It's not like they don't tell you what you're getting yourself into when you choose to enable those sources.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    23. Re: Packages can't be removed? by BronsCon · · Score: 1

      You mean warnings like this comment above the disabled by default universe repository (where owncloud exists)?

      ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
      ## team. Also, please note that software in universe WILL NOT receive any
      ## review or updates from the Ubuntu security team.

      That covers the entire repository, including its contents, which would include owncloud, if installed from Ubuntu's repository. If installed from elsewhere, it's not Ubuntu's responsibility, anyway.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    24. Re:Packages can't be removed? by x_t0ken_407 · · Score: 1

      Lol!!!! Where are my mod points...

    25. Re:Packages can't be removed? by Anonymous Coward · · Score: 0

      Why would they be removed? Why wouldn't the motherfucking DEVELOPER of the motherfucking PACKAGE back-port a newer version to 12.04 and 14.04, in order to get an updated version of the software into the repository?

      Jesus christ, what a bunch of bitch-ass whiners. Instead of spending the probably 45 minutes it would take to backport the package to Trusty and Precise, this tard wants Ubuntu to break the repo? Fuck him.

      I really hate IT-ers that think using "fucking" and "motherfucking" repeatedly makes them sound important and clever. I've no general problem with swearing, but when people in my industry do it like this, I just think they come across as twats.

  2. Why not allow the update into the repos? by saloomy · · Score: 2, Insightful

    That seems like a lot of dick-measuring on the part of developers. Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities? Where is the years of support? When you update your package list, the developers of those packages should be able to post updates...

    This is why Linux is not desktop ready... too many stubborn minds pushing their way.

    1. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      And they want you to run their junk on a phone. LOL.

    2. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      So.. either shut up or fork it!

      Yes... it's hard, see?

    3. Re: Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      The developer should provide and maintain a PPA (or equivalent) for every distribution out there? They'll never have time to actually develop the software itself.

    4. Re:Why not allow the update into the repos? by Gaygirlie · · Score: 3, Informative

      They *DO* provide repos for multiple distros: http://software.opensuse.org/d...

      Providing repos, however, does not fix this. If Ubuntu decides to carry packages for ownCloud on their own repos then keeping those packages up-to-date and secure is their responsibility.

    5. Re:Why not allow the update into the repos? by iYk6 · · Score: 2

      Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities?

      "multiple critical security bugs for which no fixes have been backported,"

      The summary answers your question. There are no patches that address the known security vulnerabilities.

      it's up to someone from the Ubuntu community to step up and fix it.

      If someone creates a patch, they are welcome to submit it, and maybe the package maintainer will apply it.

    6. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 1

      But it is Ubuntu's responsibility to make sure they don't have shitty ports. FreeBSD and PC-BSD backport fixes all the time. That's part of what the "Ports Team" does.

      Maybe Ubuntu should grow up a bit like FreeBSD.

      "Given the huge number of ports in the tree, a security advisory cannot be issued on each incident without creating a flood and losing the attention of the audience when it comes to really serious matters. Therefore security vulnerabilities found in ports are recorded in the FreeBSD VuXML database. The Security Officer Team members also monitor it for issues requiring their intervention. ... exceptionally severe vulnerability should not hesitate to contact the Security Officer Team directly, as described on the FreeBSD Security Information page."

    7. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      What should be done is that there should be an "upgrade" for the ownCloud packages... and have it be an executable replacement which does nothing other than tell the user to uninstall it, and fetch the ownCloud client from the official, maintained repository. Yes, this is not a nice thing to do, similar to what the TrueCrypt devs did... but it will "fix" security issues.

    8. Re: Why not allow the update into the repos? by grcumb · · Score: 2

      Why shouldn't they? If you want it included in the distro, why is it the distro's responsibility for maintaining the package?

      Because that's what fucking distros do. Maintain the fucking package.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    9. Re:Why not allow the update into the repos? by NotInHere · · Score: 1

      The problem is that once released, all packages on an ubuntu distro don't get updates for features anymore. This is because ubuntu isn't rolling release like arch or other distros. There are only very few exceptions like firefox.
      Ubuntu relies on upstream maintaining that current branch, or canonical does if it is in the 'main' repository, and upstream doesn't do it. For packages outside 'main', the community has to provide patches, or they go unpatched.

      This isn't being stubborn, this is just simply to keep something feature stable. This is necessary for some people, and also something that microsoft does. But unlike microsoft, ubuntu also tries to keep almost all applications feature stable. This is harder than "just" a basic platform. And the basic platform is already in the 'main' repo, which gets patches.

      But still I don't understand why Owncloud has been included in the first place if nobody wanted to provide patches for it. If nobody can do that, it's not part of Ubuntu, simple as that. There is a ppa for owncloud for those who want to install it.

    10. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 2, Informative

      The owncloud package is in Universe not Main. Canonical only supports packages in Main. The Ubuntu community is responsible for maintaining packages in Universe. It also should be noted that one of owncloud's contributing developers is listed as a package maintainer for owncloud in Debian. This makes the claim by Lukas Reschke that there is no one on their team that could help either update the package in Universe or contribute a backported version a little disingenuous.

    11. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      Explain for me why the developers cannot simply upload their EXISTING 12.04 and 14.04 backports to Ubuntu, again?

    12. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      It may be that the maintainer just quit working on it and it became orphaned.

    13. Re: Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      Yeah, they could if they wanted to. A contributing developer for owncloud is also a maintainer for Debian so I don't know why he couldn't also upload to Ubuntu.

    14. Re: Why not allow the update into the repos? by fnj · · Score: 4, Informative

      I don't think our AC(s) have the slightest idea how real life works. Developers don't "want their packages included" in any specific distro. Developers develop. They put the stuff out there and continually modernize it. Distros pick and choose what versions of what packages they include in any given release at the time of release. That's when all major revs are frozen for the duration of use of that distro release. The whole rat's nest of apps and libraries has to work together. You can't just update one piece of it.

      The alternative is a rolling release like Arch, where every package is continually updated to the latest. The downside to that is when, for example, Apache 2.2 gets updated to 2.4 your website stops working because they changed the details of the config file. Rolling is the way to go for desktop where you don't want million year old obsolete packages preventing you from getting anything done, but not so much for servers.

      This is to help the clueless understand. Obviously you know how it works.

    15. Re: Why not allow the update into the repos? by pinkushun · · Score: 1

      Excellent point! I never knew they provided these repos...

      Either way, the version jump is too large to demand an automatic update, so the next natural step would be a security update, which is supposed to be supported by 12.04[1] and 14.04.

      These usually enter the stream as patches, so it is likely that nobody has submitted a patch to fix these holes.

      [1]: https://help.ubuntu.com/commun...

    16. Re:Why not allow the update into the repos? by ChunderDownunder · · Score: 2

      Ubuntu does have backports - does this not handle 'Universe'? If it does then the dev just needs to add their package, surely.

    17. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      Well they could if they want to provide backports and not patch the older versions in Universe. However the owncloud devs said they don't even want to do that even though that would probably be the easiest route to get their updated versions in Ubuntu.

    18. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 1

      Yes Ubuntu has a separate backports repo for every release, but I don't think it's automatically enabled. But the backport version would not replace the old version in Universe, it just would be an upgrade to it. But someone would still have to maintain that package as well and that's the crux of the problem, no one is stepping up from the community or from owncloud to do that.

    19. Re: Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      Hey dicktard, how about you explain for me why the developers, if they're so concerned, can't simply upload the ALREADY EXISTING BACKPORT of 7.0 IN DEBIAN FORMAT that they've produced and host on their own site in .deb format, to the Ubuntu 'universe' repo?

      Trivially easy. Yet nobody seems aware that this is possible, despite you seeming to think that you know all about debian repos.

    20. Re: Why not allow the update into the repos? by lukas4625 · · Score: 3, Informative

      This would require following processes such as SRU. While it may sound like an easy solution this is a heavy burden which we do not want to take on us.
      Especially, if we want to do security releases at the same time we could - even if we would maintain the Ubuntu packages ourselves - not guarantee that this would happen at the same time. We're therefore providing our own repositories at owncloud.org/install
      But if you want to do this "trivially easy" job for us over the whole lifetime of the distribution (5 years) we'd really appreciate it.

    21. Re:Why not allow the update into the repos? by lukas4625 · · Score: 2

      As noted in another reply from myself:

      Additionally, some people in the comments seem to claim that "one developer of ownCloud is noted as maintainer for the Debian package". This entry is a legacy entry and as you can see in the changelog at http://metadata.ftp-master.deb... [debian.org] Thomas did last modify the packages at 11 Oct 2012.

      (Disclaimer: Opinions expressed in this post are solely my own and do not necessarily also express the views of the ownCloud project or my employer)

    22. Re:Why not allow the update into the repos? by smash · · Score: 1

      The developer may have nothing to do with Ubuntu, packages for distributions are often developed by a third party who takes the official sources and packages it up themselves. The developers often do not package anything directly and have no interest in maintaining packages for other people's operating systems. They distribute via source.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    23. Re: Why not allow the update into the repos? by smash · · Score: 2

      I don't think you understand how software gets included in a distro. The developer doesn't ask for it to be included generally, it is often packaged by some third party who likes the software and wants a debian/redhat/etc. package for it. The developers distribute via source, if a distro wants to include their own custom package for it, that's their own doing.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    24. Re: Why not allow the update into the repos? by smash · · Score: 1

      If it's trivially easy, why haven't you done it?

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    25. Re:Why not allow the update into the repos? by smash · · Score: 4, Informative

      There are patches to fix the vulnerabilities, they just haven't been backported by the developer to the old version of owncloud. The official owncloud path is to upgrade to the supported release. If Ubuntu want to support the old version, it is up to them to backport fixes to the old version(s) themselves, as the FreeBSD ports team often do with the ports tree.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    26. Re:Why not allow the update into the repos? by GPLHost-Thomas · · Score: 1

      Not getting updates for features is perfectly fine. What is a problem is not getting security fixes, and having the security team of Canonical not caring at all about that.

      When someone maintains a package in Debian, he may care about it, and provide sound security updates once the stable release is out. Though what's unexpected, is that the same package, while well maintained in Debian, may not be fixed in Ubuntu, because you know... it's "Universe"... The security team from Canonical will not take the time to get the updated package from Debian, unless someone carefully prepares the update and does the work for them.

      The final result is that the Ubuntu universe repository is full of security issues unless someone "from the community" (understand: the Debian package maintainer) cares to do it, which often doesn't happen.

      Don't use Ubuntu on your servers, it's simply not safe.

    27. Re:Why not allow the update into the repos? by GPLHost-Thomas · · Score: 1

      The point is: the Debian maintainer never asked to take on the burden of maintaining his package in Ubuntu, he just maintains it in Debian. It just happened automatically. But security updates aren't automated. Now, are you saying that he must be forced to also maintain it in Ubuntu, otherwise they will forever keep some flawed packages? Man, he didn't choose the situation, and probably he simply doesn't want to do the work in Ubuntu. Why then just keep his package there?

    28. Re:Why not allow the update into the repos? by kthreadd · · Score: 1

      Explain for me why the developers cannot simply upload their EXISTING 12.04 and 14.04 backports to Ubuntu, again?

      They want you to use their package repository.
      If the Ubuntu community wants to provide a version in the Ubuntu repository then the Ubuntu community has to support it.

    29. Re:Why not allow the update into the repos? by kthreadd · · Score: 2

      The Ubuntu package repositories are divided into two parts. Main and restricted contain a limited number of packages which are supported by the Ubuntu security team, but universe and multiverse are not; they are supported (or in this case unsupported) by the Ubuntu community.

      The problem is that Ubuntu users don't know this.
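
An added example, not part of the comment above and not Ubuntu's own tooling: a small Python parser for one-line-style APT source entries that reports which enabled `deb` lines pull from universe or multiverse, the components described above as community-supported. The sample sources.list text and the function names are constructed for illustration.

```python
"""Added example: flag APT source entries that enable community-supported components."""

# Split described in the thread: main and restricted are covered by the Ubuntu
# security team; universe and multiverse are left to the community.
COMMUNITY_COMPONENTS = {"universe", "multiverse"}

# Constructed sample in the style of an Ubuntu 14.04 /etc/apt/sources.list.
SAMPLE_SOURCES = """\
# Constructed sample file for this example
deb http://archive.ubuntu.com/ubuntu/ trusty main restricted
deb-src http://archive.ubuntu.com/ubuntu/ trusty main restricted
## Community-maintained component follows
deb http://archive.ubuntu.com/ubuntu/ trusty universe
deb [arch=amd64] http://archive.ubuntu.com/ubuntu/ trusty-updates main universe multiverse
# deb http://archive.ubuntu.com/ubuntu/ trusty-backports main universe
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
"""


def parse_entry(line):
    """Parse one 'deb'/'deb-src' line; return None for blanks, comments and junk."""
    line = line.split("#", 1)[0].strip()  # drop comments, including disabled entries
    if not line:
        return None
    tokens = line.split()
    if tokens[0] not in ("deb", "deb-src"):
        return None
    kind, rest = tokens[0], tokens[1:]
    # Optional bracketed options such as [arch=amd64 trusted=yes] may span tokens.
    if rest and rest[0].startswith("["):
        while rest and not rest[0].endswith("]"):
            rest = rest[1:]
        rest = rest[1:]  # drop the token that closes the bracket
    if len(rest) < 2:
        return None  # malformed: no URI and suite left
    return {"kind": kind, "uri": rest[0], "suite": rest[1], "components": rest[2:]}


def community_supported_sources(text):
    """Return (line number, suite, components) for binary sources using
    universe or multiverse, i.e. packages without security-team coverage."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None or entry["kind"] != "deb":
            continue  # source-package lines do not install anything
        hits = [c for c in entry["components"] if c in COMMUNITY_COMPONENTS]
        if hits:
            findings.append((lineno, entry["suite"], hits))
    return findings


if __name__ == "__main__":
    for lineno, suite, comps in community_supported_sources(SAMPLE_SOURCES):
        print(f"line {lineno}: {suite} enables {', '.join(comps)} "
              "(no Ubuntu security team coverage)")
```

To audit a real host, pass the contents of `/etc/apt/sources.list` and each file under `/etc/apt/sources.list.d/` to `community_supported_sources`.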

    30. Re: Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      They probably don't have proper branches which are nicely maintained over time. An upgrade would break a ton of stuff. So they cannot do that.

      Welcome to the world of Hipster software - PHP says all.

    31. Re: Why not allow the update into the repos? by Zero__Kelvin · · Score: 1

      And how, pray tell, do you expect the developers to sign their packages with everybody else's private keys? If they do that the update will fail, because the package manager isn't going to install a package from an Ubuntu repository that isn't signed by Canonical's private key, for example.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    32. Re: Why not allow the update into the repos? by tepples · · Score: 1

      Each PPA has its own key pair.

    33. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      FreeBSD is known to not just back-port fixes, but to also fix critical bugs in ports if the project is no longer maintained. Maybe Ubuntu needs to grow up. Lazy is all I can say. If it's in their ports tree, then Ubuntu should take a minimum amount of responsibility for it. Not to mention, the FreeBSD community is much smaller. If they are unwilling to remove the port, then they must be willing to maintain it.

    34. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 0

      as an ubuntu user I want a new package in universe maintained by the developers, a systemd (or rather ConsoleKit etc.) replacement.. and a pony.

    35. Re: Why not allow the update into the repos? by Khyber · · Score: 0

      "this is a heavy burden which we do not want to take on us."

      Go figure, GOOD PRACTICES are too much of a fucking burden.

      What sort of shit software developer are you?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    36. Re:Why not allow the update into the repos? by kthreadd · · Score: 1

      My understanding is that the Ubuntu community does not have the manpower that it takes to maintain universe, and Canonical is primarily only interested in maintaining main and restricted. What they really should do is disable universe and multiverse by default.

    37. Re:Why not allow the update into the repos? by BronsCon · · Score: 1

      This is the "universe" repo, which is community-maintained and not supported by Canonical in any way. It's also not enabled by default and there are ample warnings when enabling it. This isn't a case of Ubuntu shipping with software that never gets updates, it's a case of Ubuntu users installing software they're told beforehand is unsupported and probably won't get updates.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    38. Re: Why not allow the update into the repos? by BronsCon · · Score: 1

      The kind that introduced the bug that caused this whole issue to come up in the first place. That said, nobody's perfect and every developer has introduced boner security bugs at some point or another; some of us are just more willing to take the extra steps to fix them.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    39. Re:Why not allow the update into the repos? by BronsCon · · Score: 1

      Ubuntu users don't need to know that unless they've enabled the universe, multiverse, or backports repositories, in which case they only don't know it if they didn't read the comments in the sources.list file while enabling them or, if they're using a GUI, they ignore the warnings that come up when they check the little boxes.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    40. Re:Why not allow the update into the repos? by BronsCon · · Score: 1

      It was removed from 14.10 prior to release, so, for the current and future Ubuntu releases, this is a solved issue.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    41. Re: Why not allow the update into the repos? by mysidia · · Score: 1

      I vote the software author should provide an update to the Debian package though. The "update" should generate PROMINENT WARNINGS for the user that their software is out of date, that the debian packages are no longer being maintained, and FOLLOW THE FOLLOWING INSTRUCTIONS to switch from a .DEB managed installation to a .TAR.GZ managed installation.

    42. Re:Why not allow the update into the repos? by mysidia · · Score: 1

      Not getting updates for features is perfectly fine. What is a problem is not getting security fixes, and having the security team of Canonical not caring at all about that.

      I don't know about you, but if I maintain software, I'm shipping the security fixes and other bug fixes with the combined update. You don't get to pick and choose "security updates but no feature enhancements".

      I'm a big fan of how Firefox and others don't have separate major releases nowadays. And no "maintaining old branches"

    43. Re:Why not allow the update into the repos? by jabuzz · · Score: 1

      The problem with the Debian and Ubuntu bug fixes not updating packages is, let's say, I maintain an open source package and it is in Debian. I spot a bug, fix it and release a *BUG* only update with a new version number, say 2.1 instead of 2.0.

      What Debian now do is wacked out stupidity. They "backport" the bug to the 2.0 package and release a "Debian 2.0" version of the package. I now as a maintainer of the software know what is in a version 2.0 of a package because Debian have been frankly dicking about, because they think they are the only people in the world that might do bug fix only releases. Makes them a bunch of jerks to be honest.

      I say this as someone who uses Debian and has packages in Debian that this sort of stupidity has been done to in the past.

  3. Re:Bring back Bennett!! by Anonymous Coward · · Score: 0

    I've been away from slashdot for awhile.. who is this Bennett Haselton guy? I read his wiki page, so I know he runs some anti netfilter websites.

    On slashdot, is he the new Jon Katz, Michael Sims, or more like a new Timothy, or something else entirely? Is he an 'editor' or just a frequent summary submitter?

  4. Open Source Triumphs Again! by Anonymous Coward · · Score: 0

    Open source is Free as in nobody is paid to fix the security holes!

    1. Re:Open Source Triumphs Again! by kthreadd · · Score: 1

      The Ubuntu security team (which is mostly paid Canonical employees) provides security updates for packages in the main and restricted component. Packages in universe (such as owncloud) and multiverse are not supported by the security team.

  5. Well, to be honest by skids · · Score: 1

    ...opening back doors to my system is kind of the functionality I would expect from installing a package named "owncloud." At least now I know it exists so if I see it in the wild I'll know it's not an *intentional* rootkit.

    1. Re:Well, to be honest by fnj · · Score: 2

      Maybe it should be named Pwncloud.

  6. Re:Bring back Bennett!! by Anonymous Coward · · Score: 0

    He's a frequent contributor.

  7. Re:Bring back Bennett!! by NotInHere · · Score: 0, Offtopic

    Frequent summary submitter describes it very well:

    http://slashdot.org/story/13/1...
    http://tech.slashdot.org/story...
    http://yro.slashdot.org/story/...
    http://news.slashdot.org/story...

    He just makes very long submissions. And since this week, a troll has been very busy, submitting stories:

    http://slashdot.org/submission...
    http://slashdot.org/submission...

    and writing But-what-does-frequent-contributor-Bennett-Haselton-think-about-this posts into stories. The term "Frequent contributor" has been used in a summary by an editor, and is already associated with him by /. users:
    http://hardware.slashdot.org/c...

  8. Re:Bring back Bennett!! by vux984 · · Score: 4, Informative

    The general issue with Bennett Haselton is simple.

    Everyone else in the world submits articles, slashdot summarizes them, links back to the full article, and the comments here ensue.

    In some cases the article links are just a link back to the article submitter's own blog (and this is gently mocked but usually tolerated), in other cases the links are broken (also mocked), in some cases they are linked to an unrelated article (you bet we mock this too), and very occasionally for those people who enjoy the thrill of the hunt, they do go back to an original article in some legitimate or quasi-legitimate source of news. (Hooray!) (In which case we can mock everyone who didn't read TFA.)

    Bennett however, as if you've read any of his articles you will know, is special. He read about the virtues of conciseness, efficiency, brevity and then wrote a short epic about why they really shouldn't apply to him.

    When he looked at what it would take to get his very own blog up and running he quickly realized that it was a pretty serious undertaking. He'd have to register somewhere, choose a password, maybe even pick a theme. Do you know how much that would cut into his actual writing time? Several minutes, at least, and he really just doesn't have that kind of time to spare, what with already being slammed just keeping up with writing down every thought that pops into his brain.

    So, long story slightly less long, he decided why not just use slashdot itself as his very own personal blog? It saves him having to sign up for one, and better still he argues, saves us a mouse click by eliminating that superfluous step of having to click through to get to the full article.

    After having this explained to him, Bennett rejected the argument and suggested we should be delighted at being able to reach his thoughts without having to make that one extra click to an external source.

    So now we just mock Bennett.

    I think that sums it up fairly concisely, at least relative to what Bennett would have said. ;)

  9. Re:Bring back Bennett!! by Anonymous Coward · · Score: 0

    He also contributes frequently.

  10. Clarification regarding backports by lukas4625 · · Score: 5, Informative

    Lukas from ownCloud here (the one mentioned in that article). I have to say, that this quickly escalated in a way that I did certainly not intend to. However, I'd like to clarify one thing.

    The article states "for which no fixes have been backported". With that I meant to refer to the Ubuntu packages and not Version 5 or 6. We still support ownCloud 5 for security patches and critical bugfixes and ownCloud 6 for bugfixes and security patches. This might have been unclear.

    I sent this request to Ubuntu because we're very much concerned about our users. While some of us might know that using the "Universe" repository is not that great an idea for internet facing software, most people don't. Furthermore, I don't believe it's the responsibility of the developer to update packages in every single distribution out there. Especially with distributions such as Ubuntu you have to follow quite complex processes such as SRU which consumes a lot of time.
    Additionally, some people in the comments seem to claim that "one developer of ownCloud is noted as maintainer for the Debian package". This entry is a legacy entry and as you can see in the changelog at http://metadata.ftp-master.deb... Thomas last modified the packages on 11 Oct 2012.

    We're always recommending to our users to use one of the supported installation methods such as owncloud.org/install where we even provide our own repositories for most distributions.

    (Disclaimer: Opinions expressed in this post are solely my own and do not necessarily also express the views of the ownCloud project or my employer)

    1. Re:Clarification regarding backports by GPLHost-Thomas · · Score: 1

      Advising your users to use your own repository is not a satisfying answer. If there's a package in Debian, then it should be fine using it. It should as well receive (security) updates if needed. Now, it's looking like you didn't choose to have your package "synced" in Ubuntu universe. It just happened just like with many other software. My advice then would be to explicitly ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

      As for updating packages in Ubuntu, my experience is that it's not that hard. Just prepare a new package, and send the link to the Ubuntu security team, and basically, they can take care of the rest.

    2. Re:Clarification regarding backports by lukas4625 · · Score: 5, Interesting

      Advising your users to use your own repository is not a satisfying answer. If there's a package in Debian, then it should be fine using it. It should as well receive (security) updates if needed.

      Absolutely, that said: the Debian maintainers are doing great work and the ownCloud Debian packages are absolutely up-to-date.

      Now, it's looking like you didn't choose to have your package "synced" in Ubuntu universe. It just happened just like with many other software. My advice then would be to explicitly ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

      As a project we did not add our package anywhere. The point here is that we *are* responsible and actively maintaining our packages and we do it at a central place which is OBS. The problem is only that there is not yet a way to make that easily usable in Ubuntu or other distributions.

      As for updating packages in Ubuntu, my experience is that it's not that hard. Just prepare a new package, and send the link to the Ubuntu security team, and basically, they can take care of the rest.

      Why should we have to maintain our own repositories and the ones of every distribution out there? - This is okay as a short-term solution where we only have to do minor updates, but as soon as we have another major update it gets somewhat trickier :-)
      I think this shows a bigger problem with the Universe repository: In our case we complained, but most other packages in there are most likely quite outdated as well but in their case no-one bothers to complain.

    3. Re:Clarification regarding backports by Anonymous Coward · · Score: 0

      It's always great to see the actual people involved comment under their own name. Cheers!

      (Posting as AC to preserve moderation actions.)

    4. Re:Clarification regarding backports by Anonymous Coward · · Score: 0

      They have not yet pissed off any Mighty Criminal Yet. Like Bush, Merkel or so.

    5. Re:Clarification regarding backports by drinkypoo · · Score: 1

      Advising your users to use your own repository is not a satisfying answer.

      Yes, yes it is. At least, I am satisfied by such an answer.

      If there's a package in Debian, then it should be fine using it.

      And if it's not fine to use it, then it should be removed from the repo, without a request from the developer.

      My advice then would be to explicitly ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

      There's no technical reason they can't remove a non-required package from a release. So yes, that's the solution, but it shouldn't be the only solution.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Clarification regarding backports by Anonymous Coward · · Score: 0

      Switching from the version of ownCloud packaged by Ubuntu to the package provided by ownCloud via an "apt-get upgrade" wiped out all my synced files.

      I am not impressed with ownCloud's heavy-handed approach to dictating what distros can provide in their repositories, I'm not impressed with the attitudes on display in the ownCloud community and I am very unhappy with the way ownCloud's software wiped out all my work files when I upgraded to the "safe" version. If ownCloud was really interested in the safety of their users and the users' data, this would have been handled much differently.

    7. Re:Clarification regarding backports by geminidomino · · Score: 1

      Your righteous indignation might have been more inspiring were it not being bogged down by your semi-literacy and incompetence.

      I am not impressed with ownCloud's heavy-handed approach to dictating what distros can provide in their repositories,

      Did you read a different message than the one everyone's sharing around the internet, or do you not know the difference between a command and a request: an actual request, at that, not even one delivered at the barrel of a lawyer.

      Considering the biggest part of the userbase for Owncloud is privacy- and security-minded sysadmins (running their own rather than trusting the outside providers), I'd say not wanting them to get pwned because Ubuntu's serving out stale versions is a pretty good thing. They're not the package maintainers, and it's Ubuntu who doesn't seem to give a shit here (there's no good excuse for 'we can't take the unmaintained exploitable package out of the unmaintained repository').

      I'm not impressed with the attitudes on display in the ownCloud community and I am very unhappy with the way ownCloud's software wiped out all my work files when I upgraded to the "safe" version. If ownCloud was really interested in the safety of their users and the users' data, this would have been handled much differently.

      And thus, the fledgling learns the value of "backups before updates", after landing flat on his beak.

    8. Re:Clarification regarding backports by GPLHost-Thomas · · Score: 1

      I fully agree with you. There's a big problem with the Universe repository.

    9. Re:Clarification regarding backports by jbolden · · Score: 1

      We're always recommending to our users to use one of the supported installation methods such as owncloud.org/install where we even provide our own repositories for most distributions.

      I understand why, but that goes against the whole philosophy of distributions. From your perspective it obviously makes things easy. From the user's perspective you are one of a 100 packages that wants to install and be configured in specialized ways. And then of course this introduces complexity in both directions. For distribution packages which want features of OwnCloud they are going to pull down the Ubuntu package possibly screwing up the custom distribution. For OwnCloud packages that want dependency they aren't going to pull in the right things from the Ubuntu distribution or link to them properly. A total mess.

      Really there is no good solution than there existing a package maintainer for the major distributions. owncloud.com has to decide if making owncloud.org's product work well/safely on Ubuntu is good or bad for the business. I can easily see either being the case. Ubuntu has to decide if owncloud.org's product is worth them supporting and right now they've decided no. If both decide no, and no individual steps up then... well there is a problem and owncloud will be iffy on Ubuntu.

    10. Re:Clarification regarding backports by jbolden · · Score: 1

      And thus, the fledgling learns the value of "backups before updates", after landing flat on his beak.

      Or better. Backup complex software always. Have extra backups done using a different mechanism before updates.

    11. Re:Clarification regarding backports by Qzukk · · Score: 1

      I am not impressed with ownCloud's heavy-handed approach to dictating what distros can provide in their repositories

      "Please do not ship outdated buggy binaries."

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  11. Re: owncloud is implemented in ... wait for it by Anonymous Coward · · Score: 0

    If you wonder about the typos in above comment, that is the result of typing in the /. comment box using a tablet device. The /. comment function is another technology scratch that piece of s* that ought to be outlawed.

  12. Shitpile in support of Unit 8200 by Anonymous Coward · · Score: 0

    PHP and most (all?) PHP-based software have been shitpiles of exploitable bugs for years now. The core reason is that the "convenience" features of PHP, including the type-laziness, directly contribute to a high defect rate. Ready to be exploited.

    So the Israelis created something to make the Internet more "transparent".

    Don't touch anything PHP-based.

  13. Re:Bring back Bennett!! by jones_supa · · Score: 1

    So now we just mock Bennett.

    I'm not sure if he deserves all the mockery. Maybe some people think that he has posted a couple of silly opinion pieces, but that does not make him a malicious monster.

  14. Re: owncloud is implemented in ... wait for it by Anonymous Coward · · Score: 0

    Welcome to the Western World Jungle. You can essentially buy every insane drug you can think of if you really want to poison yourself. Same with PHP.

    Just avoid it personally and tell other people. That's all you can do.

  15. Drop owncloud by allo · · Score: 0

    PHP: meh
    insecure programming practices: Building SQL-Statements from string concatenation (no format strings for example) and so on
    rather slow
    NO INCREMENTAL SYNC!

    only pro: Server runs on a cheap webspace.

    And now go and have a look at seafile.com

    1. Re:Drop owncloud by Anonymous Coward · · Score: 0

      Your C code looks dangerous, too. Why don't you at least use C++ and nicely contain all the raw-pointer-surgery to a few classes for strings, arrays, hashtables and the like?

      That would make people "in the know" much more confident relative to your security.

    2. Re:Drop owncloud by allo · · Score: 1

      It's not my code, I am only a user.
      But in my experience, the developers are reacting quite well on "issues" on their github (see the repos of haiwen).
      On the other hand, the owncloud devs tend to "I close this (still open) bug due to inactivity", when the inactivity is on their side, because they just need to fix the stuff with all information already provided.

    3. Re:Drop owncloud by Anonymous Coward · · Score: 0

      seafile doesn't support calendars and contacts management ...meh.

    4. Re:Drop owncloud by allo · · Score: 1

      yep, it's a filesync tool.

      for calendar and contacts you may still consider owncloud, but there are a lot of "groupwares", which do a fine job.
      owncloud tries to do everything ... which gives quite a cloud replacement if you look at google, but may be a bit too much for a single project, which needs to maintain all this stuff.

      I used owncloud and despite the other flaws, the missing incremental sync (which will not be added later) was the top argument. you cannot upload 100 mb each time you change a tiny bit.

    5. Re:Drop owncloud by javanree · · Score: 1

      Unfortunately nothing else comes even close to OwnCloud in terms of features. Like LDAP/AD integration, proper quota, multi-platform client (although the Linux client is a shameful mess)

      Been running Owncloud for a year now and every upgrade again gives me this sick feeling in my stomach. What will they break this time... The idea behind Owncloud is solid, however their development model is a mess. Loads of re-appearing bugs in every new major release, big features which get borked during upgrades etc. It would be nice if they stopped messing about with new stuff so much, focused more on stability and made sure their stuff works without issues on common platforms such as RedHat Enterprise 6 (both server and client, without warnings)

    6. Re:Drop owncloud by allo · · Score: 1

      Meh, what did the user do before owncloud, which is a rather home grown software? I did not test a lot of groupwares, but I am aware, that there are many to choose from, with many users. Some are very old already and I guess they have many of the features a normal user needs. tine looks nice, horde is more mailcentric, egroupware is some other name I never tested ... and you can combine single products. While owncloud is nice and each feature is not too bad, there is another more complete software for each feature, which is just not integrating into a single product, which is the advantage of owncloud.

    7. Re:Drop owncloud by WuphonsReach · · Score: 1

      Try seafile - not saying they cover everything, but for file sync, it seems to work very well (and scales better than Owncloud when you have a few thousand files).

      --
      Wolde you bothe eate your cake, and have your cake?
  16. Re: Bring back Bennett!! by Anonymous Coward · · Score: 0

    The editors that permit this do.

  17. Re:Bring back Bennett!! by Anonymous Coward · · Score: 0

    I'm the one who started with all the posts ending in "He's a frequent contributor" yesterday. Well said. What I'd like to add is that Dice dishes out his opinion and he never comes to comments. I feel that if he should get special treatment, he might as well be a commenter. I think the feeling of being shoved his dumb opinions is what creates the equal reaction of repeated mocking. The exchange is a one way transmission of blabber so this is the result.

  18. Re:Bring back Bennett!! by Anonymous Coward · · Score: 0

    He's definitely not a malicious monster. However, Slashdot (or DiceDot) basically endorses his opinion pieces - which then get intelligently torn apart in the comments. And there is no accounting for this from the other end. It's different if a story gets posted and we all know it's a stupid idea. It's another dynamic when DiceDot endorses a retarded opinion and we completely call them out, but then the cycle just repeats. The equal reaction is a cycle of mocking, because people blatantly point out why his opinion fails and there is no accountability on his part or DiceDot's... just another repetition of the cycle.

  19. Re:Bring back Bennett!! by TheRaven64 · · Score: 1

    Bennett has been posting these long ramblings since a very long time before Dice bought Slashdot. Unfortunately, I think that your complaints are not likely to be heard because Slashdot seems to have had a policy for a long time of not recruiting editors from people who regularly read the site...

    --
    I am TheRaven on Soylent News
  20. Re:Bring back Bennett!! by LordLimecat · · Score: 1

    There's also the fact that his ideas are often enough repellent, such as when he explains how we don't really need the double jeopardy or self incrimination protections of the 5th amendment, or how Computer Acceptable Use Policies and the corresponding network IDS and filtering systems are literally Hitler.

  21. Re:Bring back Bennett!! by LordLimecat · · Score: 1, Informative

    His ideas are very often absurd, and appear very much as if he recently learned about (or began thinking on) a topic, and immediately crafted an opinion on how everyone else who is an expert in said field is wrong.

    Notable entries in this category:
      * Why the 5th amendment is totally unnecessary.
      * More questions about the 5th amendment, indicating a lack of understanding of its background and purpose (leading one to question in what way Bennett was qualified to raise objections to it).
      * Why corporate network filtering and intrusion prevention are tyranny
      * Why you should ignore every lawyer's advice of "don't talk to cops".

    There are hundreds more, if you do a search for Bennett Haselton. The guy is well intentioned-- he clearly has a passion for getting rid of censorship and fixing the world-- the trouble is that he's proven massively susceptible to the Dunning-Kruger effect.

  22. Re:Bring back Bennett!! by LordLimecat · · Score: 1

    Was. His account no longer exists. All prior articles no longer have a link to his profile page, and manually typing it in gets a "not found".

  23. Transitional packages by tepples · · Score: 1

    No, because renaming it has the same effects on existing systems. The installed package "ownCloud" is no longer there (by that name) so future usage of apt-get can still break.

    Of course it can. The repository maintainer can introduce a new package pwnCloud and turn ownCloud into a metapackage that requires pwnCloud. This "transitional package" pattern happens often in Ubuntu updates.

  24. Re:Bring back Bennett!! by Anonymous Coward · · Score: 0

    He *posts* frequently. He contributes very little.

  25. Re:owncloud is implemented in ... wait for it by tepples · · Score: 1

    If PHP ought to be banned, then what migration path do you propose for (say) Wikipedia, which runs MediaWiki software, which is written in PHP? This migration path proposal might give ownCloud's developers ideas on how to migrate from PHP.

  26. Re: owncloud is implemented in ... wait for it by Teun · · Score: 1

    My tablet has its own spell checker, why doesn't yours?

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  27. Re:Bring back Bennett!! by Anonymous Coward · · Score: 0

    my favorite is writing a 10 page rant on the lg optimus prime when everyone who comments here pretty much knows low end android phones are junk basically on purpose and will never get updates or bug fixes. all the 10 pages could have been summed up with "i bought a cheap android phone, and i can confirm it sucks"

  28. Responsibility by drolli · · Score: 1

    If you are a decently qualified administrator, then you always consciously choose between the following:

    a) You customize/install/update/recompile/patch the software you need on your own time. Usually you do this when the service availability is absolutely critical and at the same time no out of the box solution exists.

    b) You use an "out of the box" solution. This solution should be supported, and used within its nominal use case.

    Ubuntu very clearly states that Universe packages may - at best - only receive a minimal quality check at the distribution release and are patched by maintainers, which are not necessarily authors of the software nor employees of Ubuntu. As such their time which they may spend to predictably react to problems is limited, and, if anything in their life changes they just have to stop doing anything for the package without further warning - if the package is important enough for you, donate money to the maintainer and pay him.

    I appreciate that the author loudly raises his concerns, but I think anybody running an unsupported port of a program is responsible for himself. Pulling the package is not good. I for my part run any service for myself (file sharing etc) on a machine which only shows a single port for a vpn to the outside world. If something other than a security problem in the VPN software appears, I would prefer to continue using (and reinstalling) the packages which I chose.

    If I run SW which faces the internet, then I fix it myself.
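
An added example, not part of any comment in this thread: one way to see which installed packages come from the universe component discussed above is to parse `apt-cache policy` output. The function name, the sample text and its version strings are constructed for illustration.

```shell
#!/bin/sh
# Reads `apt-cache policy <pkg>...` output on stdin and prints each package
# whose *installed* version is served from a ".../universe" component.
universe_installed() {
    awk '
        /^[^ ].*:$/  { pkg = substr($0, 1, length($0) - 1); cur = 0; next }  # "name:" header
        /^ \*\*\* /  { cur = 1; next }   # "***" marks the installed version
        /^     [^ ]/ { cur = 0; next }   # any other version in the table
        # Source lines look like: <prio> <url> <suite>/<component> <arch> Packages
        cur && $3 ~ /\/universe$/ {
            if (!(pkg in seen)) { seen[pkg] = 1; print pkg }
        }
    '
}

# Constructed sample in the layout apt-cache policy prints; the version
# strings are placeholders, not real archive versions.
sample_policy() {
    cat <<'EOF'
owncloud:
  Installed: 6.0.1-0example
  Candidate: 6.0.1-0example
  Version table:
 *** 6.0.1-0example 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status
openssl:
  Installed: 1.0.1-0example2
  Candidate: 1.0.1-0example2
  Version table:
 *** 1.0.1-0example2 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1-0example1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
EOF
}

# On a real system (not run here):
#   apt-cache policy $(dpkg-query -W -f='${Package}\n') | universe_installed
```

Packages this prints are the ones whose fixes depend on community maintainers, so they are the ones to track against upstream advisories yourself.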

  29. So they should fork. by Lord Kano · · Score: 2

    Call the Ubuntu specific version PwnCloud...

    Thank you, I'll be here all week.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    1. Re:So they should fork. by mysidia · · Score: 1

      If pwncloud.com wasn't registered by one of those folks just parking domains who probably picked up the domain to try and sell it for $20,000 or so, it would be a cool name for a fork of Owncloud.

      I guess in theory, it could also be the name a pentesting service could call their product if they specialize in pentesting services running on cloud-based infrastructure.

  30. One of the things I hate about Linux by melting_clock · · Score: 1

    Although I've used Linux as my main OS for many years, the idea of bundling applications locked to a version that cannot be updated is insane and one of the things that I hate about Linux distros. Ubuntu did the same stupid thing with Firefox and Open Office at one point. Being stuck with outdated and potentially insecure software, unless you compile your own or use another unofficial repository, is crazy. This is a great example of a system that is designed to fail and a huge security flaw.

    I do often compile and install or directly install debs or add other repos. It isn't difficult but can become a hassle when it expects a base Linux environment that is very different. It is about time for some standardisation in the Linux distros. That would also help with a broader adoption of Linux in a desktop role and attract more commercial software to Linux that is currently Windows only. Commercial devs can choose between developing for a small number of Windows versions or a shitload of constantly changing versions of Linux. Learn something from the example of Android as a commercially successful version of Linux...

    Locking the core OS and software necessary to provide a common base makes some sense but this is taken too far. Either keep software in repositories updated or don't provide them. Ubuntu don't have to be the ones updating but they can have a policy of removing software that isn't kept up to date and banning it from future versions. Shift it back to the original developers to decide what distros to support and install the software directly, rather than through the broken repository approach.

  31. Re: Bring back Bennett!! by Anonymous Coward · · Score: 0

    What I'd like to know is why someone would apt-get a web service from Ubuntu who notoriously lags behind the current version in pretty much everything. Especially one that should have its own internal update feature (like Pydio)

  32. Same Truecrypt Behavior by Anonymous Coward · · Score: 0

    Another great tool that is restricted by "security" (for us or for someone else).