Slashdot Mirror

← Back to Stories (view on slashdot.org)

OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes

Posted by timothy on from the if-you-could-turn-back-time dept.

operator_error notes a report that ownCloud developer Lukas Reschke has emailed the Ubuntu Devel mailing list to request that ownCloud (server) be removed from the Ubuntu repositories because it contains "multiple critical security bugs for which no fixes have been backported," through which an attacker could "gain complete control [of] the web server process." From the article: However, packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released, that's why the package was removed from Ubuntu 14.10 (2 days before its release) but it's still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2). Furthermore, the ownCloud package is in the universe repository and software in this repository "WILL NOT receive any review or updates from the Ubuntu security team" (you should see this if you take a look at your /etc/apt/sources.list file) so it's up to someone from the Ubuntu community to step up and fix it. "If nobody does that, then it unfortunately stays the way it is", says Marc Deslauriers, Security Tech Lead at Canonical. You can follow the discussion @ Ubuntu Devel mailing list. So, until (if) someone fixes this, if you're using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service."

10 of 126 comments (clear)

  1. Re:Why not allow the update into the repos? by Gaygirlie · · Score: 3, Informative

    They *DO* provide repos for multiple distros: http://software.opensuse.org/d...

    Providing repos, however, does not fix this. If Ubuntu decides to carry packages for ownCloud on their on repos then keeping those packages up-to-date and secure is their responsibility.

  2. Re: Packages can't be removed? by Gaygirlie · · Score: 3, Informative

    No, they're responsible for maintaining their packages in every repository they wish to add their package to, though. If they want to be part of the Ubuntu repo, rather than hosting their own repository, they play by Ubuntu's rules. Don't like it? Run your own repository.

    They do: http://software.opensuse.org/d...

    They're not the ones maintaining the packages in Ubuntu's repos, that's Ubuntu-folks' own doing.

  3. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 2, Informative

    The owncloud package is in Universe not Main. Canonical only supports packages in Main. The Ubuntu community is responsible for maintaining packages in Universe. It also should be noted that one of owncloud's contributing developers is listed as a package maintainer for owncloud in Debian. This makes the claim by Lukas Reschke that there is no one on their team that could help either update the package in Universe or contribute a backported version a little disingenuous.

  4. Re: Why not allow the update into the repos? by fnj · · Score: 4, Informative

    I don't think our AC(s) have the slightest idea how real life works. Developers don't "want their packages included" in any specific distro. Developers develop. They put the stuff out there and continually modernize it. Distros pick and choose what versions of what packages they include in any given release at the time of release. That's when all major revs are frozen for the duration of use of that distro release. The whole rat's nest of apps and libraries has to work together, You can't just update one piece of it.

    The alternative is a rolling release like Arch, where every package is continually updated to the latest. The downside to that is when, for example, Apache 2.2 gets updated to 2.4 your website stops working because they changed the details of the config file. Rolling is the way to go for desktop where you don't want million year old obsolete packages preventing you from getting anything done, but not so much for servers.

    This is to help the clueless understand. Obviously you know how it works.

  5. Re:Bring back Bennett!! by vux984 · · Score: 4, Informative

    The general issue with Bennett Haselton is simple.

    Everyone else in the world submits articles, slashdot summarizes them, links back to the full article, and the comments here ensue.

    In some cases the article links are just a link back to the article submitters own blog (and this is gently mocked but usually tolerated), in other cases the links are broken (also mocked), in some cases they are linked to an unrelated article (you bet we mock this too), and very occasionally for those people who enjoy the thrill of the hunt, they do go back to an original article in some legitimate or quasi-legitimate source of news. (Hooray!) (In which case we can mock everyone who didn't read TFA.)

    Bennett however, as if you've read any of his articles you will know, is special. He read about the virtues of conciseness, efficiency, brevity and then wrote a short epic about how why they really shouldn't apply to him.

    When he looked at what it would take to get his very own blog up and running he quickly realized that it was a pretty serious undertaking. He'd have to register somewhere, choose a password, maybe even pick a theme. Do you know how much that would cut into his actual writing time? Several minutes, at least, and he really just doesn't have that kind of time to spare, what with already being slammed just keeping up with writing down every thought that pops into his brain.

    So, long story slightly less long, he decided why not just use slashdot itself as his very own personal blog? It saves him having to sign up for one, and better still he argues, saves us a mouse click by eliminating that superfluous step of having to click through to get to the full article.

    After having this explained to him, Bennett rejected the argument and suggested we should be delighted at being able to reach his thoughts without having to make that one extra click to an external source.

    So now we just mock Bennett.

    I think that sums it up fairly concisely, at least relative to what Bennett would have said. ;)

  6. Clarification regarding backports by lukas4625 · · Score: 5, Informative

    Lukas from ownCloud here (the one mentioned in that article). I have to say, that this quickly escalated in a way that I did certainly not intend to. However, I'd like to clarify one thing.

    The article states "for which no fixes have been backported". With that I meant to refer to the Ubuntu packages and not Version 5 or 6. We still support ownCloud 5 for security patches and critical bugfixes and ownCloud 6 for bugfixes and security patches. This might have been unclear.

    I sent this request to Ubuntu because we're very much concerned about our users. While some of us might know that using the "Universe" repository is not a that great idea for internet facing software, most people don't. Furthermore, I don't believe it's the responsibility of the developer to update packages in every single distribution out there. Especially with distributions such as Ubuntu you have to follow quite complex processes such as SRU which consumes a lot of time.
    Additionally, some people in the comments seem to claim that "one developer of ownCloud is noted as maintainer for the Debian package". This entry is a legacy entry and as you can see in the changelog at http://metadata.ftp-master.deb... Thomas did last modify the packages at 11 Oct 2012.

    We're always recommending to our users to use one of the supported installation methods such as owncloud.org/install where we even provide our own repositories for most distributions.

    (Disclaimer: Opinions expressed in this post are solely my own and do not necessarily also express the views of the ownCloud project or my employer)

  7. Re: Why not allow the update into the repos? by lukas4625 · · Score: 3, Informative

    This would require to follow processes such as SRU. - While it may sounds like an easy solution this is a heavy burden which we do not want to take on us.
    Especially, if we want to do security releases at the same time we could - even if we would maintain the Ubuntu packages ourself - not guarantee that this would happen at the same time. We're therefore providing our own repositories at owncloud.org/install
    But if you want to do this "trivially easy" job for us over the whole lifetime of the distribution (5 years) we'd really appreciate it.

  8. Re:Why not allow the update into the repos? by smash · · Score: 4, Informative

    There are patches to fix the vulnerabilities, they just haven't been backported by the developer to the old version of owncloud. The official owncloud path is to upgrade to the supported release. If Ubuntu want to support the old version, it is up to them to backport fixes to the old version(s) themselves, as the FreeBSD ports team often do with the ports tree.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  9. Re: Packages can't be removed? by Kjella · · Score: 4, Informative

    The universe repository is not supported by Ubuntu. There are four sections:

    Main - Officially supported software.
    Restricted - Supported software that is not available under a completely free license.
    Universe - Community maintained software, i.e. not officially supported software.
    Multiverse - Software that is not free.

    So someone in the "community" once made an ownCloud package, got it in universe and isn't maintaining it. Ubuntu is saying "that's not ours, you fix it" while the developers are saying "that's not ours, you fix it" and they're both making valid arguments. Ubuntu is saying the quality of the universe packages is what the community makes of it, if it's broken or vulnerable it stays that way until the community provides a fixed version. Otherwise they'd get overrun by lazy packagers who get it into the release repository then orphan it and ditch the maintenance responsibility on Ubuntu. If the developers won't jump through the hoops to fix it then it can't be that important to them.

    The developers of course see it differently, they never asked for their software to be put in this repository. They never broke it, why should they fix it? Clearly they're a victim here. Still, just because you're a victim there might still be a process. If you send an angry mail to YouTube saying "Hey you bastards, stop sharing my video kthxbye" they might redirect you to say here's the report copyright violation form, fill this out and we'll process it and you go "Nuh uh, too much work and I already told you stop so stop already." you won't get far. And Ubuntu is legally in the clear here, if they want to keep shipping that package they can. It's a request, not a demand.

    --
    Live today, because you never know what tomorrow brings
  10. Re:Bring back Bennett!! by LordLimecat · · Score: 1, Informative

    His ideas are very often absurd, and appear very much as if he recently learned about (or began thinking on) a topic, and immediately crafted an opinion on how everyone else who is an expert in said field is wrong.

    Notable entries in this category:
      * Why the 5th amendment is totally unnecessary.
      * More questions about the 5th amendment, indicating a lack of understanding of its background and purpose (leading one to question in what way Bennett was qualified to raise objections to it).
      * Why corporate network filtering and intrusion prevention are tyranny
      * Why you should ignore every lawyer's advice of "dont talk to cops".

    There are hundreds more, if you do a search for Bennett Haselton. The guy is well intentioned-- he clearly has a passion for getting rid of censorship and fixing the world-- the trouble is that hes proven massively susceptible to the Dunning-Kruger effect.