Slashdot Mirror

← Back to Stories (view on slashdot.org)

OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes

Posted by timothy on from the if-you-could-turn-back-time dept.

operator_error notes a report that ownCloud developer Lukas Reschke has emailed the Ubuntu Devel mailing list to request that ownCloud (server) be removed from the Ubuntu repositories because it contains "multiple critical security bugs for which no fixes have been backported," through which an attacker could "gain complete control [of] the web server process." From the article: However, packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released, that's why the package was removed from Ubuntu 14.10 (2 days before its release) but it's still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2). Furthermore, the ownCloud package is in the universe repository and software in this repository "WILL NOT receive any review or updates from the Ubuntu security team" (you should see this if you take a look at your /etc/apt/sources.list file) so it's up to someone from the Ubuntu community to step up and fix it. "If nobody does that, then it unfortunately stays the way it is", says Marc Deslauriers, Security Tech Lead at Canonical. You can follow the discussion @ Ubuntu Devel mailing list. So, until (if) someone fixes this, if you're using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service."

5 of 126 comments (clear)

  1. Why not allow the update into the repos? by saloomy · · Score: 2, Insightful

    That seems like a lot of dick-measuring on the part of developers. Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities? Where is the years of support? When you update your package list, the developers of those packages should be able to post updates...

    This is why Linux is not desktop ready... to many stubborn minds pushing their way.

  2. Re:Packages can't be removed? by Anonymous Coward · · Score: 0, Insightful

    Why would they be removed? Why wouldn't the motherfucking DEVELOPER of the motherfucking PACKAGE back-port a newer version to 12.04 and 14.04, in order to get an updated version of the software into the repository?

    Jesus christ, what a bunch of bitch-ass whiners. Instead of spending the probably 45 minutes it would take to backport the package to Trusty and Precise, this tard wants Ubuntu to break the repo? Fuck him.

  3. Re: Packages can't be removed? by Anonymous Coward · · Score: 5, Insightful

    The developer has fixed the code. They're not responsible for maintaining the repositories of every single distribution or there, that's the job of the package maintainer of the distribution. Problem is, the package maintainer hasn't done their job, the developer has raised concerns, and has asked for it to be pulled until they do their job. It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".

  4. Re: Packages can't be removed? by Anonymous Coward · · Score: 0, Insightful

    They're not responsible for maintaining the repositories of every single distribution or there

    No, they're responsible for maintaining their packages in every repository they wish to add their package to, though. If they want to be part of the Ubuntu repo, rather than hosting their own repository, they play by Ubuntu's rules. Don't like it? Run your own repository.

    It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".

    They can't pull it. Anybody running owncloud can update it through numerous other methods. Somebody else in the Ubuntu community (including the developer) can go fix it and upload a backported, patched version to Ubuntu if they like. This is ridiculous whining by the ownCloud dev, nothing more.

  5. Re: Packages can't be removed? by pavon · · Score: 3, Insightful

    [quote]It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".[/quote]
    The package maintainers didn't say that. This package is in the universe repository. The entire purpose of this repository is that volunteers can upload packages that Canonical has decided they aren't going to support. So Canonical isn't the package maintainer and you can't really blame them for not supporting packages that they said they aren't going to support.

    Furthermore, it sounds like the ownCloud developers want Ubuntu to either use the latest & greatest release, or remove the package entirely. If that is correct, then I think it is irresponsible on the developer's part. Version 7 only came out 3 months ago, so they really ought to be providing security patches for version 6.