OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes

operator_error notes a report that ownCloud developer Lukas Reschke has emailed the Ubuntu Devel mailing list to request that ownCloud (server) be removed from the Ubuntu repositories because it contains "multiple critical security bugs for which no fixes have been backported," through which an attacker could "gain complete control [of] the web server process." From the article: However, packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released, that's why the package was removed from Ubuntu 14.10 (2 days before its release) but it's still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2). Furthermore, the ownCloud package is in the universe repository and software in this repository "WILL NOT receive any review or updates from the Ubuntu security team" (you should see this if you take a look at your /etc/apt/sources.list file) so it's up to someone from the Ubuntu community to step up and fix it. "If nobody does that, then it unfortunately stays the way it is", says Marc Deslauriers, Security Tech Lead at Canonical. You can follow the discussion @ Ubuntu Devel mailing list. So, until (if) someone fixes this, if you're using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service."

Why not allow the update into the repos?

[saloomy]

That seems like a lot of dick-measuring on the part of developers. Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities? Where is the years of support? When you update your package list, the developers of those packages should be able to post updates...

This is why Linux is not desktop ready... to many stubborn minds pushing their way.

Re:Why not allow the update into the repos?

[Gaygirlie]

They *DO* provide repos for multiple distros: http://software.opensuse.org/d...

Providing repos, however, does not fix this. If Ubuntu decides to carry packages for ownCloud on their on repos then keeping those packages up-to-date and secure is their responsibility.

Re:Why not allow the update into the repos?

[iYk6]

Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities?

"multiple critical security bugs for which no fixes have been backported,"

The summary answers your question. There are no patches that address the known security vulnerabilities.

it's up to someone from the Ubuntu community to step up and fix it.

If someone creates a patch, they are welcome to submit it, and maybe the package maintainer will apply it.

Re:Why not allow the update into the repos?

But it is Ubuntu's responsibility to make sure they don't have shitty ports. FreeBSD and PC-BSD backport fixes all the time. That's part of what the "Ports Team" does.

Maybe Ubuntu should grow up a bit like FreeBSD.

"Given the huge number of ports in the tree, a security advisory cannot be issued on each incident without creating a flood and losing the attention of the audience when it comes to really serious matters. Therefore security vulnerabilities found in ports are recorded in the FreeBSD VuXML database. The Security Officer Team members also monitor it for issues requiring their intervention. ... exceptionally severe vulnerability should not hesitate to contact the Security Officer Team directly, as described on the FreeBSD Security Information page."

Re: Why not allow the update into the repos?

[grcumb]

Why shouldn't they? If you want it included in the distro, why is it the distro's responsibility for maintaining the package?

Because that's what fucking distros do. Maintain the fucking package.

Re:Why not allow the update into the repos?

[NotInHere]

The problem is that once released, all packages on an ubuntu distro don't get updates for features anymore. This is because ubuntu isn't rolling release like arch or other distros. There are only very few exceptions like firefox.
Ubuntu relies on upstream maintaining that current branch, or canonical does if it is in the 'main' repository, and upstream doesn't do it. For packages outside 'main', the community has to provide patches, or they go unpatched.

This isn't being stubborn, this is just simply to keep something feature stable. This is neccessary for some people, and also something that microsoft does. But unlike microsoft, ubuntu also tries to keep almost all applications feature stable. This is harder than "just" a basic platform. And the basic platform is already in the 'main' repo, which gets patches.

But still I don't understand why Owncloud has been included in the first place if nobody wanted to provide patches for it. If nobody can do that, its not part of Ubuntu, simple as that. There is a ppa for ownloud for those who want to install it.

Re:Why not allow the update into the repos?

The owncloud package is in Universe not Main. Canonical only supports packages in Main. The Ubuntu community is responsible for maintaining packages in Universe. It also should be noted that one of owncloud's contributing developers is listed as a package maintainer for owncloud in Debian. This makes the claim by Lukas Reschke that there is no one on their team that could help either update the package in Universe or contribute a backported version a little disingenuous.

Re: Why not allow the update into the repos?

[fnj]

I don't think our AC(s) have the slightest idea how real life works. Developers don't "want their packages included" in any specific distro. Developers develop. They put the stuff out there and continually modernize it. Distros pick and choose what versions of what packages they include in any given release at the time of release. That's when all major revs are frozen for the duration of use of that distro release. The whole rat's nest of apps and libraries has to work together, You can't just update one piece of it.

The alternative is a rolling release like Arch, where every package is continually updated to the latest. The downside to that is when, for example, Apache 2.2 gets updated to 2.4 your website stops working because they changed the details of the config file. Rolling is the way to go for desktop where you don't want million year old obsolete packages preventing you from getting anything done, but not so much for servers.

This is to help the clueless understand. Obviously you know how it works.

Re: Why not allow the update into the repos?

[pinkushun]

Excellent point! I never knew they provided these repos...

Either way, the version jump is too large to demand an automatic update, so the next natural step would be a security update, which is supposed to be supported by 12.04[1] and 14.04.

These usually enter the stream as patches, so it is likely that nobody has submitted a patch to fix these holes.

[1]: https://help.ubuntu.com/commun...

Re:Why not allow the update into the repos?

[ChunderDownunder]

Ubuntu does have backports - does this not handle 'Universe'? If it does then the dev just needs to add their package, surely.

Re:Why not allow the update into the repos?

Yes Ubuntu has a separate backports repo for every release, but I don't think its automatically enabled. But the backport version would not replace the old version in Universe, it just would be an upgrade to it. But someone would still have to maintain that package as well and that's the crux of the problem, no one is stepping up from the community or from owncloud to do that.

Re: Why not allow the update into the repos?

[lukas4625]

This would require to follow processes such as SRU. - While it may sounds like an easy solution this is a heavy burden which we do not want to take on us.
Especially, if we want to do security releases at the same time we could - even if we would maintain the Ubuntu packages ourself - not guarantee that this would happen at the same time. We're therefore providing our own repositories at owncloud.org/install
But if you want to do this "trivially easy" job for us over the whole lifetime of the distribution (5 years) we'd really appreciate it.

Re:Why not allow the update into the repos?

[lukas4625]

As noted in another reply from myself:

Additionally, some people in the comments seem to claim that "one developer of ownCloud is noted as maintainer for the Debian package". This entry is a legacy entry and as you can see in the changelog at http://metadata.ftp-master.deb... [debian.org] Thomas did last modify the packages at 11 Oct 2012.

(Disclaimer: Opinions expressed in this post are solely my own and do not necessarily also express the views of the ownCloud project or my employer)

Re:Why not allow the update into the repos?

[smash]

The developer may have nothing to do with Ubuntu, packages for distributions are often developed by a third party who takes the official sources and packages it up themselves. The developers often do not package anything directly and have no interest in maintaining packages for other people's operating systems. They distribute via source.

Re: Why not allow the update into the repos?

[smash]

I don't think you understand how software gets included in a distro. The developer doesn't ask for it to be included generally, it is often packaged by some third party who likes the software and wants a debian/redhat/etc. package for it. The developers distribute via source, if a distro wants to include their own custom package for it, that's their own doing.

Re: Why not allow the update into the repos?

[smash]

If it's trivially easy, why haven't you done it?

Re:Why not allow the update into the repos?

[smash]

There are patches to fix the vulnerabilities, they just haven't been backported by the developer to the old version of owncloud. The official owncloud path is to upgrade to the supported release. If Ubuntu want to support the old version, it is up to them to backport fixes to the old version(s) themselves, as the FreeBSD ports team often do with the ports tree.

Re:Why not allow the update into the repos?

[GPLHost-Thomas]

Not getting updates for features is perfectly fine. What is a problem is not getting security fixes, and having the security team of Canonical not caring at all about that.

When someone maintains a package in Debian, he may care about it, and provide sound security updates once the stable release is out. Though what's unexpected, is that the same package, while well maintained in Debian, may not be fixed in Ubuntu, because you know... it's "Universe"... The security team from Canonical will not take the time to get the updated package from Debian, unless someone carefully prepares the update and do the work for them.

The final result is that the Ubuntu universe repository is full of security issues unless someone "from the community" (understand: the Debian package maintainer) cares doing it, which often doesn't happen.

Don't use Ubuntu on your servers, it's simply not safe.

Re:Why not allow the update into the repos?

[GPLHost-Thomas]

The point is: the Debian maintainer never asked for taking the burden of maintaining his package in Ubuntu, he just maintains it in Debian. It just happened automatically. But security updates aren't automated. Now, are you saying that he must be forced to also maintain it in Ubuntu, otherwise they will forever keep some flowed packages? Man, he didn't choose the situation, and probably he simply doesn't want to do the work in Ubuntu. Why then just keeping his package there?

Re:Why not allow the update into the repos?

[kthreadd]

Explain for me why the developers cannot simply upload their EXISTING 12.04 and 14.04 backports to Ubuntu, again?

They want you to use their package repository.
If the Ubuntu community wants to provide a version in the Ubuntu repository then the Ubuntu community has to support it.

Re:Why not allow the update into the repos?

[kthreadd]

The Ubuntu package repositories are divided into two parts. Main and restricted contains a limited number of packages which are supported by the Ubuntu security team, but universe and multiverse are not; they are supported (or in this case unsupported) by the Ubuntu community.

The problem is that Ubuntu users don't know this.

Re: Why not allow the update into the repos?

[Zero__Kelvin]

And how, prey tell, do you expect the developers to sign their packages with everybody else's private keys? If they do that the update will fail, because the package manager isn't going to install a package from an Ubuntu repository that isn't signed by Cannonical's private key, for example.

Re: Why not allow the update into the repos?

[tepples]

Each PPA has its own key pair.

Re:Why not allow the update into the repos?

[kthreadd]

My understanding is that the Ubuntu community does not have the manpower that it takes to maintain universe, and Canonical is primarily only intrested in maintaining main and restricted. What they really should do is disable universe and multiverse by default.

Re:Why not allow the update into the repos?

[BronsCon]

This is the "universe" repo, which is community-maintained and not supported by Canonical in any way. It's also not enabled by default and there are ample warning when enabling it. This isn't a case of Ubuntu shipping with software that never gets updates, it's a case of Ubuntu users installing software they're told beforehand is unsupported and probably won't get updates.

Re: Why not allow the update into the repos?

[BronsCon]

The kind that introduced the bug that cause this whole issue to come up in the first place. That said, nobody's perfect and every developer has introduced boner security bugs at some point or another; some of us are just more willing to take the extra steps to fix them.

Re:Why not allow the update into the repos?

[BronsCon]

Ubuntu users don't need to know that unless they've enabled the universe, multiverse, or backports repositories, in which case they only don't know it if they didn't read the comments in the sources.list file while enabling them or, if they're using a GUI, they ignore the warnings that come up when they check the little boxes.

Re:Why not allow the update into the repos?

[BronsCon]

It's was removed from 14.10 prior to release, so, for the current and future Ubuntu releases, this is a solved issue.

Re: Why not allow the update into the repos?

[mysidia]

I vote the software author should provide an update to the Debian package though. The "update" should generate PROMINENT WARNINGS for the user that their software is out of date, that the debian packages are no longer being maintained, and FOLLOW THE FOLLOWING INSTRUCTIONS to switch from a .DEB managed installation to a .TAR.GZ managed installation.

Re:Why not allow the update into the repos?

[mysidia]

Not getting updates for features is perfectly fine. What is a problem is not getting security fixes, and having the security team of Canonical not caring at all about that.

I don't know about you, but if I maintain software; i'm shipping the security fixes and other bug fixes with the combined update. You don't get to pick and choose "security updates but no feature enhancements"

I'm a big fan of how Firefox and others don't have separate major releases nowadays. And no "maintaining old branches"

Re:Why not allow the update into the repos?

[jabuzz]

The problem with the Debian and Ubuntu bug fixes not updating packages is lets say I maintain an open source package and it is in Debian. I spot a bug, fix it and release a *BUG* only update with a new version number say 2.1 instead of 2.0.

What Debian now do is wacked out stupidity. They "backport" the bug to the 2.0 package and release a "Debian 2.0" version of the package. I now as a maintainer of the software know what is in a version 2.0 of a package because Debian have been frankly dicking about, because they think they are the only people in the world that might do bug fix only releases. Makes them a bunch of jerks to be honest.

I say this as someone who users Debian and has packages in Debian that this sort of stupidity has been done to in the past.

Re: Packages can't be removed?

The developer has fixed the code. They're not responsible for maintaining the repositories of every single distribution or there, that's the job of the package maintainer of the distribution. Problem is, the package maintainer hasn't done their job, the developer has raised concerns, and has asked for it to be pulled until they do their job. It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".

Well, to be honest

[skids]

...opening back doors to my system is kind of the functionality I would expect from installing a package named "owncloud." At least now I know it exists so if I see it in the wild I'll know it's not an *intentional* rootkit.

Re:Well, to be honest

[fnj]

Maybe it should be named Pwncloud.

Re: Packages can't be removed?

[Gaygirlie]

No, they're responsible for maintaining their packages in every repository they wish to add their package to, though. If they want to be part of the Ubuntu repo, rather than hosting their own repository, they play by Ubuntu's rules. Don't like it? Run your own repository.

They do: http://software.opensuse.org/d...

They're not the ones maintaining the packages in Ubuntu's repos, that's Ubuntu-folks' own doing.

Re:Packages can't be removed?

[HJED]

Because ubuntu dosen't allow new major versions to be added to a distro that has already been released.

Re: Packages can't be removed?

[pinkushun]

Even if they did remove it, it will only prevent new installations of that package, it will _not_ remove all those instances already running.

Think ahead, folks.

Re:Packages can't be removed?

[Waffle+Iron]

Because ubuntu dosen't allow new major versions to be added to a distro that has already been released.

Do they allow packages to be ranamed? Then changing only 5 bits woudl rectify the situation.

If they just leave the code as-is, but change the name from "ownCloud" to "pwnCloud", then the actual functionality of the package would be clear to everyone.

Re: Packages can't be removed?

[pavon]

[quote]It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".[/quote]
The package maintainers didn't say that. This package is in the universe repository. The entire purpose of this repository is that volunteers can upload packages that Canonical has decided they aren't going to support. So Canonical isn't the package maintainer and you can't really blame them for not supporting packages that they said they aren't going to support.

Furthermore, it sounds like the ownCloud developers want Ubuntu to either use the latest & greatest release, or remove the package entirely. If that is correct, then I think it is irresponsible on the developer's part. Version 7 only came out 3 months ago, so they really ought to be providing security patches for version 6.

Re: Packages can't be removed?

[silfen]

There are lots of things they can do, however: they can upgrade to an empty package, upgrade to a package that requires positive confirmation from the user upon upgrade, or upgrade to a package with a non-existent dependency.

Re:Bring back Bennett!!

[vux984]

The general issue with Bennett Haselton is simple.

Everyone else in the world submits articles, slashdot summarizes them, links back to the full article, and the comments here ensue.

In some cases the article links are just a link back to the article submitters own blog (and this is gently mocked but usually tolerated), in other cases the links are broken (also mocked), in some cases they are linked to an unrelated article (you bet we mock this too), and very occasionally for those people who enjoy the thrill of the hunt, they do go back to an original article in some legitimate or quasi-legitimate source of news. (Hooray!) (In which case we can mock everyone who didn't read TFA.)

Bennett however, as if you've read any of his articles you will know, is special. He read about the virtues of conciseness, efficiency, brevity and then wrote a short epic about how why they really shouldn't apply to him.

When he looked at what it would take to get his very own blog up and running he quickly realized that it was a pretty serious undertaking. He'd have to register somewhere, choose a password, maybe even pick a theme. Do you know how much that would cut into his actual writing time? Several minutes, at least, and he really just doesn't have that kind of time to spare, what with already being slammed just keeping up with writing down every thought that pops into his brain.

So, long story slightly less long, he decided why not just use slashdot itself as his very own personal blog? It saves him having to sign up for one, and better still he argues, saves us a mouse click by eliminating that superfluous step of having to click through to get to the full article.

After having this explained to him, Bennett rejected the argument and suggested we should be delighted at being able to reach his thoughts without having to make that one extra click to an external source.

So now we just mock Bennett.

I think that sums it up fairly concisely, at least relative to what Bennett would have said. ;)

Re: Packages can't be removed?

[jrumney]

The last option would result in the current version remaining on user's machines. If a dependency for an update is not available, apt will hold the package back.

Clarification regarding backports

[lukas4625]

Lukas from ownCloud here (the one mentioned in that article). I have to say, that this quickly escalated in a way that I did certainly not intend to. However, I'd like to clarify one thing.

The article states "for which no fixes have been backported". With that I meant to refer to the Ubuntu packages and not Version 5 or 6. We still support ownCloud 5 for security patches and critical bugfixes and ownCloud 6 for bugfixes and security patches. This might have been unclear.

I sent this request to Ubuntu because we're very much concerned about our users. While some of us might know that using the "Universe" repository is not a that great idea for internet facing software, most people don't. Furthermore, I don't believe it's the responsibility of the developer to update packages in every single distribution out there. Especially with distributions such as Ubuntu you have to follow quite complex processes such as SRU which consumes a lot of time.
Additionally, some people in the comments seem to claim that "one developer of ownCloud is noted as maintainer for the Debian package". This entry is a legacy entry and as you can see in the changelog at http://metadata.ftp-master.deb... Thomas did last modify the packages at 11 Oct 2012.

We're always recommending to our users to use one of the supported installation methods such as owncloud.org/install where we even provide our own repositories for most distributions.

(Disclaimer: Opinions expressed in this post are solely my own and do not necessarily also express the views of the ownCloud project or my employer)

Re:Clarification regarding backports

[GPLHost-Thomas]

Advising your users to use your own repository is not a satisfying answer. If there's a package in Debian, then it should be fine using it. It should as well receive (security) updates if needed. Now, it's looking like you didn't choose to have your package "synced" in Ubuntu universe. It just happened just like with many other software. My advice then would be to explicitely ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

As for updating packages in Ubuntu, my experience is that it's not that hard. Just prepare a new package, and send the link to the Ubuntu security team, and basically, they can take care of the rest.

Re:Clarification regarding backports

[lukas4625]

Advising your users to use your own repository is not a satisfying answer. If there's a package in Debian, then it should be fine using it. It should as well receive (security) updates if needed.

Absolutely, that said: the Debian maintainers are doing great work and the ownCloud Debian packages are absolutely up-to-date.

Now, it's looking like you didn't choose to have your package "synced" in Ubuntu universe. It just happened just like with many other software. My advice then would be to explicitely ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

As a project we did not add our package anywhere. The point here is that we *are* responsible and actively maintaining our packages and we do it as a central place which is OBS. The problem is only that there is not yet a way to make that easy usable in Ubuntu or other distributions.

As for updating packages in Ubuntu, my experience is that it's not that hard. Just prepare a new package, and send the link to the Ubuntu security team, and basically, they can take care of the rest.

Why should we have to maintain our own repositories and the ones of every distribution out there? - This is okay as a short-term solution where we only have to to minor updates, but as soon as we have another major update it gets somewhat trickier :-)
I think this shows a bigger problem with the Universe repository: In our case we complained, but most other packages in there are most likely quite outdated as well but in their case no-one bothers to complain.

Re:Clarification regarding backports

[drinkypoo]

Advising your users to use your own repository is not a satisfying answer.

Yes, yes it is. At least, I am satisfied by such an answer.

If there's a package in Debian, then it should be fine using it.

And if it's not fine to use it, then it should be removed from the repo, without a request from the developer.

My advice then would be to explicitely ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

There's no technical reason they can't remove a non-required package from a release. So yes, that's the solution, but it shouldn't be the only solution.

Re:Clarification regarding backports

[geminidomino]

Your righteous indignation might have been more inspiring were it not being bogged down by your semi-literacy and incompetence.

I am not impressed with ownCloud's heavy-handed approach to dictating what distros can provide in their repositories,

Did you read a different message than the one everyone's sharing around the internet, or do you not know the difference between a command and a request: an actual request, at that, not even one delivered at the barrel of a lawyer.

Considering the biggest part of the userbase for Owncloud is privacy- and security-minded sysadmins (running their own rather than trusting the outside providers), I'd say not wanting them to get pwned because Ubuntu's serving out stale versions is a pretty good thing. They're not the package mantainers, and it's Ubuntu who doesn't seem to give a shit here (there's no good excuse for 'we can't take the unmaintained exploitable package out of the unmaintained repository).

I'm not impressed with the attitudes on display in the ownCloud community and I am very unhappy with the way ownCloud's software wiped out all my work files when I upgraded to the "safe" version. If ownCloud was really interested in the sfety of their users and the users' data, this would have been handled much differently.

And thus, the fledgling learns the value of "backups before updates", after landing flat on his beak.

Re:Clarification regarding backports

[GPLHost-Thomas]

I fully agree with you. There's a big problem with the Universe repository.

Re:Clarification regarding backports

[jbolden]

We're always recommending to our users to use one of the supported installation methods such as owncloud.org/install where we even provide our own repositories for most distributions.

I understand why, but that goes against the whole philosophy of distributions. From your perspective it obviously makes things easy. From the user's perspective you are one of a 100 packages that wants to install and be configured in specialized ways. And then of course this introduces complexity in both directions. For distribution packages which want features of OwnCloud they are going to pull down the Ubuntu package possibly crewing up the custom distribution. For OwnCloud packages that want dependency they aren't going to pull in the right things from the Ubuntu distribution or link to them properly. A total mess.

Really there is no good solution then there existing a package maintainer for the major distributions. owncloud.com has to decide if making owncloud.org's product work well/safely on Ubuntu is good or bad for the business. I can easily see either being the case. Ubuntu has to decide if owncloud.org's product is worth them supporting and right now they've decided no. If both decide no, and no individual steps up then... well there is a problem and owncloud will be iffy on Ubuntu.

Re:Clarification regarding backports

[jbolden]

And thus, the fledgling learns the value of "backups before updates", after landing flat on his beak.

Or better. Backup complex software always. Have extra backups done using a different mechanism before updates.

Re:Clarification regarding backports

[Qzukk]

I am not impressed with ownCloud's heavy-handed approach to dictating what distros can provide in their repositories

"Please do not ship outdated buggy binaries."

Re: Packages can't be removed?

[smash]

It is up to the package maintainer to backport security fixes if they want them. If they don't want to remove the package fair enough, but they should be popping up copious warnings, and maybe push a package update that alerts via script (even if it doesn't secure the package) that "THIS PACKAGE IS INSECURE AND UNMAINTAINED - it is recommended you deinstall and upgrade via original sources" or similar. This is similar to how FreeBSD ports work.

Re:Packages can't be removed?

[smash]

As I understand it, this package is not part of the official ubuntu distribution, but part of the third party not officially supported packages, so that should not preclude it from being updated.

Re:Packages can't be removed?

[GPLHost-Thomas]

Of course it makes sense: this is Ubuntu. When they say "it's from universe", you should understand: "we synced from Debian, and we wont do any more work on the package, as we don't give a shit about what we ship".

I think it's more than time that everyone understand Ubuntu is not a good fit for running a server, unless you remove nearly all software from it (that is: everything that is "synced from Debian"). So then, why not using Debian in the first place?

Re:Packages can't be removed?

[kthreadd]

The reasons that I often hear is more reliable release cycle and supported hardware enabledment kernels during the first two years of and LTS. But yes, most Ubuntu users do not understand the security ramifications of using packages from the Universe component.

Re:Open Source Triumphs Again!

[kthreadd]

The Ubuntu security team (which is mostly paid Canonical employees) provides security updates for packages in the main and restricted component. Packages in universe (such as owncloud) and multiverse are not supported by the security team.

Re:Packages can't be removed?

[dbraden]

That's correct. It's in the "universe" repo, which is community maintained, so it's not Canonical's responsibility to keep it updated. It's up to the package maintainer(s) to back-port security fixes, and I don't think anyone has volunteered to take that on.

Re: Packages can't be removed?

[Kjella]

The universe repository is not supported by Ubuntu. There are four sections:

Main - Officially supported software.
Restricted - Supported software that is not available under a completely free license.
Universe - Community maintained software, i.e. not officially supported software.
Multiverse - Software that is not free.

So someone in the "community" once made an ownCloud package, got it in universe and isn't maintaining it. Ubuntu is saying "that's not ours, you fix it" while the developers are saying "that's not ours, you fix it" and they're both making valid arguments. Ubuntu is saying the quality of the universe packages is what the community makes of it, if it's broken or vulnerable it stays that way until the community provides a fixed version. Otherwise they'd get overrun by lazy packagers who get it into the release repository then orphan it and ditch the maintenance responsibility on Ubuntu. If the developers won't jump through the hoops to fix it then it can't be that important to them.

The developers of course see it differently, they never asked for their software to be put in this repository. They never broke it, why should they fix it? Clearly they're a victim here. Still, just because you're a victim there might still be a process. If you send an angry mail to YouTube saying "Hey you bastards, stop sharing my video kthxbye" they might redirect you to say here's the report copyright violation form, fill this out and we'll process it and you go "Nuh uh, too much work and I already told you stop so stop already." you won't get far. And Ubuntu is legally in the clear here, if they want to keep shipping that package they can. It's a request, not a demand.

Re:Bring back Bennett!!

[jones_supa]

So now we just mock Bennett.

I'm not sure if he deserves all the mockery. Maybe some people think that he has posted a couple of silly opinion pieces, but that does not make him a malicious monster.

Re:Packages can't be removed?

[dissy]

No, because renaming it has the same effects on existing systems. The installed package "ownCloud" is no longer there (by that name) so future usage of apt-get can still break.

I'm less familiar with Ubuntu specifically but have extensive Debian experience, so can't comment on the Ubuntu policy, but I suspect Ubuntu views this more as removing a package is them breaking package management on existing systems, vs leaving it as is would still be breaking the system due to the vulnerabilities but not Ubuntu's fault (which I still find arguable, but again it's also just my guess)

Debian stable will also out right refuse to break apt by removing a package, however Debian has a large security patch repo plus a huge backports repo and community - which typically spends their own time back porting patches for newer app versions from the original developers back to older versions the devs stopped patching.

Many years ago at least Ubuntu still did not have the infrastructure for this nor dedicated any man power to the task. Sounds like that is still at least partially the case there.

This is also why ownCloud distributes their stuff in their own repo, which is the best way to go about it (so props to ownCloud there)
That way it is completely up to them how "stable" they want their software to be viewed.
They can either force people to upgrade to a new major version, breaking all existing installs until configs can be updated - or they can try to be stable and backport patches - or anything in between.

It's just mind boggling some dip decided that despite the fact ownCloud has their own maintained packages and even a repo for them, that it would at all be necessary to claim "now i'm the package maintainer!" and put it in Ubuntus repo...

Was this Ubuntus direct doing?
In Debian only the core system is packaged by their own team. 3rd party stuff however anyone can step up and decide to be the package maintainer, compiling from src to debian standards and releasing debs. But it's usually easier to see who to point the finger at in that case.

Re:Bring back Bennett!!

[TheRaven64]

Bennett has been posting these long ramblings since a very long time before Dice bought Slashdot. Unfortunately, I think that your complaints are not likely to be heard because Slashdot seems to have had a policy for a long time of not recruiting editors from people who regularly read the site...

Re:Bring back Bennett!!

[LordLimecat]

Theres also the fact that his ideas are often enough repellent, such as when he explains how we dont really need the double jeopardy or self incrimination protections of the 5th amendment, or how Computer Acceptable Use Policies and the corresponding network IDS and filtering systems are literally Hitler.

Re:Bring back Bennett!!

[LordLimecat]

His ideas are very often absurd, and appear very much as if he recently learned about (or began thinking on) a topic, and immediately crafted an opinion on how everyone else who is an expert in said field is wrong.

Notable entries in this category:
  * Why the 5th amendment is totally unnecessary.
  * More questions about the 5th amendment, indicating a lack of understanding of its background and purpose (leading one to question in what way Bennett was qualified to raise objections to it).
  * Why corporate network filtering and intrusion prevention are tyranny
  * Why you should ignore every lawyer's advice of "dont talk to cops".

There are hundreds more, if you do a search for Bennett Haselton. The guy is well intentioned-- he clearly has a passion for getting rid of censorship and fixing the world-- the trouble is that hes proven massively susceptible to the Dunning-Kruger effect.

Re:Bring back Bennett!!

[LordLimecat]

Was. His account no longer exists. All prior articles no longer have a link to his profile page, and manually typing it in gets a "not found".

Re:Drop owncloud

[allo]

It's not my code, i am only a user.
But in my experience, the developers are reacting quite good on "issues" on their github (see the repos of haiwen).
On the other hand, the owncloud devs tend to "i close this (still open) bug due to inactivity", when the inactivity is on their side, because they just need to fix the stuff with all information already provided.

Transitional packages

[tepples]

No, because renaming it has the same effects on existing systems. The installed package "ownCloud" is no longer there (by that name) so future usage of apt-get can still break.

Of course it can. The repository maintainer can introduce a new package pwnCloud and turn ownCloud into a metapackage that requires pwnCloud. This "transitional package" pattern happens often in Ubuntu updates.

Re:owncloud is implemented in ... wait for it

[tepples]

If PHP ought to be banned, then what migration path do you propose for (say) Wikipedia, which runs MediaWiki software, which is written in PHP? This migration path proposal might give ownCloud's developers ideas on how to migrate from PHP.

Re:Drop owncloud

[allo]

yep, its a filesync tool.

for calendar and contacts you may still consider owncloud, but there are a lot of "groupwares", which do a fine job.
owncloud tries to do everything ... which gives quite a cloud replacement if you look at google, but may be a bit too much for a single project, which needs to maintain all this stuff.

i used owncloud and despite the other flaws, the missing incremental sync (which will not be added later) was the top argument. you cannot upload 100 mb each time you change a tiny bit.

Re: owncloud is implemented in ... wait for it

[Teun]

My tablet has it's own spell checker, why doesn't yours?

Responsiiblity

[drolli]

If you are an decently qualidied Adminsitrator, then you always conciously choose between the following:

a) You customize/install/update/recompile/patch the software you need on your own time. Usually you do thos when the service availability is absolutely critical and at the same time no out of the box solution exists

b) You use an "out of the box" solution. This solution should be supported, and used within its nominal use case.

Ubuntu very clearly states that Universe packages may - at best - only receive a minimal quality check at the distibution release and are patched by maintainers, which are not necessarily authors of the software nor employees of ubunut. As such their time which they may spend to predictably react to problems is limited, and, if anything in their life changes they just have to stop doing anything for the package without further warning - if the packge is important enogh for you, donate money to the maintainer and pay him.

I appreciate that the author loudly raises his concers, but i think anybody running an unsupported port of an program is responsible for himself. Pulling the pckage is not good. I for my part run any service for myself (file sharing etc) on a machine which only shows a single port for a vpn to the outside world. If something other than a security problem in the VPN software apprears, i would prefer to contunue using (and reinstalling) the packages which I chose.

If I run SW which faces the internet, then if fix it myself

Re: Packages can't be removed?

[BronsCon]

why is it officially part of the stable release?

It's not. The stable release consists of the repos that are enabled by default, a list which does not include universe. The universe repository also comes with the following warning:

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.

There are similar, but stronger, warnings on multiverse and backports, as well. It's not like they don't tell you what you're getting yourself into when you choose to enable those sources.

Re: Packages can't be removed?

[BronsCon]

You mean warnings like this comment above the disabled by default universe repository (where owncloud exists)?

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.

That covers the entire repository, including its contents, which would include owncloud, if installed from Ubuntu's repository. If installed from elsewhere, it's not Ubuntu's responsibility, anyway.

Re:Drop owncloud

[javanree]

Unfortunately nothing else comes even close to OwnCloud in terms of feature. Like LDAP/AD integration, proper quota, multi-platform client (although the Linux client is a shameful mess)

Been running Owncloud for a year now and every upgrade again gives me this sick feeling in my stomach. What will they break this time... The idea behind Owncloud is solid, however their development model is a mess. Loads of re-appearing bugs in every new major release, big features which get borked during upgrades etc. It would be nice if they stopped messing about with new stuff so much, focused more on stability and made sure their stuff works without issues on common platforms such as RedHat Enterprise 6 (both server and client, without warnings)

Re:Drop owncloud

[allo]

Meh, what did the user do before owncloud, which is a rather home grown software? I did not test a lot of groupwares, but i am aware, that there are many to choose from, with many users. Some are very old already and i guess they have many of the features a normal users needs. tine looks nice, horde is more mailcentric, egroupware is some other name i never tested ... and you can combine single products. While owncloud is nice and each feature is not too bad, there is another more complete software for each feature, which is just not integrating into a single product, which is the advantage of owncloud.

So they should fork.

[Lord+Kano]

Call the Ubuntu specific version PwnCloud...

Thank you, I'll be here all week.

LK

Re:So they should fork.

[mysidia]

If pwncloud.com wasn't registered by one of those folks just parking domains who probably picked up the domain to try and sell it for $20,000 or so, it would be a cool name for a fork of Owncloud.

I guess in theory, it could also be the name a pentesting service could call their product if they specialize in pentesting services running on cloud-based infrastructure.

Re:Packages can't be removed?

[x_t0ken_407]

Lol!!!! Where are my mod points...

One of the things I hate about Linux

[melting_clock]

Although I've used Linux as my main OS for many years, the idea that bundling applications locked to version that cannot be update is insane and one of the things that I hate about Linux distros. Ubuntu did the same stupid thing with Firefox and Open Office at one point. Being stuck with outdated and potential insecure software, unless you compile your own or used another unofficial repository, is crazy. This is a great example of a system that is designed to fail and a huge security flaw.

I do often compile and install or directly install debs or add other repos. It isn't difficult but can become a hassle when it expects a base Linux environment that is very different. It is about time for some standardisation in the Linux distros. That would also help with a broader adoption of Linux in a desktop role and attract more commercial software to Linux that is currently Windows only. Commercial devs can chose between developing for a small number of Windows versions or a shitload of constantly changing version of Linux. Learn something from the example of Android as a commercially successful version of Linux...

Locking the core OS and software necessary to provide a common base makes some sense but this is taken too far. Either keep software in repositories updated or don't provide them. Ubuntu don't have to be the ones updating but they can have a policy of removing software that isn't keep up to date and banning it from future versions. Shift it back to the original developers to decide what distros to support and install the software directly, rather than through the broken repository approach.

Re:Drop owncloud

[WuphonsReach]

Try seafile - not saying they cover everything, but for file sync, it seems to work very well (and scales better then Owncloud when you have a few thousand files).