Slashdot Mirror


OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes

operator_error notes a report that ownCloud developer Lukas Reschke has emailed the Ubuntu Devel mailing list to request that ownCloud (server) be removed from the Ubuntu repositories because it contains "multiple critical security bugs for which no fixes have been backported," through which an attacker could "gain complete control [of] the web server process." From the article: However, packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released; that's why the package was removed from Ubuntu 14.10 (2 days before its release) but it's still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2). Furthermore, the ownCloud package is in the universe repository and software in this repository "WILL NOT receive any review or updates from the Ubuntu security team" (you should see this if you take a look at your /etc/apt/sources.list file), so it's up to someone from the Ubuntu community to step up and fix it. "If nobody does that, then it unfortunately stays the way it is", says Marc Deslauriers, Security Tech Lead at Canonical. You can follow the discussion @ Ubuntu Devel mailing list. So, until (if) someone fixes this, if you're using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service.


  1. Why not allow the update into the repos? by saloomy · · Score: 2, Insightful

    That seems like a lot of dick-measuring on the part of developers. Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities? Where are the years of support? When you update your package list, the developers of those packages should be able to post updates...

    This is why Linux is not desktop ready... too many stubborn minds pushing their way.

    1. Re:Why not allow the update into the repos? by Gaygirlie · · Score: 3, Informative

      They *DO* provide repos for multiple distros: http://software.opensuse.org/d...

      Providing repos, however, does not fix this. If Ubuntu decides to carry packages for ownCloud on their own repos then keeping those packages up-to-date and secure is their responsibility.

    2. Re:Why not allow the update into the repos? by iYk6 · · Score: 2

      Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities?

      "multiple critical security bugs for which no fixes have been backported,"

      The summary answers your question. There are no patches that address the known security vulnerabilities.

      it's up to someone from the Ubuntu community to step up and fix it.

      If someone creates a patch, they are welcome to submit it, and maybe the package maintainer will apply it.

    3. Re: Why not allow the update into the repos? by grcumb · · Score: 2

      Why shouldn't they? If you want it included in the distro, why is it the distro's responsibility for maintaining the package?

      Because that's what fucking distros do. Maintain the fucking package.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    4. Re:Why not allow the update into the repos? by Anonymous Coward · · Score: 2, Informative

      The owncloud package is in Universe not Main. Canonical only supports packages in Main. The Ubuntu community is responsible for maintaining packages in Universe. It also should be noted that one of owncloud's contributing developers is listed as a package maintainer for owncloud in Debian. This makes the claim by Lukas Reschke that there is no one on their team that could help either update the package in Universe or contribute a backported version a little disingenuous.

    5. Re: Why not allow the update into the repos? by fnj · · Score: 4, Informative

      I don't think our AC(s) have the slightest idea how real life works. Developers don't "want their packages included" in any specific distro. Developers develop. They put the stuff out there and continually modernize it. Distros pick and choose what versions of what packages they include in any given release at the time of release. That's when all major revs are frozen for the duration of use of that distro release. The whole rat's nest of apps and libraries has to work together; you can't just update one piece of it.

      The alternative is a rolling release like Arch, where every package is continually updated to the latest. The downside to that is when, for example, Apache 2.2 gets updated to 2.4 your website stops working because they changed the details of the config file. Rolling is the way to go for desktop where you don't want million year old obsolete packages preventing you from getting anything done, but not so much for servers.

      This is to help the clueless understand. Obviously you know how it works.

    6. Re:Why not allow the update into the repos? by ChunderDownunder · · Score: 2

      Ubuntu does have backports - does this not handle 'Universe'? If it does then the dev just needs to add their package, surely.

    7. Re: Why not allow the update into the repos? by lukas4625 · · Score: 3, Informative

      This would require following processes such as SRU. While it may sound like an easy solution, this is a heavy burden which we do not want to take on ourselves.
      Especially, if we want to do security releases at the same time, we could not guarantee that this would happen at the same time, even if we maintained the Ubuntu packages ourselves. We're therefore providing our own repositories at owncloud.org/install
      But if you want to do this "trivially easy" job for us over the whole lifetime of the distribution (5 years), we'd really appreciate it.

    8. Re:Why not allow the update into the repos? by lukas4625 · · Score: 2
      As noted in another reply from myself:

      Additionally, some people in the comments seem to claim that "one developer of ownCloud is noted as maintainer for the Debian package". This entry is a legacy entry and, as you can see in the changelog at http://metadata.ftp-master.deb... [debian.org], Thomas last modified the packages on 11 Oct 2012.

      (Disclaimer: Opinions expressed in this post are solely my own and do not necessarily also express the views of the ownCloud project or my employer)

    9. Re: Why not allow the update into the repos? by smash · · Score: 2

      I don't think you understand how software gets included in a distro. The developer doesn't ask for it to be included generally, it is often packaged by some third party who likes the software and wants a debian/redhat/etc. package for it. The developers distribute via source, if a distro wants to include their own custom package for it, that's their own doing.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    10. Re:Why not allow the update into the repos? by smash · · Score: 4, Informative

      There are patches to fix the vulnerabilities, they just haven't been backported by the developer to the old version of owncloud. The official owncloud path is to upgrade to the supported release. If Ubuntu want to support the old version, it is up to them to backport fixes to the old version(s) themselves, as the FreeBSD ports team often do with the ports tree.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    11. Re:Why not allow the update into the repos? by kthreadd · · Score: 2

      The Ubuntu package repositories are divided into two parts. Main and restricted contains a limited number of packages which are supported by the Ubuntu security team, but universe and multiverse are not; they are supported (or in this case unsupported) by the Ubuntu community.

      The problem is that Ubuntu users don't know this.

  2. Re: Packages can't be removed? by Anonymous Coward · · Score: 5, Insightful

    The developer has fixed the code. They're not responsible for maintaining the repositories of every single distribution out there; that's the job of the package maintainer of the distribution. Problem is, the package maintainer hasn't done their job, the developer has raised concerns, and has asked for it to be pulled until they do their job. It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".

  3. Re: Packages can't be removed? by Gaygirlie · · Score: 3, Informative

    No, they're responsible for maintaining their packages in every repository they wish to add their package to, though. If they want to be part of the Ubuntu repo, rather than hosting their own repository, they play by Ubuntu's rules. Don't like it? Run your own repository.

    They do: http://software.opensuse.org/d...

    They're not the ones maintaining the packages in Ubuntu's repos, that's Ubuntu-folks' own doing.

  4. Re:Packages can't be removed? by Waffle+Iron · · Score: 2

    Because Ubuntu doesn't allow new major versions to be added to a distro that has already been released.

    Do they allow packages to be renamed? Then changing only 5 bits would rectify the situation.

    If they just leave the code as-is, but change the name from "ownCloud" to "pwnCloud", then the actual functionality of the package would be clear to everyone.

  5. Re: Packages can't be removed? by pavon · · Score: 3, Insightful

    [quote]It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".[/quote]
    The package maintainers didn't say that. This package is in the universe repository. The entire purpose of this repository is that volunteers can upload packages that Canonical has decided they aren't going to support. So Canonical isn't the package maintainer and you can't really blame them for not supporting packages that they said they aren't going to support.

    Furthermore, it sounds like the ownCloud developers want Ubuntu to either use the latest & greatest release, or remove the package entirely. If that is correct, then I think it is irresponsible on the developer's part. Version 7 only came out 3 months ago, so they really ought to be providing security patches for version 6.

  6. Re:Well, to be honest by fnj · · Score: 2

    Maybe it should be named Pwncloud.

  7. Re:Bring back Bennett!! by vux984 · · Score: 4, Informative

    The general issue with Bennett Haselton is simple.

    Everyone else in the world submits articles, slashdot summarizes them, links back to the full article, and the comments here ensue.

    In some cases the article links are just a link back to the article submitters own blog (and this is gently mocked but usually tolerated), in other cases the links are broken (also mocked), in some cases they are linked to an unrelated article (you bet we mock this too), and very occasionally for those people who enjoy the thrill of the hunt, they do go back to an original article in some legitimate or quasi-legitimate source of news. (Hooray!) (In which case we can mock everyone who didn't read TFA.)

    Bennett however, as if you've read any of his articles you will know, is special. He read about the virtues of conciseness, efficiency, brevity and then wrote a short epic about how why they really shouldn't apply to him.

    When he looked at what it would take to get his very own blog up and running he quickly realized that it was a pretty serious undertaking. He'd have to register somewhere, choose a password, maybe even pick a theme. Do you know how much that would cut into his actual writing time? Several minutes, at least, and he really just doesn't have that kind of time to spare, what with already being slammed just keeping up with writing down every thought that pops into his brain.

    So, long story slightly less long, he decided why not just use slashdot itself as his very own personal blog? It saves him having to sign up for one, and better still he argues, saves us a mouse click by eliminating that superfluous step of having to click through to get to the full article.

    After having this explained to him, Bennett rejected the argument and suggested we should be delighted at being able to reach his thoughts without having to make that one extra click to an external source.

    So now we just mock Bennett.

    I think that sums it up fairly concisely, at least relative to what Bennett would have said. ;)

  8. Clarification regarding backports by lukas4625 · · Score: 5, Informative

    Lukas from ownCloud here (the one mentioned in that article). I have to say that this quickly escalated in a way that I certainly did not intend. However, I'd like to clarify one thing.

    The article states "for which no fixes have been backported". With that I meant to refer to the Ubuntu packages and not Version 5 or 6. We still support ownCloud 5 for security patches and critical bugfixes and ownCloud 6 for bugfixes and security patches. This might have been unclear.

    I sent this request to Ubuntu because we're very much concerned about our users. While some of us might know that using the "Universe" repository is not that great an idea for internet-facing software, most people don't. Furthermore, I don't believe it's the responsibility of the developer to update packages in every single distribution out there. Especially with distributions such as Ubuntu you have to follow quite complex processes such as SRU, which consume a lot of time.
    Additionally, some people in the comments seem to claim that "one developer of ownCloud is noted as maintainer for the Debian package". This entry is a legacy entry and, as you can see in the changelog at http://metadata.ftp-master.deb..., Thomas last modified the packages on 11 Oct 2012.

    We always recommend that our users use one of the supported installation methods such as owncloud.org/install, where we even provide our own repositories for most distributions.

    (Disclaimer: Opinions expressed in this post are solely my own and do not necessarily also express the views of the ownCloud project or my employer)

    1. Re:Clarification regarding backports by lukas4625 · · Score: 5, Interesting

      Advising your users to use your own repository is not a satisfying answer. If there's a package in Debian, then it should be fine using it. It should as well receive (security) updates if needed.

      Absolutely, that said: the Debian maintainers are doing great work and the ownCloud Debian packages are absolutely up-to-date.

      Now, it's looking like you didn't choose to have your package "synced" in Ubuntu universe. It just happened, just like with many other software. My advice then would be to explicitly ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

      As a project we did not add our package anywhere. The point here is that we *are* responsible and actively maintaining our packages and we do it as a central place which is OBS. The problem is only that there is not yet a way to make that easy usable in Ubuntu or other distributions.

      As for updating packages in Ubuntu, my experience is that it's not that hard. Just prepare a new package, and send the link to the Ubuntu security team, and basically, they can take care of the rest.

      Why should we have to maintain our own repositories and the ones of every distribution out there? This is okay as a short-term solution where we only have to do minor updates, but as soon as we have another major update it gets somewhat trickier :-)
      I think this shows a bigger problem with the Universe repository: in our case we complained, but most other packages in there are most likely quite outdated as well, and in their case no-one bothers to complain.

  9. Re: Packages can't be removed? by Kjella · · Score: 4, Informative

    The universe repository is not supported by Ubuntu. There are four sections:

    Main - Officially supported software.
    Restricted - Supported software that is not available under a completely free license.
    Universe - Community maintained software, i.e. not officially supported software.
    Multiverse - Software that is not free.

    So someone in the "community" once made an ownCloud package, got it in universe and isn't maintaining it. Ubuntu is saying "that's not ours, you fix it" while the developers are saying "that's not ours, you fix it" and they're both making valid arguments. Ubuntu is saying the quality of the universe packages is what the community makes of it, if it's broken or vulnerable it stays that way until the community provides a fixed version. Otherwise they'd get overrun by lazy packagers who get it into the release repository then orphan it and ditch the maintenance responsibility on Ubuntu. If the developers won't jump through the hoops to fix it then it can't be that important to them.

    The developers of course see it differently, they never asked for their software to be put in this repository. They never broke it, why should they fix it? Clearly they're a victim here. Still, just because you're a victim there might still be a process. If you send an angry mail to YouTube saying "Hey you bastards, stop sharing my video kthxbye" they might redirect you to say here's the report copyright violation form, fill this out and we'll process it and you go "Nuh uh, too much work and I already told you stop so stop already." you won't get far. And Ubuntu is legally in the clear here, if they want to keep shipping that package they can. It's a request, not a demand.

    --
    Live today, because you never know what tomorrow brings
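    Kjella's list of the four archive sections, and the summary's advice to look at /etc/apt/sources.list, both come down to one practical question for anyone running an Ubuntu server: which installed packages actually come from main/restricted, and which from universe or multiverse, where the Ubuntu security team does not ship fixes? The script below is an added example written for this page; it is not from the thread, from ownCloud or from Ubuntu. It parses the real output format of `apt-cache policy` (the package versions and mirror hostnames in the embedded samples are constructed) and flags any package whose installed version did not come from main or restricted.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread, ownCloud or Ubuntu): tell from
# `apt-cache policy` output which archive component the installed version of a
# package came from, so universe/multiverse packages can be flagged.
# The output layout is apt's real format; package versions and mirror hosts in
# the samples below are constructed test data.

# Constructed: `apt-cache policy owncloud` on a 14.04 host using the universe package.
SAMPLE_UNIVERSE='owncloud:
  Installed: 6.0.1+dfsg-1
  Candidate: 6.0.1+dfsg-1
  Version table:
 *** 6.0.1+dfsg-1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed: a main package whose installed build came from trusty-security.
SAMPLE_MAIN='openssh-server:
  Installed: 1:6.6p1-2ubuntu2
  Candidate: 1:6.6p1-2ubuntu2
  Version table:
 *** 1:6.6p1-2ubuntu2 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:6.6p1-2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages'

# Constructed: installed from a downloaded .deb; no configured archive has that version.
SAMPLE_LOCAL='owncloud:
  Installed: 7.0.2-1
  Candidate: 7.0.2-1
  Version table:
 *** 7.0.2-1 0
        100 /var/lib/dpkg/status
     6.0.1+dfsg-1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages'

# component_of POLICY_OUTPUT
# Prints the component (main, restricted, universe, multiverse) of the first
# archive source listed under the installed version (the entry marked ***),
# or "unknown" when that version exists only in the dpkg status file.
component_of() {
    printf '%s\n' "$1" | awk '
        # Version entries are indented " *** " (installed) or five spaces and end
        # with a numeric pin priority; the header lines above are indented two.
        /^( \*\*\* |     )[^ ]+ [0-9]+$/ {
            in_installed = ($0 ~ /^ \*\*\* /)
            next
        }
        # Under the installed entry, an archive source line ends in "Packages" and
        # its third field is "<suite>/<component>"; the dpkg status line is skipped.
        in_installed && / Packages$/ {
            n = split($3, parts, "/")
            print parts[n]
            found = 1
            exit
        }
        END { if (!found) print "unknown" }
    '
}

# supported_component COMPONENT
# Succeeds only for the components the Ubuntu security team maintains.
supported_component() {
    case "$1" in
        main|restricted) return 0 ;;
        *) return 1 ;;
    esac
}

# check_package PKG
# Live check on an Ubuntu host: prints "<pkg> <component>" and returns 1 when the
# installed version is outside main/restricted or not from any configured archive.
check_package() {
    comp=$(component_of "$(apt-cache policy "$1" 2>/dev/null)")
    printf '%s %s\n' "$1" "$comp"
    supported_component "$comp"
}
```

    To audit a whole host, feed every installed package through it, for example `for p in $(dpkg-query -W -f='${Package}\n'); do check_package "$p"; done | grep -Ev ' (main|restricted)$'`. Two caveats: third-party repositories such as PPAs or the ownCloud OBS repository also publish a component literally named "main", so the mirror host in the source line matters as much as the component name when you decide who is actually shipping your security fixes; and a package shown as "unknown" was installed from a file or a repository that is no longer configured, which means nobody is updating it at all.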
  10. So they should fork. by Lord+Kano · · Score: 2

    Call the Ubuntu specific version PwnCloud...

    Thank you, I'll be here all week.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano