Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Bug Ubuntu Cloud Open Source Security SuSE IT Linux

OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes 126

operator_error notes a report that ownCloud developer Lukas Reschke has emailed the Ubuntu Devel mailing list to request that ownCloud (server) be removed from the Ubuntu repositories because it contains "multiple critical security bugs for which no fixes have been backported," through which an attacker could "gain complete control [of] the web server process." From the article: However, packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released, that's why the package was removed from Ubuntu 14.10 (2 days before its release) but it's still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2). Furthermore, the ownCloud package is in the universe repository and software in this repository "WILL NOT receive any review or updates from the Ubuntu security team" (you should see this if you take a look at your /etc/apt/sources.list file) so it's up to someone from the Ubuntu community to step up and fix it. "If nobody does that, then it unfortunately stays the way it is", says Marc Deslauriers, Security Tech Lead at Canonical. You can follow the discussion @ Ubuntu Devel mailing list. So, until (if) someone fixes this, if you're using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service."
This discussion has been archived. No new comments can be posted.

OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes

Comments Filter:
  • by saloomy ( 2817221 ) on Friday October 24, 2014 @10:24PM (#48227349)
    That seems like a lot of dick-measuring on the part of developers. Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities? Where is the years of support? When you update your package list, the developers of those packages should be able to post updates...

    This is why Linux is not desktop ready... to many stubborn minds pushing their way.
    • by iYk6 ( 1425255 )

      Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities?

      "multiple critical security bugs for which no fixes have been backported,"

      The summary answers your question. There are no patches that address the known security vulnerabilities.

      it's up to someone from the Ubuntu community to step up and fix it.

      If someone creates a patch, they are welcome to submit it, and maybe the package maintainer will apply it.

    • The problem is that once released, all packages on an ubuntu distro don't get updates for features anymore. This is because ubuntu isn't rolling release like arch or other distros. There are only very few exceptions like firefox.
      Ubuntu relies on upstream maintaining that current branch, or canonical does if it is in the 'main' repository, and upstream doesn't do it. For packages outside 'main', the community has to provide patches, or they go unpatched.

      This isn't being stubborn, this is just simply to keep

      • Not getting updates for features is perfectly fine. What is a problem is not getting security fixes, and having the security team of Canonical not caring at all about that.

        When someone maintains a package in Debian, he may care about it, and provide sound security updates once the stable release is out. Though what's unexpected, is that the same package, while well maintained in Debian, may not be fixed in Ubuntu, because you know... it's "Universe"... The security team from Canonical will not take the ti
        • by mysidia ( 191772 )

          Not getting updates for features is perfectly fine. What is a problem is not getting security fixes, and having the security team of Canonical not caring at all about that.

          I don't know about you, but if I maintain software; i'm shipping the security fixes and other bug fixes with the combined update. You don't get to pick and choose "security updates but no feature enhancements"

          I'm a big fan of how Firefox and others don't have separate major releases nowadays. And no "maintaining old branches"

        • by jabuzz ( 182671 )

          The problem with the Debian and Ubuntu bug fixes not updating packages is lets say I maintain an open source package and it is in Debian. I spot a bug, fix it and release a *BUG* only update with a new version number say 2.1 instead of 2.0.

          What Debian now do is wacked out stupidity. They "backport" the bug to the 2.0 package and release a "Debian 2.0" version of the package. I now as a maintainer of the software know what is in a version 2.0 of a package because Debian have been frankly dicking about, becau

    • Re: (Score:2, Informative)

      by Anonymous Coward

      The owncloud package is in Universe not Main. Canonical only supports packages in Main. The Ubuntu community is responsible for maintaining packages in Universe. It also should be noted that one of owncloud's contributing developers is listed as a package maintainer for owncloud in Debian. This makes the claim by Lukas Reschke that there is no one on their team that could help either update the package in Universe or contribute a backported version a little disingenuous.

      • Ubuntu does have backports - does this not handle 'Universe'? If it does then the dev just needs to add their package, surely.

        • by Anonymous Coward

          Yes Ubuntu has a separate backports repo for every release, but I don't think its automatically enabled. But the backport version would not replace the old version in Universe, it just would be an upgrade to it. But someone would still have to maintain that package as well and that's the crux of the problem, no one is stepping up from the community or from owncloud to do that.

      • As noted in another reply from myself:

        Additionally, some people in the comments seem to claim that "one developer of ownCloud is noted as maintainer for the Debian package". This entry is a legacy entry and as you can see in the changelog at http://metadata.ftp-master.deb... [metadata.ftp-master.deb] [debian.org] Thomas did last modify the packages at 11 Oct 2012.

        (Disclaimer: Opinions expressed in this post are solely my own and do not necessarily also express the views of the ownCloud project or my employer)

      • The point is: the Debian maintainer never asked for taking the burden of maintaining his package in Ubuntu, he just maintains it in Debian. It just happened automatically. But security updates aren't automated. Now, are you saying that he must be forced to also maintain it in Ubuntu, otherwise they will forever keep some flowed packages? Man, he didn't choose the situation, and probably he simply doesn't want to do the work in Ubuntu. Why then just keeping his package there?
    • This is the "universe" repo, which is community-maintained and not supported by Canonical in any way. It's also not enabled by default and there are ample warning when enabling it. This isn't a case of Ubuntu shipping with software that never gets updates, it's a case of Ubuntu users installing software they're told beforehand is unsupported and probably won't get updates.
  • ...opening back doors to my system is kind of the functionality I would expect from installing a package named "owncloud." At least now I know it exists so if I see it in the wild I'll know it's not an *intentional* rootkit.

  • by Lukas Reschke ( 3889899 ) <lukas@owncloud.com> on Saturday October 25, 2014 @02:05AM (#48227867)

    Lukas from ownCloud here (the one mentioned in that article). I have to say, that this quickly escalated in a way that I did certainly not intend to. However, I'd like to clarify one thing.

    The article states "for which no fixes have been backported". With that I meant to refer to the Ubuntu packages and not Version 5 or 6. We still support ownCloud 5 for security patches and critical bugfixes and ownCloud 6 for bugfixes and security patches. This might have been unclear.

    I sent this request to Ubuntu because we're very much concerned about our users. While some of us might know that using the "Universe" repository is not a that great idea for internet facing software, most people don't. Furthermore, I don't believe it's the responsibility of the developer to update packages in every single distribution out there. Especially with distributions such as Ubuntu you have to follow quite complex processes such as SRU which consumes a lot of time.
    Additionally, some people in the comments seem to claim that "one developer of ownCloud is noted as maintainer for the Debian package". This entry is a legacy entry and as you can see in the changelog at http://metadata.ftp-master.deb... [debian.org] Thomas did last modify the packages at 11 Oct 2012.

    We're always recommending to our users to use one of the supported installation methods such as owncloud.org/install where we even provide our own repositories for most distributions.

    (Disclaimer: Opinions expressed in this post are solely my own and do not necessarily also express the views of the ownCloud project or my employer)

    • Advising your users to use your own repository is not a satisfying answer. If there's a package in Debian, then it should be fine using it. It should as well receive (security) updates if needed. Now, it's looking like you didn't choose to have your package "synced" in Ubuntu universe. It just happened just like with many other software. My advice then would be to explicitely ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

      As
      • by Lukas Reschke ( 3889899 ) <lukas@owncloud.com> on Saturday October 25, 2014 @02:52AM (#48227981)

        Advising your users to use your own repository is not a satisfying answer. If there's a package in Debian, then it should be fine using it. It should as well receive (security) updates if needed.

        Absolutely, that said: the Debian maintainers are doing great work and the ownCloud Debian packages are absolutely up-to-date.

        Now, it's looking like you didn't choose to have your package "synced" in Ubuntu universe. It just happened just like with many other software. My advice then would be to explicitely ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

        As a project we did not add our package anywhere. The point here is that we *are* responsible and actively maintaining our packages and we do it as a central place which is OBS. The problem is only that there is not yet a way to make that easy usable in Ubuntu or other distributions.

        As for updating packages in Ubuntu, my experience is that it's not that hard. Just prepare a new package, and send the link to the Ubuntu security team, and basically, they can take care of the rest.

        Why should we have to maintain our own repositories and the ones of every distribution out there? - This is okay as a short-term solution where we only have to to minor updates, but as soon as we have another major update it gets somewhat trickier :-)
        I think this shows a bigger problem with the Universe repository: In our case we complained, but most other packages in there are most likely quite outdated as well but in their case no-one bothers to complain.

      • Advising your users to use your own repository is not a satisfying answer.

        Yes, yes it is. At least, I am satisfied by such an answer.

        If there's a package in Debian, then it should be fine using it.

        And if it's not fine to use it, then it should be removed from the repo, without a request from the developer.

        My advice then would be to explicitely ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

        There's no technical reason they can't remove a non-required package from a release. So yes, that's the solution, but it shouldn't be the only solution.

    • by jbolden ( 176878 )

      We're always recommending to our users to use one of the supported installation methods such as owncloud.org/install where we even provide our own repositories for most distributions.

      I understand why, but that goes against the whole philosophy of distributions. From your perspective it obviously makes things easy. From the user's perspective you are one of a 100 packages that wants to install and be configured in specialized ways. And then of course this introduces complexity in both directions. For d

  • PHP: meh
    insecure programming practices: Building SQL-Statements from string concatenation (no format strings for example) and so on
    rather slow
    NO INCREMENTAL SYNC!

    only pro: Server runs on a cheap webspace.

    And now go and have a look at seafile.com

    • Unfortunately nothing else comes even close to OwnCloud in terms of feature. Like LDAP/AD integration, proper quota, multi-platform client (although the Linux client is a shameful mess)

      Been running Owncloud for a year now and every upgrade again gives me this sick feeling in my stomach. What will they break this time... The idea behind Owncloud is solid, however their development model is a mess. Loads of re-appearing bugs in every new major release, big features which get borked during upgrades etc. It wou

      • by allo ( 1728082 )

        Meh, what did the user do before owncloud, which is a rather home grown software? I did not test a lot of groupwares, but i am aware, that there are many to choose from, with many users. Some are very old already and i guess they have many of the features a normal users needs. tine looks nice, horde is more mailcentric, egroupware is some other name i never tested ... and you can combine single products. While owncloud is nice and each feature is not too bad, there is another more complete software for each

      • Try seafile - not saying they cover everything, but for file sync, it seems to work very well (and scales better then Owncloud when you have a few thousand files).
  • If you are an decently qualidied Adminsitrator, then you always conciously choose between the following:

    a) You customize/install/update/recompile/patch the software you need on your own time. Usually you do thos when the service availability is absolutely critical and at the same time no out of the box solution exists

    b) You use an "out of the box" solution. This solution should be supported, and used within its nominal use case.

    Ubuntu very clearly states that Universe packages may - at best - only receive a

  • Call the Ubuntu specific version PwnCloud...

    Thank you, I'll be here all week.

    LK

    • by mysidia ( 191772 )

      If pwncloud.com wasn't registered by one of those folks just parking domains who probably picked up the domain to try and sell it for $20,000 or so, it would be a cool name for a fork of Owncloud.

      I guess in theory, it could also be the name a pentesting service could call their product if they specialize in pentesting services running on cloud-based infrastructure.

  • Although I've used Linux as my main OS for many years, the idea that bundling applications locked to version that cannot be update is insane and one of the things that I hate about Linux distros. Ubuntu did the same stupid thing with Firefox and Open Office at one point. Being stuck with outdated and potential insecure software, unless you compile your own or used another unofficial repository, is crazy. This is a great example of a system that is designed to fail and a huge security flaw.

    I do often comp

Disclaimer: "These opinions are my own, though for a small fee they be yours too." -- Dave Haynie

Working...