OwnCloud Dev Requests Removal From Ubuntu Repos Over Security Holes

operator_error notes a report that ownCloud developer Lukas Reschke has emailed the Ubuntu Devel mailing list to request that ownCloud (server) be removed from the Ubuntu repositories because it contains "multiple critical security bugs for which no fixes have been backported," through which an attacker could "gain complete control [of] the web server process." From the article: However, packages can't be removed from the Ubuntu repositories for an Ubuntu version that was already released, that's why the package was removed from Ubuntu 14.10 (2 days before its release) but it's still available in the Ubuntu 14.04 and 12.04 repositories (ownCloud 6.0.1 for Ubuntu 14.04 and ownCloud 5.0.4 for Ubuntu 12.04, while the latest ownCloud version is 7.0.2). Furthermore, the ownCloud package is in the universe repository and software in this repository "WILL NOT receive any review or updates from the Ubuntu security team" (you should see this if you take a look at your /etc/apt/sources.list file) so it's up to someone from the Ubuntu community to step up and fix it. "If nobody does that, then it unfortunately stays the way it is", says Marc Deslauriers, Security Tech Lead at Canonical. You can follow the discussion @ Ubuntu Devel mailing list. So, until (if) someone fixes this, if you're using ownCloud from the Ubuntu repositories, you should either remove it or upgrade to the latest ownCloud from its official repository, hosted by the openSUSE Build Service."

Re: Packages can't be removed?

[Anonymous Coward]

The developer has fixed the code. They're not responsible for maintaining the repositories of every single distribution or there, that's the job of the package maintainer of the distribution. Problem is, the package maintainer hasn't done their job, the developer has raised concerns, and has asked for it to be pulled until they do their job. It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re: Packages can't be removed?

[Kjella]

The universe repository is not supported by Ubuntu. There are four sections [ubuntu.com]:

Main - Officially supported software.
Restricted - Supported software that is not available under a completely free license.
Universe - Community maintained software, i.e. not officially supported software.
Multiverse - Software that is not free.

So someone in the "community" once made an ownCloud package, got it in universe and isn't maintaining it. Ubuntu is saying "that's not ours, you fix it" while the developers are saying "that's not ours, you fix it" and they're both making valid arguments. Ubuntu is saying the quality of the universe packages is what the community makes of it, if it's broken or vulnerable it stays that way until the community provides a fixed version. Otherwise they'd get overrun by lazy packagers who get it into the release repository then orphan it and ditch the maintenance responsibility on Ubuntu. If the developers won't jump through the hoops to fix it then it can't be that important to them.

The developers of course see it differently, they never asked for their software to be put in this repository. They never broke it, why should they fix it? Clearly they're a victim here. Still, just because you're a victim there might still be a process. If you send an angry mail to YouTube saying "Hey you bastards, stop sharing my video kthxbye" they might redirect you to say here's the report copyright violation form, fill this out and we'll process it and you go "Nuh uh, too much work and I already told you stop so stop already." you won't get far. And Ubuntu is legally in the clear here, if they want to keep shipping that package they can. It's a request, not a demand.

Re:

[BronsCon]

why is it officially part of the stable release?

It's not. The stable release consists of the repos that are enabled by default, a list which does not include universe. The universe repository also comes with the following warning:

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.

There are similar, but stronger, warnings on multiverse and backports, as well. It's not like they don't tell you what you're

Re: Packages can't be removed?

[pavon]

[quote]It's just irresponsible for the package maintainers to come back and say "we can't pull it, we're leaving it as is, and we're not patching it either".[/quote]
The package maintainers didn't say that. This package is in the universe repository. The entire purpose of this repository is that volunteers can upload packages that Canonical has decided they aren't going to support. So Canonical isn't the package maintainer and you can't really blame them for not supporting packages that they said they aren't going to support.

Furthermore, it sounds like the ownCloud developers want Ubuntu to either use the latest & greatest release, or remove the package entirely. If that is correct, then I think it is irresponsible on the developer's part. Version 7 only came out 3 months ago, so they really ought to be providing security patches for version 6.

Re:

[smash]

It is up to the package maintainer to backport security fixes if they want them. If they don't want to remove the package fair enough, but they should be popping up copious warnings, and maybe push a package update that alerts via script (even if it doesn't secure the package) that "THIS PACKAGE IS INSECURE AND UNMAINTAINED - it is recommended you deinstall and upgrade via original sources" or similar. This is similar to how FreeBSD ports work.

Re:

[BronsCon]

You mean warnings like this comment above the disabled by default universe repository (where owncloud exists)?

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.

That covers the entire repository, including its contents, which would include owncloud, if installed from Ubuntu's repository. If installed from elsewhere, it's not Ubuntu's responsibility, anyway

Re:

[HJED]

Because ubuntu dosen't allow new major versions to be added to a distro that has already been released.

Re:

[Waffle Iron]

Because ubuntu dosen't allow new major versions to be added to a distro that has already been released.

Do they allow packages to be ranamed? Then changing only 5 bits woudl rectify the situation.

If they just leave the code as-is, but change the name from "ownCloud" to "pwnCloud", then the actual functionality of the package would be clear to everyone.

Re:

[dissy]

No, because renaming it has the same effects on existing systems. The installed package "ownCloud" is no longer there (by that name) so future usage of apt-get can still break.

I'm less familiar with Ubuntu specifically but have extensive Debian experience, so can't comment on the Ubuntu policy, but I suspect Ubuntu views this more as removing a package is them breaking package management on existing systems, vs leaving it as is would still be breaking the system due to the vulnerabilities but not Ubuntu's

Transitional packages

[tepples]

No, because renaming it has the same effects on existing systems. The installed package "ownCloud" is no longer there (by that name) so future usage of apt-get can still break.

Of course it can. The repository maintainer can introduce a new package pwnCloud and turn ownCloud into a metapackage that requires pwnCloud. This "transitional package" pattern [askubuntu.com] happens often in Ubuntu updates.

Re:

[x_t0ken_407]

Lol!!!! Where are my mod points...

Re:

[smash]

As I understand it, this package is not part of the official ubuntu distribution, but part of the third party not officially supported packages, so that should not preclude it from being updated.

Re:

[dbraden]

That's correct. It's in the "universe" repo, which is community maintained, so it's not Canonical's responsibility to keep it updated. It's up to the package maintainer(s) to back-port security fixes, and I don't think anyone has volunteered to take that on.

Re: Packages can't be removed?

[pinkushun]

Even if they did remove it, it will only prevent new installations of that package, it will _not_ remove all those instances already running.

Think ahead, folks.

Re:

[silfen]

There are lots of things they can do, however: they can upgrade to an empty package, upgrade to a package that requires positive confirmation from the user upon upgrade, or upgrade to a package with a non-existent dependency.

Re:

[jrumney]

The last option would result in the current version remaining on user's machines. If a dependency for an update is not available, apt will hold the package back.

Re:

[GPLHost-Thomas]

Of course it makes sense: this is Ubuntu. When they say "it's from universe", you should understand: "we synced from Debian, and we wont do any more work on the package, as we don't give a shit about what we ship".

I think it's more than time that everyone understand Ubuntu is not a good fit for running a server, unless you remove nearly all software from it (that is: everything that is "synced from Debian"). So then, why not using Debian in the first place?

Re:

[kthreadd]

The reasons that I often hear is more reliable release cycle and supported hardware enabledment kernels during the first two years of and LTS. But yes, most Ubuntu users do not understand the security ramifications of using packages from the Universe component.

Why not allow the update into the repos?

[saloomy]

That seems like a lot of dick-measuring on the part of developers. Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities? Where is the years of support? When you update your package list, the developers of those packages should be able to post updates...

This is why Linux is not desktop ready... to many stubborn minds pushing their way.

Re:

[iYk6]

Why wouldn't Canonical simply update the repository with patches that address known security vulnerabilities?

"multiple critical security bugs for which no fixes have been backported,"

The summary answers your question. There are no patches that address the known security vulnerabilities.

it's up to someone from the Ubuntu community to step up and fix it.

If someone creates a patch, they are welcome to submit it, and maybe the package maintainer will apply it.

Re:Why not allow the update into the repos?

[smash]

There are patches to fix the vulnerabilities, they just haven't been backported by the developer to the old version of owncloud. The official owncloud path is to upgrade to the supported release. If Ubuntu want to support the old version, it is up to them to backport fixes to the old version(s) themselves, as the FreeBSD ports team often do with the ports tree.

Re:

[NotInHere]

The problem is that once released, all packages on an ubuntu distro don't get updates for features anymore. This is because ubuntu isn't rolling release like arch or other distros. There are only very few exceptions like firefox.
Ubuntu relies on upstream maintaining that current branch, or canonical does if it is in the 'main' repository, and upstream doesn't do it. For packages outside 'main', the community has to provide patches, or they go unpatched.

This isn't being stubborn, this is just simply to keep

Re:

[BronsCon]

It's was removed from 14.10 prior to release, so, for the current and future Ubuntu releases, this is a solved issue.

Re:

[GPLHost-Thomas]

Not getting updates for features is perfectly fine. What is a problem is not getting security fixes, and having the security team of Canonical not caring at all about that.

When someone maintains a package in Debian, he may care about it, and provide sound security updates once the stable release is out. Though what's unexpected, is that the same package, while well maintained in Debian, may not be fixed in Ubuntu, because you know... it's "Universe"... The security team from Canonical will not take the ti

Re:

[mysidia]

Not getting updates for features is perfectly fine. What is a problem is not getting security fixes, and having the security team of Canonical not caring at all about that.

I don't know about you, but if I maintain software; i'm shipping the security fixes and other bug fixes with the combined update. You don't get to pick and choose "security updates but no feature enhancements"

I'm a big fan of how Firefox and others don't have separate major releases nowadays. And no "maintaining old branches"

Re:

[jabuzz]

The problem with the Debian and Ubuntu bug fixes not updating packages is lets say I maintain an open source package and it is in Debian. I spot a bug, fix it and release a *BUG* only update with a new version number say 2.1 instead of 2.0.

What Debian now do is wacked out stupidity. They "backport" the bug to the 2.0 package and release a "Debian 2.0" version of the package. I now as a maintainer of the software know what is in a version 2.0 of a package because Debian have been frankly dicking about, becau

Re:

[Anonymous Coward]

The owncloud package is in Universe not Main. Canonical only supports packages in Main. The Ubuntu community is responsible for maintaining packages in Universe. It also should be noted that one of owncloud's contributing developers is listed as a package maintainer for owncloud in Debian. This makes the claim by Lukas Reschke that there is no one on their team that could help either update the package in Universe or contribute a backported version a little disingenuous.

Re:

[ChunderDownunder]

Ubuntu does have backports - does this not handle 'Universe'? If it does then the dev just needs to add their package, surely.

Re:

[Anonymous Coward]

Yes Ubuntu has a separate backports repo for every release, but I don't think its automatically enabled. But the backport version would not replace the old version in Universe, it just would be an upgrade to it. But someone would still have to maintain that package as well and that's the crux of the problem, no one is stepping up from the community or from owncloud to do that.

Re:

[Lukas Reschke]

As noted in another reply from myself:

Additionally, some people in the comments seem to claim that "one developer of ownCloud is noted as maintainer for the Debian package". This entry is a legacy entry and as you can see in the changelog at http://metadata.ftp-master.deb... [metadata.ftp-master.deb] [debian.org] Thomas did last modify the packages at 11 Oct 2012.

(Disclaimer: Opinions expressed in this post are solely my own and do not necessarily also express the views of the ownCloud project or my employer)

Re:

[GPLHost-Thomas]

The point is: the Debian maintainer never asked for taking the burden of maintaining his package in Ubuntu, he just maintains it in Debian. It just happened automatically. But security updates aren't automated. Now, are you saying that he must be forced to also maintain it in Ubuntu, otherwise they will forever keep some flowed packages? Man, he didn't choose the situation, and probably he simply doesn't want to do the work in Ubuntu. Why then just keeping his package there?

Re:

[BronsCon]

This is the "universe" repo, which is community-maintained and not supported by Canonical in any way. It's also not enabled by default and there are ample warning when enabling it. This isn't a case of Ubuntu shipping with software that never gets updates, it's a case of Ubuntu users installing software they're told beforehand is unsupported and probably won't get updates.

Re:

[grcumb]

Why shouldn't they? If you want it included in the distro, why is it the distro's responsibility for maintaining the package?

Because that's what fucking distros do. Maintain the fucking package.

Re: Why not allow the update into the repos?

[fnj]

I don't think our AC(s) have the slightest idea how real life works. Developers don't "want their packages included" in any specific distro. Developers develop. They put the stuff out there and continually modernize it. Distros pick and choose what versions of what packages they include in any given release at the time of release. That's when all major revs are frozen for the duration of use of that distro release. The whole rat's nest of apps and libraries has to work together, You can't just update one piece of it.

The alternative is a rolling release like Arch, where every package is continually updated to the latest. The downside to that is when, for example, Apache 2.2 gets updated to 2.4 your website stops working because they changed the details of the config file. Rolling is the way to go for desktop where you don't want million year old obsolete packages preventing you from getting anything done, but not so much for servers.

This is to help the clueless understand. Obviously you know how it works.

Re:

[Lukas Reschke]

This would require to follow processes such as SRU [ubuntu.com]. - While it may sounds like an easy solution this is a heavy burden which we do not want to take on us.
Especially, if we want to do security releases at the same time we could - even if we would maintain the Ubuntu packages ourself - not guarantee that this would happen at the same time. We're therefore providing our own repositories at owncloud.org/install
But if you want to do this "trivially easy" job for us over the whole lifetime of the distribution (

Re:

[Khyber]

"this is a heavy burden which we do not want to take on us."

Go figure, GOOD PRACTICES are too much of a fucking burden.

What sort of shit software developer are you?

Re:

[BronsCon]

The kind that introduced the bug that cause this whole issue to come up in the first place. That said, nobody's perfect and every developer has introduced boner security bugs at some point or another; some of us are just more willing to take the extra steps to fix them.

Re:

[smash]

If it's trivially easy, why haven't you done it?

Re:

[Zero__Kelvin]

And how, prey tell, do you expect the developers to sign their packages with everybody else's private keys? If they do that the update will fail, because the package manager isn't going to install a package from an Ubuntu repository that isn't signed by Cannonical's private key, for example.

Re:

[tepples]

Each PPA has its own key pair.

Re:

[mysidia]

I vote the software author should provide an update to the Debian package though. The "update" should generate PROMINENT WARNINGS for the user that their software is out of date, that the debian packages are no longer being maintained, and FOLLOW THE FOLLOWING INSTRUCTIONS to switch from a .DEB managed installation to a .TAR.GZ managed installation.

Re:

[smash]

I don't think you understand how software gets included in a distro. The developer doesn't ask for it to be included generally, it is often packaged by some third party who likes the software and wants a debian/redhat/etc. package for it. The developers distribute via source, if a distro wants to include their own custom package for it, that's their own doing.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[kthreadd]

Explain for me why the developers cannot simply upload their EXISTING 12.04 and 14.04 backports to Ubuntu, again?

They want you to use their package repository.
If the Ubuntu community wants to provide a version in the Ubuntu repository then the Ubuntu community has to support it.

Re: Why not allow the update into the repos?

[pinkushun]

Excellent point! I never knew they provided these repos...

Either way, the version jump is too large to demand an automatic update, so the next natural step would be a security update, which is supposed to be supported by 12.04[1] and 14.04.

These usually enter the stream as patches, so it is likely that nobody has submitted a patch to fix these holes.

[1]: https://help.ubuntu.com/commun... [ubuntu.com]

Re:

[Anonymous Coward]

But it is Ubuntu's responsibility to make sure they don't have shitty ports. FreeBSD and PC-BSD backport fixes all the time. That's part of what the "Ports Team" does.

Maybe Ubuntu should grow up a bit like FreeBSD.

"Given the huge number of ports in the tree, a security advisory cannot be issued on each incident without creating a flood and losing the attention of the audience when it comes to really serious matters. Therefore security vulnerabilities found in ports are recorded in the FreeBSD VuXML da

Re:

[kthreadd]

The Ubuntu package repositories are divided into two parts. Main and restricted contains a limited number of packages which are supported by the Ubuntu security team, but universe and multiverse are not; they are supported (or in this case unsupported) by the Ubuntu community.

The problem is that Ubuntu users don't know this.

Re:

[BronsCon]

Ubuntu users don't need to know that unless they've enabled the universe, multiverse, or backports repositories, in which case they only don't know it if they didn't read the comments in the sources.list file while enabling them or, if they're using a GUI, they ignore the warnings that come up when they check the little boxes.

Re:

[kthreadd]

My understanding is that the Ubuntu community does not have the manpower that it takes to maintain universe, and Canonical is primarily only intrested in maintaining main and restricted. What they really should do is disable universe and multiverse by default.

Re:

[smash]

The developer may have nothing to do with Ubuntu, packages for distributions are often developed by a third party who takes the official sources and packages it up themselves. The developers often do not package anything directly and have no interest in maintaining packages for other people's operating systems. They distribute via source.

Re:

[kthreadd]

The Ubuntu security team (which is mostly paid Canonical employees) provides security updates for packages in the main and restricted component. Packages in universe (such as owncloud) and multiverse are not supported by the security team.

Well, to be honest

[skids]

...opening back doors to my system is kind of the functionality I would expect from installing a package named "owncloud." At least now I know it exists so if I see it in the wild I'll know it's not an *intentional* rootkit.

Re:

[fnj]

Maybe it should be named Pwncloud.

Clarification regarding backports

[Lukas Reschke]

Lukas from ownCloud here (the one mentioned in that article). I have to say, that this quickly escalated in a way that I did certainly not intend to. However, I'd like to clarify one thing.

The article states "for which no fixes have been backported". With that I meant to refer to the Ubuntu packages and not Version 5 or 6. We still support ownCloud 5 for security patches and critical bugfixes and ownCloud 6 for bugfixes and security patches. This might have been unclear.

I sent this request to Ubuntu because we're very much concerned about our users. While some of us might know that using the "Universe" repository is not a that great idea for internet facing software, most people don't. Furthermore, I don't believe it's the responsibility of the developer to update packages in every single distribution out there. Especially with distributions such as Ubuntu you have to follow quite complex processes such as SRU which consumes a lot of time.
Additionally, some people in the comments seem to claim that "one developer of ownCloud is noted as maintainer for the Debian package". This entry is a legacy entry and as you can see in the changelog at http://metadata.ftp-master.deb... [debian.org] Thomas did last modify the packages at 11 Oct 2012.

We're always recommending to our users to use one of the supported installation methods such as owncloud.org/install where we even provide our own repositories for most distributions.

(Disclaimer: Opinions expressed in this post are solely my own and do not necessarily also express the views of the ownCloud project or my employer)

Re:

[GPLHost-Thomas]

Advising your users to use your own repository is not a satisfying answer. If there's a package in Debian, then it should be fine using it. It should as well receive (security) updates if needed. Now, it's looking like you didn't choose to have your package "synced" in Ubuntu universe. It just happened just like with many other software. My advice then would be to explicitely ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

As

Re:Clarification regarding backports

[Lukas Reschke]

Advising your users to use your own repository is not a satisfying answer. If there's a package in Debian, then it should be fine using it. It should as well receive (security) updates if needed.

Absolutely, that said: the Debian maintainers are doing great work and the ownCloud Debian packages are absolutely up-to-date.

Now, it's looking like you didn't choose to have your package "synced" in Ubuntu universe. It just happened just like with many other software. My advice then would be to explicitely ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

As a project we did not add our package anywhere. The point here is that we *are* responsible and actively maintaining our packages and we do it as a central place which is OBS. The problem is only that there is not yet a way to make that easy usable in Ubuntu or other distributions.

As for updating packages in Ubuntu, my experience is that it's not that hard. Just prepare a new package, and send the link to the Ubuntu security team, and basically, they can take care of the rest.

Why should we have to maintain our own repositories and the ones of every distribution out there? - This is okay as a short-term solution where we only have to to minor updates, but as soon as we have another major update it gets somewhat trickier :-)
I think this shows a bigger problem with the Universe repository: In our case we complained, but most other packages in there are most likely quite outdated as well but in their case no-one bothers to complain.

Re:

[GPLHost-Thomas]

I fully agree with you. There's a big problem with the Universe repository.

Re:

[drinkypoo]

Advising your users to use your own repository is not a satisfying answer.

Yes, yes it is. At least, I am satisfied by such an answer.

If there's a package in Debian, then it should be fine using it.

And if it's not fine to use it, then it should be removed from the repo, without a request from the developer.

My advice then would be to explicitely ask that the owncloud package is not synced again in any future release of Ubuntu, so you don't run into the same trouble again.

There's no technical reason they can't remove a non-required package from a release. So yes, that's the solution, but it shouldn't be the only solution.

Re:

[jbolden]

We're always recommending to our users to use one of the supported installation methods such as owncloud.org/install where we even provide our own repositories for most distributions.

I understand why, but that goes against the whole philosophy of distributions. From your perspective it obviously makes things easy. From the user's perspective you are one of a 100 packages that wants to install and be configured in specialized ways. And then of course this introduces complexity in both directions. For d

Re:

[geminidomino]

Your righteous indignation might have been more inspiring were it not being bogged down by your semi-literacy and incompetence.

I am not impressed with ownCloud's heavy-handed approach to dictating what distros can provide in their repositories,

Did you read a different message than the one everyone's sharing around the internet, or do you not know the difference between a command and a request: an actual request, at that, not even one delivered at the barrel of a lawyer.

Considering the biggest part of the userbase for Owncloud is privacy- and security-minded sysadmins (running their own rather than trusting the outside pro

Re:

[jbolden]

And thus, the fledgling learns the value of "backups before updates", after landing flat on his beak.

Or better. Backup complex software always. Have extra backups done using a different mechanism before updates.

Re:

[Qzukk]

I am not impressed with ownCloud's heavy-handed approach to dictating what distros can provide in their repositories

"Please do not ship outdated buggy binaries."

Drop owncloud

[allo]

PHP: meh
insecure programming practices: Building SQL-Statements from string concatenation (no format strings for example) and so on
rather slow
NO INCREMENTAL SYNC!

only pro: Server runs on a cheap webspace.

And now go and have a look at seafile.com

Re:

[javanree]

Unfortunately nothing else comes even close to OwnCloud in terms of feature. Like LDAP/AD integration, proper quota, multi-platform client (although the Linux client is a shameful mess)

Been running Owncloud for a year now and every upgrade again gives me this sick feeling in my stomach. What will they break this time... The idea behind Owncloud is solid, however their development model is a mess. Loads of re-appearing bugs in every new major release, big features which get borked during upgrades etc. It wou

Re:

[allo]

Meh, what did the user do before owncloud, which is a rather home grown software? I did not test a lot of groupwares, but i am aware, that there are many to choose from, with many users. Some are very old already and i guess they have many of the features a normal users needs. tine looks nice, horde is more mailcentric, egroupware is some other name i never tested ... and you can combine single products. While owncloud is nice and each feature is not too bad, there is another more complete software for each

Re:

[WuphonsReach]

Try seafile - not saying they cover everything, but for file sync, it seems to work very well (and scales better then Owncloud when you have a few thousand files).

Re:

[allo]

It's not my code, i am only a user.
But in my experience, the developers are reacting quite good on "issues" on their github (see the repos of haiwen).
On the other hand, the owncloud devs tend to "i close this (still open) bug due to inactivity", when the inactivity is on their side, because they just need to fix the stuff with all information already provided.

Re:

[allo]

yep, its a filesync tool.

for calendar and contacts you may still consider owncloud, but there are a lot of "groupwares", which do a fine job.
owncloud tries to do everything ... which gives quite a cloud replacement if you look at google, but may be a bit too much for a single project, which needs to maintain all this stuff.

i used owncloud and despite the other flaws, the missing incremental sync (which will not be added later) was the top argument. you cannot upload 100 mb each time you change a tiny bit.

Responsiiblity

[drolli]

If you are an decently qualidied Adminsitrator, then you always conciously choose between the following:

a) You customize/install/update/recompile/patch the software you need on your own time. Usually you do thos when the service availability is absolutely critical and at the same time no out of the box solution exists

b) You use an "out of the box" solution. This solution should be supported, and used within its nominal use case.

Ubuntu very clearly states that Universe packages may - at best - only receive a

So they should fork.

[Lord Kano]

Call the Ubuntu specific version PwnCloud...

Thank you, I'll be here all week.

LK

Re:

[mysidia]

If pwncloud.com wasn't registered by one of those folks just parking domains who probably picked up the domain to try and sell it for $20,000 or so, it would be a cool name for a fork of Owncloud.

I guess in theory, it could also be the name a pentesting service could call their product if they specialize in pentesting services running on cloud-based infrastructure.

One of the things I hate about Linux

[melting_clock]

Although I've used Linux as my main OS for many years, the idea that bundling applications locked to version that cannot be update is insane and one of the things that I hate about Linux distros. Ubuntu did the same stupid thing with Firefox and Open Office at one point. Being stuck with outdated and potential insecure software, unless you compile your own or used another unofficial repository, is crazy. This is a great example of a system that is designed to fail and a huge security flaw.

I do often comp

Re:

[LordLimecat]

Was. His account no longer exists. All prior articles no longer have a link to his profile page, and manually typing it in gets a "not found".

Re:

[NotInHere]

Frequent summary submitter describes it very good:

http://slashdot.org/story/13/1... [slashdot.org]
http://tech.slashdot.org/story... [slashdot.org]
http://yro.slashdot.org/story/... [slashdot.org]
http://news.slashdot.org/story... [slashdot.org]

He just makes very long submissions. And since this week, a troll has been very busy, submitting stories:

http://slashdot.org/submission... [slashdot.org]
http://slashdot.org/submission... [slashdot.org]

and writing But-what-does-frequent-contributor-Bennett-Haselton-think-about-this posts into stories. The term "Frequent contributor" has been used in a summary

Re:Bring back Bennett!!

[vux984]

The general issue with Bennett Haselton is simple.

Everyone else in the world submits articles, slashdot summarizes them, links back to the full article, and the comments here ensue.

In some cases the article links are just a link back to the article submitters own blog (and this is gently mocked but usually tolerated), in other cases the links are broken (also mocked), in some cases they are linked to an unrelated article (you bet we mock this too), and very occasionally for those people who enjoy the thrill of the hunt, they do go back to an original article in some legitimate or quasi-legitimate source of news. (Hooray!) (In which case we can mock everyone who didn't read TFA.)

Bennett however, as if you've read any of his articles you will know, is special. He read about the virtues of conciseness, efficiency, brevity and then wrote a short epic about how why they really shouldn't apply to him.

When he looked at what it would take to get his very own blog up and running he quickly realized that it was a pretty serious undertaking. He'd have to register somewhere, choose a password, maybe even pick a theme. Do you know how much that would cut into his actual writing time? Several minutes, at least, and he really just doesn't have that kind of time to spare, what with already being slammed just keeping up with writing down every thought that pops into his brain.

So, long story slightly less long, he decided why not just use slashdot itself as his very own personal blog? It saves him having to sign up for one, and better still he argues, saves us a mouse click by eliminating that superfluous step of having to click through to get to the full article.

After having this explained to him, Bennett rejected the argument and suggested we should be delighted at being able to reach his thoughts without having to make that one extra click to an external source.

So now we just mock Bennett.

I think that sums it up fairly concisely, at least relative to what Bennett would have said. ;)

Re:

[jones_supa]

So now we just mock Bennett.

I'm not sure if he deserves all the mockery. Maybe some people think that he has posted a couple of silly opinion pieces, but that does not make him a malicious monster.

Re:

[LordLimecat]

His ideas are very often absurd, and appear very much as if he recently learned about (or began thinking on) a topic, and immediately crafted an opinion on how everyone else who is an expert in said field is wrong.

Notable entries in this category:
* Why the 5th amendment is totally unnecessary. [slashdot.org]
* More questions about the 5th amendment, [slashdot.org] indicating a lack of understanding of its background and purpose (leading one to question in what way Bennett was qualified to raise objections to it).
*

Re:

[LordLimecat]

Theres also the fact that his ideas are often enough repellent, such as when he explains how we dont really need the double jeopardy or self incrimination protections of the 5th amendment, or how Computer Acceptable Use Policies and the corresponding network IDS and filtering systems are literally Hitler.

Re:

[TheRaven64]

Bennett has been posting these long ramblings since a very long time before Dice bought Slashdot. Unfortunately, I think that your complaints are not likely to be heard because Slashdot seems to have had a policy for a long time of not recruiting editors from people who regularly read the site...

Re:

[Teun]

My tablet has it's own spell checker, why doesn't yours?

Re:

[tepples]

If PHP ought to be banned, then what migration path do you propose for (say) Wikipedia, which runs MediaWiki software, which is written in PHP? This migration path proposal might give ownCloud's developers ideas on how to migrate from PHP.