[Pkg-owncloud-maintainers] Owncloud / security support

Moritz Mühlenhoff jmm at inutil.org
Thu Aug 28 16:27:13 UTC 2014


Hi David,

On Wed, Aug 27, 2014 at 06:30:44PM -0400, David Prévot wrote:
> Hi,
> 
> I’ve not noticed any follow up from the security team, please point me
> to it if I missed it.

I thought I had replied, but I can't find it in my outbox, so I might not have
replied after all...
 
> On 25/03/2014 12:32, David Prévot wrote:
> > On 25/03/2014 11:41, Moritz Muehlenhoff wrote:
> > 
> >> owncloud was dropped from wheezy before/during freeze since the maintenance support frame
> >> is too short and the package too volatile (we need a supported release for at least a few
> >> years).
> > 
> > AFAIUI, it was dropped because the (oldish) version present in testing
> > at freeze time was reaching EOL and the packaging team wasn’t much
> > active to push updated version before and during the freeze
> > (NMU-maintenance).
> > 
> >> Did this change with the current 6.0x in jessie (or any later release you plan to ship
> >> in jessie)?
> > 
> > The actual reasons why the package was dropped in Wheezy don’t seem
> > likely to be reproduced for Jessie, and I’ll ask upstream about their
> > forthcoming 7. release and maintenance timeframe.
> 
> I’ve since had encouraging (private) exchanges with people in charge of
> security in ownCloud, and even if ownCloud 7 will not be officially
> supported during the whole Jessie lifetime, they should be able to help
> us (ownCloud packaging team) prepare and test security backports ready
> for review by the Debian security team when needed.

Ok, sounds good. 

Compared to wheezy the maintenance team seems broader now and you've always 
been responsive and reliable with spip, so I think we're good here.
 
> The Sabre dependency branch (php-sabre*) will also reach its EOL during
> Jessie support, but I’ve received encouraging feedback from upstream
> about security backports on similar terms as with the ownCloud
> security team.

Ok. What about Zend Framework, IIRC it's also entangled into owncloud?
 
> I thus believe ownCloud to be a worthy candidate for Jessie support, but
> wouldn’t mind to restrict the security support timeframe until Jessie+1
> is released if needed (i.e., once Jessie+1 is released, if the security
> support becomes too complicated/time-consuming, I’d like to keep our
> options open to drop it from oldstable in a similar way Mozilla products
> have been dropped in the past).

Ok. Could you add a README.Debian file which indicates this to users?

We're planning to have debian-security-support installed by default in
jessie, so we can flag this to users. 

Cheers,
        Moritz


