[Pkg-owncloud-maintainers] You want users to lose data?!?!

[Jos Poortvliet]

On Saturday, February 27, 2016 9:38:52 PM AMT Martin Steigerwald wrote:
> On Samstag, 27. Februar 2016 12:29:46 CET Jos Poortvliet wrote:
> > Guys and girls,
> 
> Jos,
> 
> I considered again and again to follow-up on the thread I started but in the 
> end I thought it would be pointless, cause its the actual packages of both 
> sides needing to speak to each other what can be done.
> 
> > We just noticed you made a patch to remove the check the skipping of
> > releases on upgrade. We don't test skipping releases on upgrade and don't
> > support it for that reason - you really want to subject users to that
> > massive risk of data loss?
> > 
> > Our highest priority is to never cause data loss for users. We made massive
> > progress in that area over the last years and a properly administered and
> > installed ownCloud is unlikely to lose you data, even when you're running
> > it with 10K users and 10TB of files.
> 
> Jos, did you notice the amount of effort David put into making sure upgrade to 
> new Owncloud will work within Debian?
> 
> Do you also know that this work is not yet completed and the new version of 
> Debian is not even near to being frozen?
> 
> So how about trying to *work* together, instead of *flaming* at the people who 
> work to make Owncloud available within Debian?

I thought a polite email to this mail would be considered nice. Also, I didn't blog or put anything on social media, did I?

If you consider the conversations happening on github and our developer mailing list 'flaming', well - sorry, but people speak their mind and they consider skipping the upgrade routines dangerous for user data - which it is. I see jabs at the ownCloud developers on this list too, and don't complain about that.

> > I understand you have a problem caused by the slow release cycle of Debian
> > but risking user data is NOT a good way of dealing with that. This is
> > exactly the kind of thing I was writing a blog about earlier - a blog wich
> > made many of you rather angry, and I understand that, so I decided to do
> > you the courtesy to email you before we would publish another blog post
> > telling people not to use (debian) packages... This risks user data, risks
> > our reputation - could I please ask you not to do this?
> 
> What is the alternative?

Let me try to put it in a different way.

On each mayor upgrade, ownCloud runs upgrade routines which migrate data in the database to a new schema. These routines only run from one major upgrade to the next and don't work when you skip a release.

Without these routines, data loss isn't a "maybe" but a guaranteed thing. So, this patch alone WILL be sure to lose user data.

As I noted, we've been working hard to make sure users don't lose their data, hence, we get a little upset when a downstream undermines these efforts.

Now, if you plan on making more changes, like, letting the upgrade routines of each intermediate release run upon upgrade or something like that - we have decided not to try and make that work due to the risk involved so you won't really be able to count on help from us, nor would we be OK with that unless you undertake, somehow, a very major testing effort akin to the work CERN did with Smashbox.

In other words - even if this is unfinished, we think it is too risky to try.

> Deploying Owncloud in a docker container and upgrading it from git master each 
> day?

Fedora seems to be working that way [0], though of course running git master is not smart as the upgrade routines only work from one major release to the next, not on daily snapshots.

But, to answer the real question you're asking: the solution is to provide a new version more regularly. I wrote a blog about that [1]. You want utmost stability, so I suggest to upgrade to the latest patch release of N some time after N+2 has been released as latest ownCloud release.

That would mean that the oldest version you ship to users on any Debian, right now, is the 8.1. Anything older is NOT more stable and provides nothing but a worse experience.

> I stand by it that I don´t want to run a docker container just to be able to 
> run Owncloud from git master each day and that a tarball stuffed into a *.deb 
> is also not going to do it for me.

Fair enough, we're working on providing 'smarter' packages. Note that the reason we dumbed them down to a "tarball stuffed into a *.deb" was to avoid users losing data - I don't know what you put on your ownCloud but mine has enough important private documents that I prefer safe over easy to use.

> A first start would be that Owncloud´s own packagers speak with Debian 
> Owncloud maintainers about what can be done to improve the situation while 
> taking both upstream *and* Debian needs into as well as supportability into 
> account.

Hence my email.

I still consider that a courtesy - we have a lot of platforms to support and while we could follow most other projects in just providing zip files or, indeed, follow the general trend to virtualization, I personally feel distributions can be beneficial to software deployment, even for web apps. Moreover, I still have hope that Debian can adjust its policy of shipping known insecure and outdated software [1].

Cheers,
Jos

> Thanks,
> 

[0] https://lwn.net/Articles/675846/
[1] http://blog.jospoortvliet.com/2015/12/five-reasons-to-upgrade-your-owncloud.html
[2]  https://statuscode.ch/2016/02/distribution-packages-considered-insecure
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-owncloud-maintainers/attachments/20160227/710bfb74/attachment.sig>