[Pkg-owncloud-maintainers] You want users to lose data?!?!

Sandro Knauß bugs at sandroknauss.de
Sun Feb 28 20:10:07 UTC 2016


Hey,

Okay, let's talk about db migrations. Well, on Debian we have a fully working 
solution for that; it is called dbconfig-common, which takes care of upgrading/
saving/etc. If there is a SQL script that needs to run during an update, this 
will do the thing; if you skip a version, dbconfig will take care of it. And this 
is planned to be used for owncloud (as mentioned in the TODO file). 
But yes, it is still WIP. But we can't simply not support the upgrade from 
one Debian stable to the next. And we care about users' data, that's for sure. 
I find this very frustrating, to hear every time from upstream: "Oh, you Debian 
guys don't care about users / users' data." WTF, we care very much about them; 
that's why it often takes a little bit longer till a package appears in the 
general repository. Because they are first tested on our own test instances, and 
there we find problems. Funnily enough, often the problems are not packaging 
issues - they are upstream ones. 
But I don't blame upstream every time they break the installation another 
time. I know it is hard to support that many different setups and 
installations. I try to file a bug report and help as much as I can to get the 
bug fixed.
That's the work we do day by day - we help upstream to improve their software 
and hold back the release of the broken version until there is a patch 
for the bugs we found. Tell the users: please wait some days till it is fixed. And 
afterwards we get blamed by upstream that we do not have the newest hottest 
shit rolled out immediately. This is really not fun, to be pushed as the bad 
guys by upstream. It would be nice if upstream would also see that we help 
the owncloud community too. Yes, we may have a different view on how often an 
update should be done and when we ship things. But, as upstream does, we also 
have our reasons.

> I still consider that a courtesy - we have a lot of platforms to support and 
> while we could follow most other projects in just providing zip files or, 
> indeed, follow the general trend to virtualization, I personally feel 
> distributions can be beneficial to software deployment, even for web apps. 
> Moreover, I still have hope that Debian can adjust its policy of shipping 
> known insecure and outdated software [2].
> [2]  https://statuscode.ch/2016/02/distribution-packages-considered-insecure

The next paragraph is mostly looking at a Docker-based container - but I think 
most of the questions would also be true for another container solution:

First, yes, you are right, there are many open security bugs, but is the 
solution now to jump to a container-based system? Then the interesting 
questions pop up: Who is responsible there for taking care of fixing security 
bugs? For the top-level package it is you, owncloud, but you rely on many, many 
other packages. You also compile your own qt4/qt5 version on your OBS - do you 
follow every dependency you have and provide patches for them? Do you upgrade 
your Docker image daily? What about your 3rdparty copies of other packages that 
are available in your source tree - do you follow all security trackers for them 
and provide bug fixes? Did you read the advice from Docker not to run apt 
dist-upgrade [1]?
"You should avoid RUN apt-get upgrade or dist-upgrade, as many of the 
“essential” packages from the base images won’t upgrade inside an unprivileged 
container. If a package contained in the base image is out-of-date, you should 
contact its maintainers."

IMO security is not improved by Docker at all, because you switch now to a 
system that is less transparent about when things are updated/upgraded, and you 
have no public security issue tracker where you can see what is vulnerable. You 
rely on the person that is providing the base image to upgrade it. 

On Debian all these things are more transparent. You see what is going on and 
why. By the way, owncloud-client and security issues were quite bad (I only 
had to deal with the one for occ). On the one side, the information about which 
version is vulnerable was wrong in the CVE, so I put a lot of effort into trying 
to find the patch. On the other side, I also heard from upstream: "Why are you 
fixing this? Just provide a new version - btw. we don't file every CVE that we 
find, because it is too much work for us."
^^ Ah, so owncloud doesn't care about publishing security bugs, but blames 
others that they don't have the manpower to solve/backport them?
Yes, I know backporting is work and I really would enjoy not doing it :D 
But let's be honest, owncloud Inc. is also doing a lot of backport work too, 
no? Because clients buy support contracts for more than one year, and I 
really can't imagine that you just update their installations to the newest 
version when it comes out. So why do you blame Debian for putting effort into 
backporting when you are doing the same?

Sorry if that all sounds very harsh to you - but yes, I am a bit pissed about 
the current way upstream is blaming downstream. I would really like to see 
that owncloud also regards the work of downstream. 

> I would like to invite all of you to the ownCloud conference in September - 
> it would be nice to have a sit down and see how we can improve things; and the 
> work together to make it happen. I would be happy to arrange travel support 
> for those who need it.

Thanks for the invite - I will have to look at my timetable. Sounds like a good 
place to improve.

Regards,

Sandro

[1] https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
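The message above says that dbconfig-common runs the SQL upgrade scripts a package ships and copes with skipped versions. The following script is an added illustration of that selection rule, not part of this mail or of the Debian owncloud package's maintainer scripts: a real package does not implement this itself but drops its scripts under /usr/share/dbconfig-common/data/<pkg>/upgrade/<dbtype>/<version> and lets dbconfig-common's postinst hooks apply them. The rule reproduced here is that every script whose version is newer than the previously installed version runs, in ascending order, so an upgrade that skips a release still gets every intermediate migration. The sample directory tree, the three script versions and the plain dotted x.y.z version format are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added illustration of dbconfig-common's upgrade-script selection rule.
# Not the Debian owncloud package's own postinst; dbconfig-common does this
# for you once your package ships scripts named after the version that
# introduced the schema change.
set -eu

# version_gt A B: true when dotted-numeric version A is newer than B.
# Assumption: plain x.y.z versions (no Debian epochs, no ~ or + suffixes).
version_gt() {
    [ "$1" != "$2" ] || return 1
    newest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)
    [ "$newest" = "$1" ]
}

# upgrade_scripts_for DIR OLD_VERSION: print, one per line and in ascending
# order, the script versions in DIR that must run when upgrading from
# OLD_VERSION. A script for a version we already have is skipped, so the
# same migration is never applied twice.
upgrade_scripts_for() {
    dir=$1
    old=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        v=$(basename "$f")
        if version_gt "$v" "$old"; then
            printf '%s\n' "$v"
        fi
    done | sort -t. -k1,1n -k2,2n -k3,3n
}

# run_upgrade DIR OLD_VERSION: apply each selected script in order and stop at
# the first failure, so a half-applied migration is reported rather than
# silently leaving the database between two schema versions.
run_upgrade() {
    dir=$1
    old=$2
    for v in $(upgrade_scripts_for "$dir" "$old"); do
        echo "applying $dir/$v"
        sh "$dir/$v" || { echo "migration $v failed, stopping" >&2; return 1; }
    done
}

# make_sample_tree: constructed stand-in for
# /usr/share/dbconfig-common/data/<pkg>/upgrade/mysql with three scripts.
# Each "script" only echoes which migration it represents.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/upgrade/mysql"
    for v in 8.0.4 8.1.0 9.0.0; do
        printf '#!/bin/sh\necho "-- schema migration for %s"\n' "$v" \
            > "$d/upgrade/mysql/$v"
    done
    echo "$d"
}

# Demo: a user who skipped 8.1.0 and jumps from 8.0.4 straight to 9.0.0 still
# gets the 8.1.0 migration before the 9.0.0 one.
demo_dir=$(make_sample_tree)
echo "upgrading from 8.0.4, scripts selected:"
upgrade_scripts_for "$demo_dir/upgrade/mysql" 8.0.4
run_upgrade "$demo_dir/upgrade/mysql" 8.0.4
rm -rf "$demo_dir"
```

The version comparison is deliberately minimal; Debian's real tooling uses dpkg --compare-versions, which also understands epochs and ~ pre-release suffixes, and dbconfig-common takes care of recording which version is installed so the "old version" argument never has to be guessed by the maintainer script.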