[Pkg-owncloud-maintainers] You want users to lose data?!?!
bugs at sandroknauss.de
Sun Feb 28 20:10:07 UTC 2016
Okay let's talk about db migrations. Well on debian we have a fully working
solution for that it is called dbconfig-common, that takes care about upgrade/
saving/ etc. If there is a SQL script that needs to run while update, this
will do the thing, If you skip version dbconfig will take care of it. And this
is planed to use for owncloud (as mentioned in the TODO file).
But yes it is still WIP. But we can't simply don't support the upgrade from
one debian stable to the next. And we care about users data, that for sure.
I find this very frustratin, to hear every time from upstream: Oh you debian
guys don't care about users /users data. WTF we care very much about them,
thats we it takes often a little bit longer till a package appears in the
general repository. Because they are first test on our own test instances and
there we find problems. Funnily enough often the problems are not packaging
issues - They are upstream ones.
But I don't blame everytime upstream that they broke another time the
installation. I know it is a hard to support that many different setups and
installations. I try to report a bugreport and help as much to get the bug
That's the work we do day-by-day - we help upstream to improve there software
and hold back the release of the broken version so long till there is a patch
for bugs we found. Tell the users, please wait some days, till it is fixed. And
afterwards we get blamed by upstream, that we do not have the newest hottest
shit rolled out immediately. This is really not fun to be pushed as the bad
guys from upstream. It would be nice if upstream would also see, that we help
the owncloud community too. Yes we may have a different view, how often a
update should be done and when we ship things. But as upstream we also have
> I still consider that a courtesy - we have a lot of platforms to support and
while we could follow most other projects in just providing zip files or,
indeed, follow the general trend to virtualization, I personally feel
distributions can be beneficial to software deployment, even for web apps.
Moreover, I still have hope that Debian can adjust its policy of shipping
known insecure and outdated software .
>  https://statuscode.ch/2016/02/distribution-packages-considered-insecure
The next paragraph is mostly looking at a docker based container - but I think
the most questions also be true with another container solution:
First yes you are right, there are many open security bugs, but is the
solution now to jump to a container based system? Than the interesting
questions pop up: Who is responsible there for taking care of fixing security
bugs? For the top level package it is you owncloud, but you rely on many, many
other packages. You also compile your own qt4/qt5 version on your obs - Do you
follow every dependency you have and provide patches for them? Do you upgrade
your docker daily? What about your 3rdparty copies of other packages, that are
available in your source tree, you you follow all security trackers for them
an provide bug fixes? Did you read the advice from docker to not run apt dist-
"You should avoid RUN apt-get upgrade or dist-upgrade, as many of the
“essential” packages from the base images won’t upgrade inside an unprivileged
container. If a package contained in the base image is out-of-date, you should
contact its maintainers."
IMO the security is not improved by docker at all, because you switch now to a
system that is more intransparent, when things are updated/upgraded and you
have no public security issue tracker where you can see what is vulnerabe. You
rely on the person that is providing the base image to upgrade it.
On debian all these things are more transparent. You see what is going on and
why. By the way owncloud-client and security issues were quite bad ( I only
had to deal with the one for occ). On the one side the information, what
version is valunable were wrong in the CVE, so I put a lot of effort in try to
find the patch. On the other side I also heard for upstream: "Why you are fixing
this? Just provide a new version - Btw. we don't file every CVE that we found,
because it is too much work for us."
^^Ah, what owncloud don't care about publishing security bugs, but blame
others, that they don't have the manpower to solve/backport them?
Yes I know backporting is work and i really would enjoy not doing it :D
But let's be honest owncloud Inc. is also doing a lot of backport work too,
not? Because if clients buys a support contract for more than one year and I
really can't image that you just update there installations to the newest
version, when it comes out. So why you blame debian for putting effort in
backporting and doing the same?
Sorry If that all sounds very harsh to you - but yes I am a bit pissed about
the current way upstream is blaming downstream. I would really like to see,
that owncloud also regards the work of downstream.
>I would like to invite all of you to the ownCloud conference in September -
it would be nice to have a sit down and see how we can improve things; and the
work together to make it happen. I would be happy to arrange travel support
for those who need it.
Thanks for the invite - I will have to look to my timetable. Sound like a good
place to improve.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: This is a digitally signed message part.
More information about the Pkg-owncloud-maintainers