The problem was generated by old ownCloud packages in repos

Oct 23, 2014 09:00 GMT  ·  By

A member of the ownCloud security team has sent a request to Canonical asking them to remove all the packages from their repositories regarding this software stack. The problem is that things are not that simple.

One of the big issues with the Ubuntu repositories, in particular "universe," is that they're full of old and unmaintained versions. This is a repository where anyone can be a maintainer, and it's mainly used for applications that are not officially supported.

What happens is that a user becomes the maintainer for a particular package, which basically means that he updates that package on a regular basis, or at least he should. Stuff happens, the packages are no longer maintained, and Ubuntu users end up using some really old versions. The same happened with ownCloud: the version offered in the repos was full of security issues and posed a real problem to end users.
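A defender's check that follows from the paragraphs above, added here as an illustration (it is not code from the article, from Canonical or from the ownCloud project): parse the output of `apt-cache policy` and flag every installed package whose version is served from the community-maintained "universe" component, or from no configured archive at all. The sample output is constructed and modelled on an Ubuntu 14.04 host; every version string is invented, and the `oldtool` package is hypothetical.

```python
"""Flag installed Ubuntu packages that come from 'universe' (no Canonical
security updates) or from no repository at all, via `apt-cache policy`."""
import re
import sys
from urllib.parse import urlparse

# Constructed sample modelled on `apt-cache policy owncloud openssl oldtool`
# on Ubuntu 14.04; all version strings are invented, 'oldtool' is hypothetical.
SAMPLE_POLICY = """\
owncloud:
  Installed: 7.0.2+dfsg-1
  Candidate: 7.0.2+dfsg-1
  Version table:
 *** 7.0.2+dfsg-1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status
openssl:
  Installed: 1.0.1f-1ubuntu2.7
  Candidate: 1.0.1f-1ubuntu2.7
  Version table:
 *** 1.0.1f-1ubuntu2.7 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1f-1ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
oldtool:
  Installed: 0.9-2
  Candidate: 0.9-2
  Version table:
 *** 0.9-2 0
        100 /var/lib/dpkg/status
"""

_HEADER = re.compile(r"^(\S+):$")
_INSTALLED = re.compile(r"^\s+Installed:\s+(\S+)$")
# Version-table row: optional '***' marks the installed version, then the
# version string and a pin priority (apt 1.0 prints "0" there).
_VERSION_ROW = re.compile(r"^\s*(\*\*\*\s+)?(\S+)\s+-?\d+$")
# Archive row beneath a version: "<prio> <url> <suite>/<component> <arch> Packages".
_SOURCE_ROW = re.compile(r"^\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+Packages$")


def parse_policy(text):
    """Return {pkg: {"installed": version|None,
                     "sources": {version: [(url, "suite/component"), ...]}}}."""
    packages, pkg, version = {}, None, None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            pkg, version = m.group(1), None
            packages[pkg] = {"installed": None, "sources": {}}
            continue
        if pkg is None:
            continue
        m = _INSTALLED.match(line)
        if m:
            packages[pkg]["installed"] = None if m.group(1) == "(none)" else m.group(1)
            continue
        if line.lstrip().startswith(("Candidate:", "Version table:")):
            continue
        m = _VERSION_ROW.match(line)
        if m:
            version = m.group(2)
            packages[pkg]["sources"].setdefault(version, [])
            continue
        m = _SOURCE_ROW.match(line)
        if m and version is not None:
            packages[pkg]["sources"][version].append((m.group(1), m.group(2)))
        # The "/var/lib/dpkg/status" row only says the version is installed,
        # not where it came from, so it is deliberately ignored.
    return packages


def classify(info):
    """Classify one parsed package by where its installed version is served from."""
    installed = info["installed"]
    if installed is None:
        return "not-installed"
    sources = info["sources"].get(installed, [])
    if not sources:
        # Only dpkg's status file knows this version: it is no longer (or was
        # never) in any configured repository, so no update can ever reach it.
        return "orphaned"
    components = set()
    for url, suite_component in sources:
        host = urlparse(url).hostname or ""
        component = suite_component.rsplit("/", 1)[-1]
        canonical = host == "ubuntu.com" or host.endswith(".ubuntu.com")
        if canonical and component in ("main", "restricted"):
            return "supported"  # covered by Canonical's security team
        components.add(component)
    if components & {"universe", "multiverse"}:
        return "universe"  # community-maintained: fixes arrive only if someone backports them
    return "third-party"  # PPA or other external archive (they use "main" too)


def audit(text):
    """Map every package in `apt-cache policy` output to its support status."""
    return {pkg: classify(info) for pkg, info in parse_policy(text).items()}


if __name__ == "__main__":
    # Pipe real output in: apt-cache policy $(dpkg-query -W -f='${Package} ') | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    for pkg, status in sorted(audit(text).items()):
        print(f"{pkg:<12} {status}")
```

The classification only looks at where the installed version is served from; it says nothing about whether that version carries known bugs. A "universe" or "orphaned" result is the cue to check the upstream project's advisories yourself, which is exactly the gap the article describes.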

ownCloud asked and Canonical refused, at first

It might seem like a trivial matter to remove something from a repository, but it's not that simple. Lukas Reschke from ownCloud has tried to explain the situation in a message to a mailing list.

"On behalf of the ownCloud project I'm requesting that 'ownCloud server' is removed from the Ubuntu packages: http://packages.ubuntu.com/trusty/owncloud (including all versions) - Let's hope that this is finally the right ML for this kind of request. These packaged versions are all vulnerable to multiple critical security bugs and no security fixes have been backported."

On the other side, Canonical's Marc Deslauriers has explained that it's not possible to simply remove something from the "universe" repositories and has outlined some of the options available to the ownCloud people. Unfortunately, all the proposed solutions require a lot of work from the ownCloud devs: creating updated packages for older releases, backporting fixes to the versions that already shipped, or publishing package updates that remove all functionality (an empty package). The last one should be considered a last resort.

As was to be expected, Lukas Reschke didn't agree with the solutions, because ownCloud's people don't have the time to be both developers for a software stack that runs on multiple distros and maintainers for a specific one.

"If there is anything I can do to have this resolved in another way without investing hours to fix packages: I'm open to any suggestion. - I do not really want to add a warning to our installation guide, but if this is the only way to protect our users I'll do it."

For now, the issue has yet to be resolved entirely. Marc Deslauriers has removed the ownCloud packages from the Ubuntu 14.10 repositories, but that was easy because that system is not out yet. What will happen with the repository for Ubuntu 12.04 LTS, which is still a supported distro, remains to be seen.