ownCloud 9 is Here
-
@jospoortvliet said:
Look, these are warnings. If you're confident there is no problem, you can ignore them.
This is not a professional response to being informed clearly that there is a bug.
You just told me to ignore a bug. Are we 100% clear that that's what's going on? Is that how ownCloud feels about security issues? Sweet them under the rug? Be wrong and hope that users ignore them?
-
@scottalanmiller said:
@jospoortvliet said:
We could disable these errors - it might make you feel better but it would make your platform equally insecure. That is called a false sense of security. Gosh, I expected that you'd appreciate the fact that we won't do that.
Honestly, I find your attitude offensive. This is pathetic. The errors are wrong and that's obvious. Your security guy is a fraud and you are clearly trying to cover for him. I'm sure your a small company and he's a friend but I'm sorry, he's making you look bad and you are making the company look worse.
These aren't real errors, the security issue isn't a problem. Sorry if I trust Red Hat engineering more than a random guy who clearly doesn't understand the platform. Feel free to prove me wrong but you crossed a line here and I don't feel that ownCloud has any clout to stand on here and needs to prove itself anew. This is a ridiculous, offensive statement.
Seriously? There is ONE error with a bad wording. I'll report it. The other errors - they are good warnings as far as I can tell - at least - I have not seen any evidence that the are not (in which case I could submit a bug report, perhaps). Again, this is to help people secure their system.
-
@jospoortvliet said:
These warnings are meant to help home users who run ownCloud on their raspberry pi to get a more secure setup. If this is confusing a professional sysadmin - well, I expect them to be able to figure out what to do more than home users.
But it doesn't help home users, it would be totally wrong and misleading for them. For those who aren't experts, it might make them do some seriously bad things. For those who are experts, it makes us question the team making the product.
What's the upside to bugs and security mistakes?
-
@jospoortvliet said:
I think you're taking this a little too serious, to be honest. We're trying to be helpful and easy to use here.
You feel that I'm taking ownCloud more seriously than ownCloud does? That's not a good stance.
I'm also trying to make it helpful and easy. I've pointed out where it fails to do that and instead of taking that advice, you are defending bugs and being hard or confusing to use so that only experts can figure out what ownCloud has bugs rather than thinking that they could not set it up properly.
Honestly, your latests responses make me wonder if these aren't intentional flaws to make lesser admins feel that they need to pay for support. Is it normal for support to disable the alerts? Or to break the RPM repos? how do the paid support people resolve these bugs for customers? Or do they just tell them to ignore them?
-
@jospoortvliet said:
Seriously? There is ONE error with a bad wording. I'll report it. The other errors - they are good warnings as far as I can tell - at least - I have not seen any evidence that the are not (in which case I could submit a bug report, perhaps). Again, this is to help people secure their system.
So far every error we've looked at is wrong and the only one that might be right we have no reason to even suspect is right. Sure, it is only a few, but that you feel any confidence that the remaining one is real seems odd. Why do you even feel that that is likely? Especially given the solid explanations as to why we assume it is wrong based on the same misunderstandings as the other ones.
-
NSS is from January. You say that there are details as to why this is outdated (sorry, it's current again) and insecure. But I see no details on that one either. Here are the RPM details. NSS 3.19.1-19 is only a few weeks old. And it is the most current version for RHEL.
rpm -qi nss-3.19.1-19.el7_2.x86_64 Name : nss Version : 3.19.1 Release : 19.el7_2 Architecture: x86_64 Install Date: Fri 15 Jan 2016 03:26:22 PM UTC Group : System Environment/Libraries Size : 2609903 License : MPLv2.0 Signature : RSA/SHA256, Thu 07 Jan 2016 10:18:33 PM UTC, Key ID 24c6a8a7f4a80eb5 Source RPM : nss-3.19.1-19.el7_2.src.rpm Build Date : Thu 07 Jan 2016 08:31:16 PM UTC Build Host : worker1.bsys.centos.org Relocations : (not relocatable) Packager : CentOS BuildSystem <http://bugs.centos.org> Vendor : CentOS URL : http://www.mozilla.org/projects/security/pki/nss/ Summary : Network Security Services Description : Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. -
So, now that we've covered that ALL of the alerts are incorrect and that this is clearly very confusing to anyone who isn't a confident Linux admin... why are we getting these errors? They cannot help someone who isn't an expert, and they aren't useful to us. They would be very harmful to normal users trying to just run the system.
-
So just to recap:
- Internet Access Not Working: False. Internet access is just fine.
- cURL / NSS Out of Date: False. Current and patched. Latest from Red Hat.
- PHP Unsupported: False / Tricky. Unsupported by someone who is not the support vendor, so very misleading to anyone that isn't an expert and worthless to anyone who is.
- CentOS 7 Out of date: False Turns out that the concept of the target platform is misunderstood and is actually fully up to date.
Does this make it clear why we see these are problematic?
-
@scottalanmiller said:
@jospoortvliet said:
Look, these are warnings. If you're confident there is no problem, you can ignore them.
This is not a professional response to being informed clearly that there is a bug.
You just told me to ignore a bug. Are we 100% clear that that's what's going on? Is that how ownCloud feels about security issues? Sweet them under the rug? Be wrong and hope that users ignore them?
YOU say they are bugs. I don't. I believe they are real issues a sysadmin should fix. You claim our security guy is incompetent and you trust Red Hat. Fine. Just two links then about PHP:
https://access.redhat.com/solutions/641423
https://bugzilla.redhat.com/show_bug.cgi?id=662707Here's the cURL bug, yes, related to a NSS issue: https://bugzilla.redhat.com/show_bug.cgi?id=1241172
As I said - before I take your input as 'bugreports' I need some proof that these warnings are wrong. For now, I have some reason to think it is GOOD to warn of projects no longer supported by upstream: clearly, distributions don't do a good job keeping up with issues in them and clearly, our warnings (no matter how annoying) are helpful.
Ok, let me give you one more then: https://statuscode.ch/2016/02/distribution-packages-considered-insecure so you can read a bit from the guy we're talking about. There's a reason Lukas is pretty well known in the security world - he knows his stuff. And works for us. These warnings are there because these ARE issues. Perhaps not today because RH just fixed one - but again next week as they are 'maintaining' something which isn't easy to maintain and they don't do such a great job. Wait, wasn't that what you said yourself about LTS earlier? Ah!
Oh and really, if you're right about our security guy, you can make loads of money: https://hackerone.com/owncloud
If you don't mind, I'll retreat from this conversation. If the three links above is not enough proof that these warnings are useful - nothing will be. I honestly think you're barking up the wrong tree - we are careful to warn when there's a serious potential for trouble. Maybe that's zealous - overzealous even. But better safe than sorry.
-
@jospoortvliet said:
If you don't mind, I'll retreat from this conversation. If the three links above is not enough proof that these warnings are useful - nothing will be.
Then I hope you don't mind if I quit recommending ownCloud as a viable solution to my clients.
-
@jospoortvliet said:
YOU say they are bugs. I don't. I believe they are real issues a sysadmin should fix.
Okay, whatever. Clearly I'm taking your platform way too seriously.
-
@JaredBusch said:
@jospoortvliet said:
If you don't mind, I'll retreat from this conversation. If the three links above is not enough proof that these warnings are useful - nothing will be.
Then I hope you don't mind if I quit recommending ownCloud as a viable solution to my clients.
I certainly no longer see them as a business class solution. What a joke.
-
@scottalanmiller said:
@jospoortvliet said:
YOU say they are bugs. I don't. I believe they are real issues a sysadmin should fix.
Okay, whatever. Clearly I'm taking your platform way too seriously.
Seriously? You didn't read the links? Wow. Good night...
-
@jospoortvliet said:
You claim our security guy is incompetent and you trust Red Hat. Fine.
Correct.
-
@jospoortvliet said:
@scottalanmiller said:
@jospoortvliet said:
YOU say they are bugs. I don't. I believe they are real issues a sysadmin should fix.
Okay, whatever. Clearly I'm taking your platform way too seriously.
Seriously? You didn't read the links? Wow. Good night...
I did. That's CentOS 6 from 2013. It's important why?
-
@jospoortvliet said:
@scottalanmiller said:
@jospoortvliet said:
YOU say they are bugs. I don't. I believe they are real issues a sysadmin should fix.
Okay, whatever. Clearly I'm taking your platform way too seriously.
Seriously? You didn't read the links? Wow. Good night...
Maybe because I cannot? Also this is talking about RHEL 6.4
-
-
the other is from 2010. Again, why did you link it? Are these just misdirection hoping that we wouldn't follow the links?
-
@jospoortvliet said:
Here's the cURL bug, yes, related to a NSS issue: https://bugzilla.redhat.com/show_bug.cgi?id=1241172
More misdirection. This isn't a security problem. Yes it has a bug, so? So does ownCloud and they wont even admit it. Red Hat takes this so seriously they are actually working on it. Big difference. They don't pretend that that's okay that there are bugs.
Why is this is a reason to stop using Red Hat's repos and go to rolling out own? That's insane. You can't actually expect us to take this seriously?
-
@scottalanmiller said:
@jospoortvliet said:
@scottalanmiller said:
@jospoortvliet said:
YOU say they are bugs. I don't. I believe they are real issues a sysadmin should fix.
Okay, whatever. Clearly I'm taking your platform way too seriously.
Seriously? You didn't read the links? Wow. Good night...
I did. That's CentOS 6 from 2013. It's important why?
Because it shows exactly what I said - these warnings are useful. They were in those cases and by your own account (not trusting LTS releases), they are now. Also note when they were opened and when they were fixed.
What more do you want? That we, real-time, update these warnings based on existing vulnerabilities that aren't disclosed or fixed? That would be awesome, don't get me wrong - but rather ambitious.
