
    ownCloud 9 is Here

    • scottalanmillerS
      scottalanmiller @jospoortvliet
      last edited by

      @jospoortvliet said:

      Amazing that these are so outdated, or, indeed, perhaps there's a bug in ownCloud which incorrectly states these things.

      See, this is part of the problem. They are not outdated, they are current. ownCloud is redefining outdated differently than the industry sees it. We see this as completely current. These are the absolute current versions in RHEL.

      If you are looking for versions newer than these it means that ownCloud actually doesn't understand what RHEL is and, yet again, this is concerning. Why are you expecting something more current? The "contract" between RHEL/CentOS and its users is that these versions never change, they only get security patches. So if you think that these versions are old, it means you have a fundamental disconnect with using CentOS or RHEL as your platform.

      Do you see the problem here? ownCloud should know that this is how RHEL works if they support or recommend it. What end users do you expect to ever not get these errors?

      1 Reply Last reply Reply Quote 1
      • scottalanmillerS
        scottalanmiller @jospoortvliet
        last edited by

        @jospoortvliet said:

        Please forgive me for assuming our software does what it should do until I see evidence to the contrary.

        But we've done so already. You know it isn't working, you've even stated what the bugs are in some cases. You've pointed out that ownCloud isn't familiar with the OSes that they recommend. How much evidence do you expect us to provide?

        1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @jospoortvliet
          last edited by

          @jospoortvliet said:

          There is a PHP version warning. That PHP version is old and no longer supported by the PHP project. Yes, there might not be a newer version from your vendor for your platform. That does not make it any less outdated etc etc etc.

          Ah, but it does. It makes this a bug. It makes this ownCloud's problem. Why are you throwing an error for a fully updated, fully supported PHP version? Don't try to claim that it isn't. What it is not is not supported by PHP. If you mention PHP's support, that means we have a disconnect. We are in IT, not home hobbyists. Our support is from Red Hat, not PHP. Who gets support from PHP? Seriously?

          This is a scary disconnect from how IT and Linux work. Here are some problems:

          • ownCloud doesn't understand their target platform.
          • ownCloud is throwing errors on things it doesn't understand.
          • ownCloud is stating that things are old that are not. PHP on CentOS is fully up to date, it's just a different family. The patch level on it is very current. It is a misunderstanding of the version levels causing the issue.

          All of these things are worrisome. Very, very worrisome when you claim that you trust your internal "security" guy who is missing these very, very basic concepts of the platforms he's supposed to be your expert on!!

          jospoortvlietJ 1 Reply Last reply Reply Quote 0
          • jospoortvlietJ
            jospoortvliet Vendor @scottalanmiller
            last edited by

            @scottalanmiller said:

            @jospoortvliet said:

            Again, you want us not to warn even though there IS something broken, even though we can't figure out exactly what it is?

            I never said that in the least. I want you to fix your bug where you report the wrong thing. Simply report the truth, don't hypothesize and act like the issue couldn't be the most obvious thing.

            And likewise, I'm telling you that you have a bug. A bug that you've stated yourself that you have in your description. Do you not want us telling you when ownCloud has a very obvious problem and just ignore it?

            We have been telling you that you have issues and you are making excuses to act like the system should be wrong, should throw false errors, etc. I want real errors as a best case, no errors as an acceptable case, and never false errors. Nothing is worse than false errors.

            I'm sorry, what? I've agreed that the wording on one of the warnings is unclear - it should probably state "ownCloud failed to connect to ownCloud.org" rather than "this server has no working internet connection". Despite the bad wording, it is still not a 'false error': there IS a problem with the server configuration and the lack of clarity of the error message is sad but bugs happen and this minor wording problem can be fixed with a very simple pull request on github. And if a customer would have this problem, they have a phone number to call.

            The other errors - perhaps you don't trust them, that's fine. I do unless I see evidence that points out that they're wrong, that's all I said. And I still don't see how you can claim that warning about outdated PHP or cURL versions is a bad thing.

            As you stated:

            I think that throwing alerts for PHP while saying that you support the platform that you alert on is a bad combination. Don't call CentOS 7 fully patched "out of date" while saying you support the platform. Just say you don't support it and move on.

            That is caused by a mis-understanding we had about the term 'support'. I think I explained what I mean with it - and how it couldn't mean anything else unless we're talking about a customer-vendor relationship. Which, here, we're not - ownCloud is an open source, volunteer-run project and you're users who use it for free. When we say 'support' - don't expect more than you can expect from any other open source platform. And thus, yes, a 'platform' which we 'support' can be a 'problem'.

            1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @jospoortvliet
              last edited by

              @jospoortvliet said:

              We could disable these errors - it might make you feel better but it would make your platform equally insecure. That is called a false sense of security. Gosh, I expected that you'd appreciate the fact that we won't do that.

              Honestly, I find your attitude offensive. This is pathetic. The errors are wrong and that's obvious. Your security guy is a fraud and you are clearly trying to cover for him. I'm sure you're a small company and he's a friend but I'm sorry, he's making you look bad and you are making the company look worse.

              These aren't real errors, the security issue isn't a problem. Sorry if I trust Red Hat engineering more than a random guy who clearly doesn't understand the platform. Feel free to prove me wrong but you crossed a line here and I don't feel that ownCloud has any clout to stand on here and needs to prove itself anew. This is a ridiculous, offensive statement.

              jospoortvlietJ 1 Reply Last reply Reply Quote 0
              • jospoortvlietJ
                jospoortvliet Vendor @scottalanmiller
                last edited by jospoortvliet

                @scottalanmiller said:

                @jospoortvliet said:

                There is a PHP version warning. That PHP version is old and no longer supported by the PHP project. Yes, there might not be a newer version from your vendor for your platform. That does not make it any less outdated etc etc etc.

                Ah, but it does. It makes this a bug. It makes this ownCloud's problem. Why are you throwing an error for a fully updated, fully supported PHP version? Don't try to claim that it isn't. What it is not is not supported by PHP. If you mention PHP's support, that means we have a disconnect. We are in IT, not home hobbyists. Our support is from Red Hat, not PHP. Who gets support from PHP? Seriously?

                This is a scary disconnect from how IT and Linux work. Here are some problems:

                • ownCloud doesn't understand their target platform.
                • ownCloud is throwing errors on things it doesn't understand.
                • ownCloud is stating that things are old that are not. PHP on CentOS is fully up to date, it's just a different family. The patch level on it is very current. It is a misunderstanding of the version levels causing the issue.

                All of these things are worrisome. Very, very worrisome when you claim that you trust your internal "security" guy who is missing these very, very basic concepts of the platforms he's supposed to be your expert on!!

                Look, these are warnings. If you're confident there is no problem, you can ignore them. This is the community edition of ownCloud: it is for common home users, not for large enterprises. These warnings are meant to help home users who run ownCloud on their raspberry pi to get a more secure setup. If this is confusing a professional sysadmin - well, I expect them to be able to figure out what to do more than home users.

                The enterprise edition comes with a phone number to dial in these cases. I think you're taking this a little too seriously, to be honest. We're trying to be helpful and easy to use here.

                scottalanmillerS 3 Replies Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @jospoortvliet
                  last edited by

                  @jospoortvliet said:

                  Let me be clear: nobody gets any support until they PAY. Then they get a contract.

                  Yeah, I get it, you want to make money. Of course. But the first rule of getting people to pay for support is demonstrating that you care about making a good solid product, fixing things when they are wrong, not ignoring when people are trying to help you and understanding how the product is supposed to work.

                  1 Reply Last reply Reply Quote 1
                  • scottalanmillerS
                    scottalanmiller @jospoortvliet
                    last edited by

                    @jospoortvliet said:

                    Look, these are warnings. If you're confident there is no problem, you can ignore them.

                    This is not a professional response to being informed clearly that there is a bug.

                    You just told me to ignore a bug. Are we 100% clear that that's what's going on? Is that how ownCloud feels about security issues? Sweep them under the rug? Be wrong and hope that users ignore them?

                    jospoortvlietJ 1 Reply Last reply Reply Quote 0
                    • jospoortvlietJ
                      jospoortvliet Vendor @scottalanmiller
                      last edited by

                      @scottalanmiller said:

                      @jospoortvliet said:

                      We could disable these errors - it might make you feel better but it would make your platform equally insecure. That is called a false sense of security. Gosh, I expected that you'd appreciate the fact that we won't do that.

                      Honestly, I find your attitude offensive. This is pathetic. The errors are wrong and that's obvious. Your security guy is a fraud and you are clearly trying to cover for him. I'm sure you're a small company and he's a friend but I'm sorry, he's making you look bad and you are making the company look worse.

                      These aren't real errors, the security issue isn't a problem. Sorry if I trust Red Hat engineering more than a random guy who clearly doesn't understand the platform. Feel free to prove me wrong but you crossed a line here and I don't feel that ownCloud has any clout to stand on here and needs to prove itself anew. This is a ridiculous, offensive statement.

                      Seriously? There is ONE error with a bad wording. I'll report it. The other errors - they are good warnings as far as I can tell - at least - I have not seen any evidence that they are not (in which case I could submit a bug report, perhaps). Again, this is to help people secure their system.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @jospoortvliet
                        last edited by

                        @jospoortvliet said:

                        These warnings are meant to help home users who run ownCloud on their raspberry pi to get a more secure setup. If this is confusing a professional sysadmin - well, I expect them to be able to figure out what to do more than home users.

                        But it doesn't help home users, it would be totally wrong and misleading for them. For those who aren't experts, it might make them do some seriously bad things. For those who are experts, it makes us question the team making the product.

                        What's the upside to bugs and security mistakes?

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @jospoortvliet
                          last edited by

                          @jospoortvliet said:

                          I think you're taking this a little too seriously, to be honest. We're trying to be helpful and easy to use here.

                          You feel that I'm taking ownCloud more seriously than ownCloud does? That's not a good stance.

                          I'm also trying to make it helpful and easy. I've pointed out where it fails to do that and instead of taking that advice, you are defending bugs and being hard or confusing to use so that only experts can figure out that ownCloud has bugs rather than thinking that they could not set it up properly.

                          Honestly, your latest responses make me wonder if these aren't intentional flaws to make lesser admins feel that they need to pay for support. Is it normal for support to disable the alerts? Or to break the RPM repos? How do the paid support people resolve these bugs for customers? Or do they just tell them to ignore them?

                          1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @jospoortvliet
                            last edited by

                            @jospoortvliet said:

                            Seriously? There is ONE error with a bad wording. I'll report it. The other errors - they are good warnings as far as I can tell - at least - I have not seen any evidence that they are not (in which case I could submit a bug report, perhaps). Again, this is to help people secure their system.

                            So far every error we've looked at is wrong and the only one that might be right we have no reason to even suspect is right. Sure, it is only a few, but that you feel any confidence that the remaining one is real seems odd. Why do you even feel that that is likely? Especially given the solid explanations as to why we assume it is wrong based on the same misunderstandings as the other ones.

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller
                              last edited by

                              NSS is from January. You say that there are details as to why this is outdated (sorry, it's current again) and insecure. But I see no details on that one either. Here are the RPM details. NSS 3.19.1-19 is only a few weeks old. And it is the most current version for RHEL.

                              rpm -qi nss-3.19.1-19.el7_2.x86_64
                              Name        : nss
                              Version     : 3.19.1
                              Release     : 19.el7_2
                              Architecture: x86_64
                              Install Date: Fri 15 Jan 2016 03:26:22 PM UTC
                              Group       : System Environment/Libraries
                              Size        : 2609903
                              License     : MPLv2.0
                              Signature   : RSA/SHA256, Thu 07 Jan 2016 10:18:33 PM UTC, Key ID 24c6a8a7f4a80eb5
                              Source RPM  : nss-3.19.1-19.el7_2.src.rpm
                              Build Date  : Thu 07 Jan 2016 08:31:16 PM UTC
                              Build Host  : worker1.bsys.centos.org
                              Relocations : (not relocatable)
                              Packager    : CentOS BuildSystem <http://bugs.centos.org>
                              Vendor      : CentOS
                              URL         : http://www.mozilla.org/projects/security/pki/nss/
                              Summary     : Network Security Services
                              Description :
                              Network Security Services (NSS) is a set of libraries designed to
                              support cross-platform development of security-enabled client and
                              server applications. Applications built with NSS can support SSL v2
                              and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
                              v3 certificates, and other security standards.
                              
                              1 Reply Last reply Reply Quote 1
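
An added example, not written by any poster in this thread and not ownCloud's or Red Hat's code: it contrasts a check on the upstream version string alone with one that also reads the package changelog, where RHEL/CentOS packages record backported fixes. The `rpm -qi` fields come from the post above; the changelog text, the `3.20` threshold and the `CVE-0000-0001` placeholder are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Inputs are embedded so it runs without rpm installed.

# Fields from the `rpm -qi` output quoted in the post above.
RPM_INFO='Name        : nss
Version     : 3.19.1
Release     : 19.el7_2
Build Date  : Thu 07 Jan 2016 08:31:16 PM UTC
Vendor      : CentOS'

# Constructed text in the layout `rpm -q --changelog <pkg>` prints.
# CVE-0000-0001 and the bug number are placeholders, not real advisories.
RPM_CHANGELOG='* Thu Jan 07 2016 Packager <packager@example.org> - 3.19.1-19
- Backport fix for CVE-0000-0001
- Resolves: Bug 0000001
* Mon Nov 02 2015 Packager <packager@example.org> - 3.19.1-18
- Rebuild'

# rpm_field FIELD: print the value of one "Key : value" line.
rpm_field() {
  printf '%s\n' "$RPM_INFO" |
    awk -F' *: ' -v k="$1" '$1 == k { print substr($0, index($0, ":") + 2); exit }'
}

# version_lt A B: succeed if dotted numeric version A is lower than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if ((x[i] + 0) < (y[i] + 0)) exit 0
      if ((x[i] + 0) > (y[i] + 0)) exit 1
    }
    exit 1   # equal versions are not "lower"
  }'
}

# naive_check MIN: looks only at the upstream Version field.
naive_check() {
  if version_lt "$(rpm_field Version)" "$1"; then echo outdated; else echo current; fi
}

# changelog_fix CVE: print the version-release of the changelog entry that
# mentions CVE. The changelog belongs to the installed package, so a hit
# means the installed build already contains that entry.
changelog_fix() {
  printf '%s\n' "$RPM_CHANGELOG" | awk -v id="$1" '
    /^\* /        { entry = $NF }       # entry header ends in version-release
    index($0, id) { print entry; exit }'
}

# assess MIN CVE: combine both signals instead of trusting the version alone.
assess() {
  ver=$(rpm_field Version); rel=$(rpm_field Release)
  fixed=$(changelog_fix "$2")
  if [ -n "$fixed" ]; then
    echo "patched: $2 fixed in $fixed (installed $ver-$rel)"
  elif version_lt "$ver" "$1"; then
    echo "review: $ver-$rel below $1 and no changelog entry for $2"
  else
    echo "ok: $ver-$rel"
  fi
}

echo "version-string check:  $(naive_check 3.20)"
echo "changelog-aware check: $(assess 3.20 CVE-0000-0001)"
```

On a real host the two embedded variables would be filled from `rpm -qi nss` and `rpm -q --changelog nss`.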
                              • scottalanmillerS
                                scottalanmiller
                                last edited by

                                So, now that we've covered that ALL of the alerts are incorrect and that this is clearly very confusing to anyone who isn't a confident Linux admin... why are we getting these errors? They cannot help someone who isn't an expert, and they aren't useful to us. They would be very harmful to normal users trying to just run the system.

                                1 Reply Last reply Reply Quote 0
                                • scottalanmillerS
                                  scottalanmiller
                                  last edited by

                                  So just to recap:

                                  • Internet Access Not Working: False. Internet access is just fine.
                                  • cURL / NSS Out of Date: False. Current and patched. Latest from Red Hat.
                                  • PHP Unsupported: False / Tricky. Unsupported by someone who is not the support vendor, so very misleading to anyone that isn't an expert and worthless to anyone who is.
                                  • CentOS 7 Out of date: False. Turns out that the concept of the target platform is misunderstood and is actually fully up to date.

                                  Does this make it clear why we see these as problematic?

                                  1 Reply Last reply Reply Quote 1
                                  • jospoortvlietJ
                                    jospoortvliet Vendor @scottalanmiller
                                    last edited by jospoortvliet

                                    @scottalanmiller said:

                                    @jospoortvliet said:

                                    Look, these are warnings. If you're confident there is no problem, you can ignore them.

                                    This is not a professional response to being informed clearly that there is a bug.

                                    You just told me to ignore a bug. Are we 100% clear that that's what's going on? Is that how ownCloud feels about security issues? Sweep them under the rug? Be wrong and hope that users ignore them?

                                    YOU say they are bugs. I don't. I believe they are real issues a sysadmin should fix. You claim our security guy is incompetent and you trust Red Hat. Fine. Just two links then about PHP:
                                    https://access.redhat.com/solutions/641423
                                    https://bugzilla.redhat.com/show_bug.cgi?id=662707

                                    Here's the cURL bug, yes, related to a NSS issue: https://bugzilla.redhat.com/show_bug.cgi?id=1241172

                                    As I said - before I take your input as 'bug reports' I need some proof that these warnings are wrong. For now, I have some reason to think it is GOOD to warn of projects no longer supported by upstream: clearly, distributions don't do a good job keeping up with issues in them and clearly, our warnings (no matter how annoying) are helpful.

                                    Ok, let me give you one more then: https://statuscode.ch/2016/02/distribution-packages-considered-insecure so you can read a bit from the guy we're talking about. There's a reason Lukas is pretty well known in the security world - he knows his stuff. And works for us. These warnings are there because these ARE issues. Perhaps not today because RH just fixed one - but again next week as they are 'maintaining' something which isn't easy to maintain and they don't do such a great job. Wait, wasn't that what you said yourself about LTS earlier? Ah!

                                    Oh and really, if you're right about our security guy, you can make loads of money: https://hackerone.com/owncloud

                                    If you don't mind, I'll retreat from this conversation. If the three links above are not enough proof that these warnings are useful - nothing will be. I honestly think you're barking up the wrong tree - we are careful to warn when there's a serious potential for trouble. Maybe that's zealous - overzealous even. But better safe than sorry.

                                    JaredBuschJ scottalanmillerS 6 Replies Last reply Reply Quote 0
                                    • JaredBuschJ
                                      JaredBusch @jospoortvliet
                                      last edited by

                                      @jospoortvliet said:

                                      If you don't mind, I'll retreat from this conversation. If the three links above are not enough proof that these warnings are useful - nothing will be.

                                      Then I hope you don't mind if I quit recommending ownCloud as a viable solution to my clients.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 2
                                      • scottalanmillerS
                                        scottalanmiller @jospoortvliet
                                        last edited by

                                        @jospoortvliet said:

                                        YOU say they are bugs. I don't. I believe they are real issues a sysadmin should fix.

                                        Okay, whatever. Clearly I'm taking your platform way too seriously.

                                        jospoortvlietJ 1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @JaredBusch
                                          last edited by

                                          @JaredBusch said:

                                          @jospoortvliet said:

                                          If you don't mind, I'll retreat from this conversation. If the three links above are not enough proof that these warnings are useful - nothing will be.

                                          Then I hope you don't mind if I quit recommending ownCloud as a viable solution to my clients.

                                          I certainly no longer see them as a business class solution. What a joke.

                                          1 Reply Last reply Reply Quote 0
                                          • jospoortvlietJ
                                            jospoortvliet Vendor @scottalanmiller
                                            last edited by jospoortvliet

                                            @scottalanmiller said:

                                            @jospoortvliet said:

                                            YOU say they are bugs. I don't. I believe they are real issues a sysadmin should fix.

                                            Okay, whatever. Clearly I'm taking your platform way too seriously.

                                            Seriously? You didn't read the links? Wow. Good night...

                                            scottalanmillerS JaredBuschJ 2 Replies Last reply Reply Quote 0