Ubuntu, ownCloud, and a hidden dark side of Linux software repositories
The version of ownCloud in Ubuntu's Universe repository is old and full of "multiple critical security vulnerabilities." It's no secret. The ownCloud project itself asked Ubuntu to remove it so users wouldn't be running vulnerable server software. Ubuntu suggested to ownCloud that they should take over maintaining it instead. ownCloud thought that was silly: they just want to write software, not maintain it in every distribution's repositories.
Ubuntu is finally taking action and uploading an empty package that will disable the vulnerable ownCloud server software on Ubuntu 14.04 systems. But this entire weeks-long ordeal demonstrates a serious weakness in the way Linux software is packaged, distributed, and updated.
Why is there vulnerable software in Ubuntu's repositories?
Most Linux users get their software through their Linux distribution's package repositories. Linux users are told this is the best, most secure way to get software. You can easily install it from a centralized source, and your Linux distribution is then responsible for updating it for you and getting you timely security updates.
That's how it should work, but that's not how it always works. In this case, ownCloud is included in Ubuntu's "Universe" repository, which is full of community-maintained software. Canonical and the core Ubuntu developers haven't committed to supporting this software with security updates.
Steam in the Ubuntu Software Center.
The Ubuntu Software Center provides a small warning about this, but most Linux users won't see it. The Universe repository is enabled by default, so most Linux users have no idea that most of the software in the Ubuntu Software Center isn't officially supported by Ubuntu with security updates.
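The distinction the article is describing is visible from the command line, and a server administrator should check it rather than rely on the Software Center's warning. The following POSIX shell script is an added example, not code from the PCWorld article or from Ubuntu or ownCloud: it parses the `release` lines that `apt-cache policy <package>` prints (whose `c=` field names the archive component: main, restricted, universe or multiverse) and maps the component to Canonical's support commitment. The two blocks of `apt-cache policy` output below are constructed samples with placeholder version numbers, so the script runs offline; the field layout follows the real tool's output format.

```shell
#!/bin/sh
# Added example: which Ubuntu archive component does a package come from,
# and does Canonical's security team cover it?  Only main and restricted
# receive committed security updates; universe and multiverse are
# community-maintained.  Sample `apt-cache policy` output below is
# constructed (version numbers are placeholders, not real releases).

# component_from_policy: read `apt-cache policy <pkg>` text on stdin and
# print the component (the c=... field) of the first release line in the
# version table, i.e. the candidate version's archive.  Prints nothing
# for a package that exists only in /var/lib/dpkg/status (no release line).
component_from_policy() {
    sed -n 's/.*release .*[ ,]c=\([a-z]*\).*/\1/p' | head -n 1
}

# support_status: map a component to the support commitment behind it.
support_status() {
    case "$1" in
        main|restricted)     echo "canonical-supported" ;;
        universe|multiverse) echo "community-maintained" ;;
        *)                   echo "unknown" ;;
    esac
}

# report NAME POLICY_TEXT: one summary line per package.
report() {
    comp=$(printf '%s\n' "$2" | component_from_policy)
    comp=${comp:-unknown}
    echo "$1: $comp ($(support_status "$comp"))"
}

# Constructed sample resembling `apt-cache policy owncloud` on 14.04:
# the package sits in trusty/universe.
SAMPLE_OWNCLOUD='owncloud:
  Installed: 6.0.1-1
  Candidate: 6.0.1-1
  Version table:
 *** 6.0.1-1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        release v=14.04,o=Ubuntu,a=trusty,n=trusty,l=Ubuntu,c=universe
        100 /var/lib/dpkg/status'

# Constructed sample for a main package receiving trusty-updates.
SAMPLE_APACHE2='apache2:
  Installed: 2.4.7-1ubuntu4
  Candidate: 2.4.7-1ubuntu4
  Version table:
 *** 2.4.7-1ubuntu4 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        release v=14.04,o=Ubuntu,a=trusty-updates,n=trusty,l=Ubuntu,c=main
        100 /var/lib/dpkg/status'

# Constructed sample for a locally installed .deb with no archive origin.
SAMPLE_LOCAL='mytool:
  Installed: 1.0
  Candidate: 1.0
  Version table:
 *** 1.0 0
        100 /var/lib/dpkg/status'

# Stand-alone demonstration.
report owncloud "$SAMPLE_OWNCLOUD"
report apache2  "$SAMPLE_APACHE2"
report mytool   "$SAMPLE_LOCAL"
```

On a real 14.04 machine the same functions apply to live output, for example `apt-cache policy owncloud | component_from_policy`, or over everything installed with `dpkg-query -W -f='${Package}\n' | while read -r p; do report "$p" "$(apt-cache policy "$p")"; done`. A package that reports `universe` or `multiverse` is in exactly the position ownCloud is in here: whether it ever gets a security update depends on a community member choosing to do the work.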
The Ubuntu community, in this case whoever uploaded and packaged the software in the first place, is responsible for putting together updated, secure ownCloud packages so users can get those security updates.
The developer who was working on ownCloud seems to have lost interest, so updates haven't been issued since January. There's no indication they'll issue an update.
This is a dark, invisible truth about the way most Linux distributions' software repositories work. You're dependent on a community member to get you any security updates, and they have no real obligation to you. They may move on to something else and leave vulnerable software on your system.
As Canonical's Marc Deslauriers explained on the mailing list: "The owncloud package in Ubuntu is in universe, which means it's maintained by the Ubuntu community. Someone needs to step up and take care of it. If nobody does that, then it unfortunately stays the way it is."
ownCloud and Ubuntu go back-and-forth
To fix this problem, ownCloud took the extremely unusual step of sending a message to the Ubuntu mailing list, asking the Ubuntu developers to remove the package from the repositories. They have no legal right to demand this, of course; it's open-source software. But they'd like to prevent their users from using this old, vulnerable software.
Their proposal seemed simple. After all, Ubuntu's developers could issue a new version of the package that was entirely empty. ownCloud would be removed when a user updated their system. Those users could then install ownCloud from the packages ownCloud provides for Ubuntu, which are built by the openSUSE Build Service. ownCloud would be responsible for getting security updates onto their users' systems in a timely fashion.
A vulnerable version of ownCloud installed from Ubuntu repositories.
Ubuntu's developers initially balked at this. Why, this isn't the way the system works! The package is now locked into the stable release and shouldn't receive any major changes, even though it's a fundamentally insecure piece of server software. Actually removing it would be highly unusual. They proposed that ownCloud should take over maintenance of the ownCloud packages in Ubuntu and keep them up-to-date. At the very least, it was ownCloud's job to create an empty package and go through the official process to push it out.
ownCloud's developers thought this was crazy. They want to focus on creating software, and they already provide a single place where Linux users can get packages and updates for various Linux distributions. They don't want to spend time packaging their software for a myriad of different Linux distributions and maintaining it in various different repositories. As ownCloud's Lukas Reschke explained:
"From my side, my work is done here, I have pinged the responsible persons via multiple channels and if they have no intentions to fix the problems on their own we can fine life (sic) with that and will just add a big security warning to our installation guide."
During the back-and-forth, Ubuntu users were left with this outdated, vulnerable server software for weeks longer.
ownCloud isn't in Ubuntu 14.10's repositories, but it is in Ubuntu 14.04's repositories. Thankfully, Ubuntu is now in the process of pushing out an empty package to remove the vulnerable version of ownCloud. Kubuntu's Jonathan Riddell stepped up to do the necessary work, disabling the package.
This happens regularly
This isn't a one-time problem, although it is a big deal this time because it's a piece of server software we're talking about, software that's exposed directly to the Internet where it could be compromised.
In the past, I have personally reported similar security bugs directly to Ubuntu in Launchpad. In the most egregious case, the version of Java added to the Multiverse repository in partnership with Sun, complete with enthusiastic talk in the media about how Sun was "working directly in partnership with Canonical" on the packaging, was left as old, vulnerable software. Ubuntu just didn't think it was their job to provide updated, secure versions of Java for the current Ubuntu release, even when they released that security update for the future, in-development releases of Ubuntu. Here's the sad bug report from 2007.
Ultimately, the multitude of different Linux distributions with their own package repositories and formats creates problems. Packages are often created and maintained by volunteers who may walk away at any time. There's no way around this, and it's a serious problem on Linux.
Thankfully, common server software like Apache and desktop software like Firefox get more attention. For example, these are part of the "Main" repository on Ubuntu, where Canonical commits to providing timely security updates for them. Beware server software that is only supported by the community.
Source: https://www.pcworld.com/article/436288/ubuntu-owncloud-and-a-hidden-dark-side-of-linux-software-repositories.html
Posted by: youngtwored.blogspot.com