ownCloud 9 is Here
-
I'm not saying CENTOS or RHEL are not supported. I'm saying that those old versions ship with software with some know security issues and we warn for that. That is all. We're not in charge nor feel responsible for fixing those problems - they are Red Hat's or CentOS' problems, simple as that. But we want ownCloud users to be aware of problems we detect.
In case of the 'no internet access', this can be caused by a number of problems, from missing proper certificates to other stuff. I don't know why we don't give a more specific error message - perhaps nobody had time to investigate it, perhaps it is impossible as it is on a level below ownCloud (CURL is used by PHP which is used by ownCloud - we might not have access to the error that CURL throws).
Generally, the error is related to broken/insecure openSSL. My security guy tells me we actually do catch the broken-curl thing separately but some others are bunched together still.
Obviously, if customers bump into this, our support helps them track down the exact problem. There are probably even knowledge base articles available on our enterprise site on this subject. But that's different from users of the community edition of course. They have each other and the forums and github... Well, and a bit of me sometimes
-
@scottalanmiller said:
What's even crazier is that the worst possible option would be Ubuntu LTS. All of the "out of date" of something like CentOS 7 yet without the support infrastructure. ownCloud said that they are not in the distro business. Yet... they build their appliances on the most out of date, least supported option of the bunch, Ubuntu 14.04!! So these things totally conflict. ownCloud themselves is actively promoting the least business class, least supported, most out of date option while telling us that we are out of date and unsupported for trying to do the opposite.
I find this very upsetting. The message to the customers is extremely mixed.
A clarification: a customer is somebody who is paying us. Our messaging to them is on owncloud.com and perfectly clear with regards to platforms - CENTOS and RHEL are actually the preferred platforms, and ownCloud 9 is not available for customers at all.
-
@jospoortvliet said:
I'm not saying CENTOS or RHEL are not supported. I'm saying that those old versions ship with software with some know security issues and we warn for that. That is all. We're not in charge nor feel responsible for fixing those problems - they are Red Hat's or CentOS' problems, simple as that. But we want ownCloud users to be aware of problems we detect.
What old versions? We are clearly showing you that it is CentOS 7.2 release 1511. This is the most current and up to date version of CentOS that exists.
-
@jospoortvliet said:
I'm not saying CENTOS or RHEL are not supported. I'm saying that those old versions ship with software with some know security issues and we warn for that. That is all. We're not in charge nor feel responsible for fixing those problems - they are Red Hat's or CentOS' problems, simple as that. But we want ownCloud users to be aware of problems we detect.
But you are still calling them problems. That, itself, is a problem. You are saying that the platform itself is a problem. This isn't a bug, this is the concept of the platform.
-
On a different note, with each release our packages have been in flux - we very much recognize that by trying to provide packages, we've taken on a task which seems to be too large. We might do what most other PHP web apps do - just offer zip and tar balls. But that's up in the air, I really don't know what we'll do here. Help with packaging is obviously welcome...
-
@jospoortvliet said:
@scottalanmiller said:
What's even crazier is that the worst possible option would be Ubuntu LTS. All of the "out of date" of something like CentOS 7 yet without the support infrastructure. ownCloud said that they are not in the distro business. Yet... they build their appliances on the most out of date, least supported option of the bunch, Ubuntu 14.04!! So these things totally conflict. ownCloud themselves is actively promoting the least business class, least supported, most out of date option while telling us that we are out of date and unsupported for trying to do the opposite.
I find this very upsetting. The message to the customers is extremely mixed.
A clarification: a customer is somebody who is paying us. Our messaging to them is on owncloud.com and perfectly clear with regards to platforms - CENTOS and RHEL are actually the preferred platforms, and ownCloud 9 is not available for customers at all.
You just got done say that they are problems, said that we run old versions for using them and acted like they are jokes that need to be warned about. You are warning about the use of your preferred distro? Something is very wrong.
-
@scottalanmiller said:
@jospoortvliet said:
I'm not saying CENTOS or RHEL are not supported. I'm saying that those old versions ship with software with some know security issues and we warn for that. That is all. We're not in charge nor feel responsible for fixing those problems - they are Red Hat's or CentOS' problems, simple as that. But we want ownCloud users to be aware of problems we detect.
But you are still calling them problems. That, itself, is a problem. You are saying that the platform itself is a problem. This isn't a bug, this is the concept of the platform.
well, if you are running a broken CURL or openSSL, we warn you. If those come with your platform, even if we support that platform, it is still broken, so we warn you. I don't see how that is bad...
-
@jospoortvliet said:
On a different note, with each release our packages have been in flux - we very much recognize that by trying to provide packages, we've taken on a task which seems to be too large. We might do what most other PHP web apps do - just offer zip and tar balls. But that's up in the air, I really don't know what we'll do here. Help with packaging is obviously welcome...
Packaging is good, but I would limit it to platforms that you feel are modern and supportable. If you feel the need to warn, I would hesitate to provide a package in the same way as the full support packages.
-
@scottalanmiller said:
@jospoortvliet said:
On a different note, with each release our packages have been in flux - we very much recognize that by trying to provide packages, we've taken on a task which seems to be too large. We might do what most other PHP web apps do - just offer zip and tar balls. But that's up in the air, I really don't know what we'll do here. Help with packaging is obviously welcome...
Packaging is good, but I would limit it to platforms that you feel are modern and supportable. If you feel the need to warn, I would hesitate to provide a package in the same way as the full support packages.
Yeah, that's sane, I don't disagree with you here. But we also have to provide what users need - and many run RHEL and CENTOS. And, as there are ways to fix the problems we point out (you can grab a newer openSSL or CURL), we warn...
And we did drop a number of platforms to keep things more manageable... Hope this will help improve stuff.
-
@jospoortvliet said:
well, if you are running a broken CURL or openSSL, we warn you. If those come with your platform, even if we support that platform, it is still broken, so we warn you. I don't see how that is bad...
Because you are warning about the most recent, fully supported platform options. Is cURL broken? I'm not sure that I agree. Being misused, certainly. You aren't warning that cURL is old, you are throwing a false error for something you didn't even check for.
I think you need to think about this as an end user. I see no warning that cURL is out of date, I see a warning that ownCloud isn't reporting things properly. That's a very different thing.
-
@jospoortvliet said:
Yeah, that's sane, I don't disagree with you here. But we also have to provide what users need - and many run RHEL and CENTOS. And, as there are ways to fix the problems we point out (you can grab a newer openSSL or CURL), we warn...
But many of us only did that because we thought that that was what was recommended. I'm rebuilding my install with Suse now to avoid the "unsupported out of date" issue you said in the other thread.
-
@scottalanmiller said:
@jospoortvliet said:
Yeah, that's sane, I don't disagree with you here. But we also have to provide what users need - and many run RHEL and CENTOS. And, as there are ways to fix the problems we point out (you can grab a newer openSSL or CURL), we warn...
But many of us only did that because we thought that that was what was recommended. I'm rebuilding my install with Suse now to avoid the "unsupported out of date" issue you said in the other thread.
Even though he just said above that CentOS is preferred. See:
@jospoortvliet said:
A clarification: a customer is somebody who is paying us. Our messaging to them is on owncloud.com and perfectly clear with regards to platforms - CENTOS and RHEL are actually the preferred platforms, and ownCloud 9 is not available for customers at all.
-
@jospoortvliet said:
In case of the 'no internet access', this can be caused by a number of problems, from missing proper certificates to other stuff
So from an end user perspective, you need to understand that this says "ownCloud is broken and blaming other people."
If a certificate is missing and you throw a "no Internet" warning, you have a bug. Whether some other library has a bug too may or may not be the case, but isn't relevant here. The issue here is falsely throwing an Internet error when it is clearly not the case and should never be thrown given the issues at hand.
-
@JaredBusch said:
@scottalanmiller said:
@jospoortvliet said:
Yeah, that's sane, I don't disagree with you here. But we also have to provide what users need - and many run RHEL and CENTOS. And, as there are ways to fix the problems we point out (you can grab a newer openSSL or CURL), we warn...
But many of us only did that because we thought that that was what was recommended. I'm rebuilding my install with Suse now to avoid the "unsupported out of date" issue you said in the other thread.
Even though he just said above that CentOS is preferred. See:
@jospoortvliet said:
A clarification: a customer is somebody who is paying us. Our messaging to them is on owncloud.com and perfectly clear with regards to platforms - CENTOS and RHEL are actually the preferred platforms, and ownCloud 9 is not available for customers at all.
But he also said "that might actually be because we don't support your old OS anymore?"
That was in reference to CentOS 7 in the other thread. IF the preferred OS is no longer supported, I'm hearing that ownCloud has gone out of support across the board. That doesn't make sense. There is no supported OS?
-
@jospoortvliet said:
well, if you are running a broken CURL or openSSL, we warn you. If those come with your platform, even if we support that platform, it is still broken, so we warn you. I don't see how that is bad...
PHP wasn't broken, though. That was the issue that was more key. PHP was fully up to date on a fully updated install, fully supported by the correct vendor and yet still the alert.
-
@scottalanmiller said:
@JaredBusch said:
@scottalanmiller said:
@jospoortvliet said:
Yeah, that's sane, I don't disagree with you here. But we also have to provide what users need - and many run RHEL and CENTOS. And, as there are ways to fix the problems we point out (you can grab a newer openSSL or CURL), we warn...
But many of us only did that because we thought that that was what was recommended. I'm rebuilding my install with Suse now to avoid the "unsupported out of date" issue you said in the other thread.
Even though he just said above that CentOS is preferred. See:
@jospoortvliet said:
A clarification: a customer is somebody who is paying us. Our messaging to them is on owncloud.com and perfectly clear with regards to platforms - CENTOS and RHEL are actually the preferred platforms, and ownCloud 9 is not available for customers at all.
But he also said "that might actually be because we don't support your old OS anymore?"
That was in reference to CentOS 7 in the other thread. IF the preferred OS is no longer supported, I'm hearing that ownCloud has gone out of support across the board. That doesn't make sense. There is no supported OS?
I realize that. The entire thing makes no sense and is clearly to me an attempt to push blame.
I love the ownCloud platform but this attitude sucks.
-
@JaredBusch said:
I love the ownCloud platform but this attitude sucks.
That's the feeling that I have. It's an amazing product, but these are weird excuses. I can't figure out how I would be expected to run this without being blamed for ownCloud's errors. They won't recommend a deployment option that isn't out of support.
-
@scottalanmiller said:
@jospoortvliet said:
well, if you are running a broken CURL or openSSL, we warn you. If those come with your platform, even if we support that platform, it is still broken, so we warn you. I don't see how that is bad...
PHP wasn't broken, though. That was the issue that was more key. PHP was fully up to date on a fully updated install, fully supported by the correct vendor and yet still the alert.
perhaps we're mixing up things here. Let's go back to the image we're talking about:
There is a cURL warning. The system uses an outdated NSS version. There might not be a newer version from your vendor, but that does not make it any less outdated or insecure - bug your vendor. You have a problem with us warning you about issues in a platform, even if we support that platform? Sorry, that's a no-fix. We warn of issues, even if we can't fix them.
There is a PHP version warning. That PHP version is old and no longer supported by the PHP project. Yes, it there might not be a newer version from your vendor for your platform. That does not make it any less outdated etc etc etc.
We could disable these errors - it might make you feel better but it would make your platform equally insecure. That is called a false sense of security. Gosh, I expected that you'd appreciate the fact that we won't do that.
Now the 'no internet access' error above it - this is most likely caused by the cURL version. What the error warns about is simple: ownCloud tries to connect to https://www.owncloud.org - if it can't, it gives this warning. There can be 100 reasons why it can't connect: a broken DNS, no network connection, a broken PHP, the wrong moon phase and many more. Some of these we can detect and give more detailed errors (that's why we warn about cURL and PHP there!), others we can't detect. Doesn't mean there is no problem, so we'll still tell you about it. What you do with it - well, Google the problem, ask on a forum or, if you have a support contract, call our support.
Again, you want us not to warn even though there IS something broken, even though we can't figure out exactly what it is? Wow! I hear this from our support team too - some admins want warnings to disappear without having to actually solve the problem. Well, the customer is always right I guess, but I wouldn't hire somebody with the attitude of ignoring problems rather than fixing them. No offense.
Then about the term 'supported platforms' you seem to consider 'vague' from me. First, I didn't know what centOS version was being used so perhaps I was to quick saying it might not be supported. Supported is CentoS 7. But the term 'support' seems mis-understood here, too.
Let me be clear: nobody gets any support until they PAY. Then they get a contract. If you have no contract, the term 'support' means the same as it means when you hear it from Ubuntu, KDE, LibreOffice and everything else which is free and from a community of volunteers: it means we do our best to run on these platforms. NOTHING MORE. We certainly don't promise these platforms are awesome and great for our software. Those platforms might suck and in that case, we give you warnings. We feel no obligation to fix those problems - you, as sysadmin, can, if you like. You probably should, but - that is not our call. If we fail in anything, well, you can file a bug or help us fix it - we're an open source project (until somebody pays us, then we're ownCloud, Inc. and they get to yell at us all they want).
I hope that that is clear and sane.
Of course, if this level of transparency makes you feel uncomfortable or unable to trust us, there are plenty of projects out there who would be happy to not spend any resources and time on warning their users about security or performance issues at all and paper over any problems of the underlying platform. I know there is no other open source file sync and share which has a decent security vulnerability disclosure policy, for example - and no publicity about security bugs might mean there are none, at least to some people. Good that there is choice, right?
-
@jospoortvliet said:
There is a cURL warning. The system uses an outdated NSS version. There might not be a newer version from your vendor, but that does not make it any less outdated or insecure - bug your vendor. You have a problem with us warning you about issues in a platform, even if we support that platform? Sorry, that's a no-fix. We warn of issues, even if we can't fix them.
Are you confident that you are checking that correctly? Is the RHEL version not patched? Have you confirmed that? If so, then okay, good catch. But from the other things, I'm guessing that this is based on an incorrect assumption and is a false alarm. The track record thus far of crying wolf has already made me sceptical of claims like this.
Do you have information on what this version is not patched?
-
@jospoortvliet said:
Then about the term 'supported platforms' you seem to consider 'vague' from me. First, I didn't know what centOS version was being used so perhaps I was to quick saying it might not be supported. Supported is CentoS 7. But the term 'support' seems mis-understood here, too.
Looking for a version that doesn't cause ownCloud to ever consider saying that maybe we are on an outdated and unsupported OS. I want the version that ownCloud stands behind and takes ownership of working on. I want the version that the conversation that happened won't happen on.