Want to stay up to date on Linux, BSD, Chrome OS, and the rest of the World Beyond Windows? Bookmark the World Beyond Windows column page or follow our RSS feed.

Image: A vulnerable version of ownCloud installed from Ubuntu repositories.

OwnCloud isn't in Ubuntu 14.10's repositories, but it is in Ubuntu 14.04's repositories. The developer who was working on ownCloud seems to have lost interest, so updates haven't been issued since January. There's no indication they'll issue an update.

This isn't a one-time problem, although it is a big deal this time because it's a piece of server software we're talking about: software that's exposed directly to the Internet, where it could be compromised. In the past, I have personally reported several security bugs directly to Ubuntu in Launchpad. In the most egregious case, the version of Java added to the Multiverse repository in partnership with Sun (complete with glowing talk in the media about how Sun was "working directly in partnership with Canonical" on the packaging) was left as an old, vulnerable package. Ubuntu just didn't think it was their job to provide updated, secure versions of Java for the current Ubuntu release, even when they released that security update for the future, in-development releases of Ubuntu.

The dark side of community-supported development

This is a dark, hidden truth about the way most Linux distributions' software repositories work. The Universe repository is enabled by default, so most Linux users have no idea that most of the software in the Ubuntu Software Center isn't officially supported by Ubuntu with security updates. The Ubuntu Software Center provides a little warning about this, but most Linux users won't see it.

The Ubuntu community, in this case whoever uploaded and packaged the software in the first place, is responsible for putting together updated, secure ownCloud packages so users can get those security updates. You're dependent on a community member to get you any security updates, and they have no real obligation to you. They may move on to something else and leave vulnerable software on your system.

Removing the package would have been straightforward. After all, Ubuntu's developers could issue a new version of the package that was entirely empty. OwnCloud would be removed when a user updated their system. Those users could then install ownCloud from the packages ownCloud provides for Ubuntu, which are created by the openSUSE build service.

Ubuntu's developers initially balked at this. Why, this isn't the way the system works! The package is now locked in for the stable release and shouldn't have any major changes, even though it's a fundamentally insecure piece of server software. Actually removing it would be highly unusual. At the very least, it was ownCloud's job to create an empty package and go through the bureaucratic process to push it out. They proposed that ownCloud should take over maintenance of the ownCloud packages in Ubuntu and keep them up to date. ownCloud would be responsible for updating their users' systems with the security updates in a timely fashion.

OwnCloud's developers thought this was crazy. They don't want to spend time packaging their software for a myriad of different Linux distributions and maintaining it in various different repositories. They want to focus on creating software, and they already provide a single place where Linux users can get packages and updates for various Linux distributions. As one of them put it: "From my side, my work is done here, I have informed the responsible persons via multiple channels and if they have no intentions to fix the problems on their own we can very well life (sic) with that and will just add a big security warning to our installation guide."

During the back-and-forth, Ubuntu users were left with that old, vulnerable server software for weeks longer.

Thankfully, Ubuntu is now in the process of pushing out an empty package to remove the vulnerable version of ownCloud. Kubuntu's Jonathan Riddell stepped up to do the necessary work, defusing the situation.
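The point made above about the Universe repository is something an administrator can check for any installed package rather than relying on the Software Center's warning. The shell snippet below is an added example written for this page, not code from the article, from ownCloud or from Ubuntu. It parses the output format of `apt-cache policy` and reports which archive component (main, restricted, universe, multiverse) supplies the candidate version; only main and restricted are maintained by Ubuntu's security team. The policy listings it runs on are constructed samples (the version string 1.2.3-1 is a placeholder), so it runs offline; on a real 14.04 system you would pipe the actual output of `apt-cache policy owncloud` into the same function.

```shell
#!/bin/sh
# Constructed sample of `apt-cache policy owncloud` output on Ubuntu 14.04.
# The version string 1.2.3-1 is a placeholder, not a real ownCloud package version.
SAMPLE_POLICY='owncloud:
  Installed: 1.2.3-1
  Candidate: 1.2.3-1
  Version table:
 *** 1.2.3-1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status'

# Second constructed sample: the package is installed but no enabled archive
# offers it any more, so only the local dpkg record remains.
SAMPLE_POLICY_LOCAL='owncloud:
  Installed: 1.2.3-1
  Candidate: 1.2.3-1
  Version table:
 *** 1.2.3-1 0
        100 /var/lib/dpkg/status'

# Read an `apt-cache policy <pkg>` listing on stdin and print the archive
# component that supplies the candidate version, or "unknown" when no
# archive line is found for it.
policy_component() {
    awk '
        $1 == "Candidate:" { cand = $2; next }
        # Version-table entry for the candidate: " *** <ver> <prio>" or "     <ver> <prio>".
        cand != "" && !hit && ($1 == cand || ($1 == "***" && $2 == cand)) { hit = 1; next }
        # Archive source line under that entry, e.g.
        # "500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages":
        # the component is the last element of the "suite/component" field.
        hit && $2 ~ /:\/\// { n = split($3, parts, "/"); print parts[n]; found = 1; exit }
        # "/var/lib/dpkg/status" is the locally installed record, not an archive.
        hit && $2 ~ /^\// { next }
        # Anything else is the next version entry: the candidate has no archive source.
        hit { exit }
        END { if (!found) print "unknown" }
    '
}

# Only main and restricted are maintained by the Ubuntu security team;
# universe and multiverse packages get updates only if a community member
# provides them. Returns 0 (true) for the supported components.
is_security_supported() {
    case "$1" in
        main|restricted) return 0 ;;
        *) return 1 ;;
    esac
}

# Summarise one package from its policy listing on stdin.
report_package() {
    comp=$(policy_component)
    if is_security_supported "$comp"; then
        echo "component $comp: covered by Ubuntu security updates"
    else
        echo "component $comp: NOT covered by Ubuntu security updates (community-maintained or unavailable)"
    fi
}

printf '%s\n' "$SAMPLE_POLICY" | report_package
printf '%s\n' "$SAMPLE_POLICY_LOCAL" | report_package
```

Two caveats when running this against a live system: a PPA also labels its packages as "main", so look at the mirror URL in the policy output as well as the component, and a "supported" component only tells you whose job the updates are, not that an update for a given bug exists. Ubuntu releases of that era also ship an `ubuntu-support-status` script (in update-manager-core) that prints this breakdown for every installed package at once.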