Linux Distributions and Open Source projects

Some recent articles such as “ownCloud Asks Canonical to Remove Their Software from Ubuntu Repos, Sparks Fly” and “ownCloud Ubuntu package affected by multiple critical security issues, nobody to fix it” got published and caused a stir in social media. The issue was even featured on Slashdot. Those articles were based on a request sent by one of our security team members to Ubuntu, asking for the removal of an older “ownCloud” package from Ubuntu. While initially a subject for debate, the request was later approved by the Ubuntu Council, and prompted them to develop a policy to deal with outdated software in their repositories. The incident shows how independent open source projects sometimes struggle to deliver stable and secure software to their users within the current Linux distribution model.

Upstream and downstream

Whereas in the Windows and Apple world users get their software directly from vendors and projects like Adobe or Mozilla, Linux has traditionally worked with a model more like the app stores most mobile users are familiar with. The distributions take the source code from the various Open Source projects, calling them ‘upstream’ because the code ‘flows down’ to them. It then gets pre-packaged and distributed with a convenient set of installation and configuration tools, making up the familiar distributions like Ubuntu, Fedora, Gentoo or openSUSE.

This model ensures that users can expect their software to be:

  • Safe – Distributions do their own security checks and are generally more able to follow what is going on in the various projects they ship software from than typical end users could. This helps against spyware and other malicious features.
  • Stable – Distributions make sure all software works together in the distribution and do integration testing. Building software from an ecosystem as diverse as the Open Source ecosystem is notoriously hard.
  • Efficient – Distributions build software in a way that it shares functionality (in “shared libraries”). This saves disk space and memory, and helps the performance of your computer.
  • Secure – When a security issue is found, distributions can ensure a quick and system-wide security response due to their control over the entire software stack. This provides some protection against viruses and similar threats.

On top of the above, distributions commit to supporting software for the lifetime of their release, often backporting security and stability fixes for a time longer than the original Open Source projects provide them. This gives users a longer time span to plan and prepare migration to a newer platform.

But where the distributions take more control over the software, independent projects and vendors lose their ability to get software directly to their users. The software in a specific version of a specific distribution is often ‘frozen’ for everything but security improvements and bug fixes, so users will end up behind on feature releases much of the time. And while the distributions’ update mechanisms provide a consistent and reliable way to distribute security updates, they do require work on the side of the distributions. That does not always go as well as you would hope, which brings us to the Ubuntu Universe repository.

Introducing the Universe

Ubuntu comes with four different repositories:

  • Main – Officially supported software.
  • Restricted – Supported software that is not available under a completely free license.
  • Universe – Community maintained software, i.e. not officially supported software.
  • Multiverse – Software that is not free.

The ownCloud server was offered within the “Universe” repository, meaning that Ubuntu users could install the version offered by Ubuntu’s repositories with a simple apt-get install owncloud, provided that the “Universe” repository is enabled, which it is by default.

As ownCloud is mainly used by privacy- and security-minded users, our utmost priority is to keep our users and their data secure. With the version used in the Ubuntu repository this was, to our regret, no longer something we could guarantee. The version included within the Universe repository for Ubuntu 12.04 is 5.0.4, while the latest version available is actually 5.0.17. In other words, for about 18 months no security or bug fixes have been backported to the version in Universe!

Many users are not aware that the “Universe” repository is considered completely unsupported by Canonical and that even applications with known vulnerabilities will not be removed. This is of course inherent to the way the Universe package repository relies on volunteers to keep packages updated. Unfortunately this creates a potential danger for users, negating many of the advantages distributions are supposed to offer over self-obtained software!
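A check of the kind this post implies, as an added example that is not part of the original post: it parses the output of apt-cache policy (a constructed sample here, so it runs offline) to see which Ubuntu component a package comes from and whether the upstream version it ships lags the latest release the project publishes. The Debian revision string in the sample and the dotted-number version comparison are assumptions; dpkg’s own comparison rules are richer than this.

```python
import re

# Constructed sample of `apt-cache policy owncloud` output on an Ubuntu 12.04
# host. The "+dfsg-0ubuntu1" revision is an assumption; 5.0.4 is the upstream
# version the post names for the Universe package.
SAMPLE_POLICY = """\
owncloud:
  Installed: 5.0.4+dfsg-0ubuntu1
  Candidate: 5.0.4+dfsg-0ubuntu1
  Version table:
 *** 5.0.4+dfsg-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages
        100 /var/lib/dpkg/status
"""

# Components Canonical does not officially support, per the post.
UNSUPPORTED_COMPONENTS = {"universe", "multiverse"}

# Matches the origin lines of the version table:
#   "        500 http://host/ubuntu/ precise/universe amd64 Packages"
ORIGIN_RE = re.compile(r"^\s+\d+\s+(\S+)\s+(\S+)/(\S+)\s+\S+\s+Packages")


def upstream_version(debian_version):
    """Reduce a Debian version to its leading upstream numbers.

    '1:5.0.4+dfsg-0ubuntu1' -> (5, 0, 4). Epoch, +dfsg suffix and the
    Debian revision are dropped; only dotted integers are compared.
    """
    no_epoch = debian_version.split(":", 1)[-1]
    m = re.match(r"(\d+(?:\.\d+)*)", no_epoch)
    if m is None:
        raise ValueError("cannot parse upstream version from %r" % debian_version)
    return tuple(int(part) for part in m.group(1).split("."))


def parse_policy(text):
    """Return (candidate_version_or_None, [(suite, component), ...])."""
    candidate = None
    origins = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Candidate:"):
            value = stripped.split(":", 1)[1].strip()
            candidate = None if value == "(none)" else value
        m = ORIGIN_RE.match(line)
        if m:
            origins.append((m.group(2), m.group(3)))
    return candidate, origins


def assess_package(policy_text, latest_upstream):
    """Flag a package that comes from an unsupported component or lags upstream."""
    candidate, origins = parse_policy(policy_text)
    if candidate is None:
        return {"installed": False}
    components = {component for _suite, component in origins}
    shipped = upstream_version(candidate)
    latest = tuple(int(part) for part in latest_upstream.split("."))
    return {
        "installed": True,
        "candidate": candidate,
        "shipped_upstream": ".".join(str(n) for n in shipped),
        "components": sorted(components),
        "unsupported": bool(components & UNSUPPORTED_COMPONENTS),
        "behind": shipped < latest,
    }


if __name__ == "__main__":
    report = assess_package(SAMPLE_POLICY, "5.0.17")
    for key, value in report.items():
        print("%-16s %s" % (key, value))
```

On a live host the same function can be fed the real output of apt-cache policy for any package; both flags set at once is exactly the situation the post describes: an unsupported component shipping a version well behind upstream.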

This led to the decision to send an informal removal request to Canonical (the company behind Ubuntu). Initially, a Canonical employee requested that either the ownCloud project or volunteers create package updates for the Ubuntu distribution. ownCloud does indeed provide packages for a wide variety of Linux distributions thanks to the Open Build Service, but these are not part of distributions like Ubuntu, as that would require going through a (more or less) extensive bureaucratic process for each distribution, as well as complying with stringent standards and limitations, making it hard for ownCloud to provide what we consider the best experience to our users and adding significantly to our workload.

Problem solving

At an Ubuntu Council meeting it was decided that the package included in Ubuntu would be replaced with an ‘empty’ package built by Kubuntu maintainer Jonathan Riddell, which would suggest to the user to use the packages provided by ownCloud directly. The team also initiated the development of guidelines for the removal of packages on request by upstream projects like ownCloud.

With software such as ownCloud, where the release cycles are very fast, the traditional packaging model does not seem to work very well anymore. Software updates are released nearly monthly, and these regular updates require package maintainers to always keep up to date with the fast-paced ownCloud development. That’s why we at ownCloud have decided to maintain our packages for a wide variety of operating systems in a central place, thanks to the Open Build Service. Unfortunately, as of today there is no way yet to make those automatically updated packages easily available in Ubuntu and other distros, even though technically that would be an easy task.

Maybe the time has come to discuss again whether the traditional packaging model is still suitable for every kind of software. New models like the app stores have shown that a closer collaboration between software vendor and distributor can provide a better end user experience, and perhaps the Linux distributions can take some cues from it. A solution which combines the benefits of centralized control and distribution with a transparent process and the ability for Open Source projects and ISVs to quickly deliver software to their end users should be possible.

An ambitious approach has been proposed by the systemd developers, though it is far from being reality, relying on advanced technologies which are years from wide adoption. Of course the Open Build Service which we use provides another approach, far closer to the current software distribution model. It solves many of the current problems thanks to abilities like connecting different Build Services together and transparently supporting a wide variety of OSes, not limited to Linux either: ownCloud uses OBS to build its Windows packages too. Adoption by more Linux distributions (even if only by running one instance for a limited subset of software) would make life for upstream projects like ownCloud far easier.

But whatever solution will gain steam, the key factor will have to be that it is open and inclusive enough for the various distributions to rally around. We look forward to what the global Free and Open Source Software community comes up with!

12 Responses to “Linux Distributions and Open Source projects”

  1. Bill

    This is very frustrating. I originally installed my owncloud from the repository to get a feel for it. Since I liked it and kept using it, I have manually updated it directly from ownCloud’s website, getting the latest and greatest. When I did my Ubuntu updates this morning, I was very flustered when I found that the update with the ‘blank package’ got pushed to my server and it is broken. I am working on re-downloading and reloading it manually, but this is ridiculous. My software was up-to-date. Just because I had originally installed “the package”, I have to go through this mess. I am very disappointed in Ubuntu for not allowing the package to be removed. I understand there are policies and procedures, but in my opinion, this did more harm than good. I understand ownCloud’s decision to put the blank package out there for security reasons, but Ubuntu’s willingness to work with them is just unacceptable. Just a bad situation.

    • Bill

      To top it off, I just found out that it deleted my data folder also. Guess I get to restore that from backup. Hope the backups are good. What a disaster.

      • Jos Poortvliet

        I’m sorry this worked out badly for you. That was certainly not anybody’s intention…

      • Gee Deezy

        Will this happen to me if I install from SUSE repository, as well? I think not, but thought I should ask?

  2. Masoud

    I wish Canonical would move the ownCloud client software to their main repository and partner with the ownCloud community to officially support it for Ubuntu. Given the fact that they no longer offer Ubuntu One file sync, this makes perfect sense for them.

    • Jos Poortvliet

      They could either run an OBS instance and help us maintain the software (to bring it in line with their packaging standards), grab our packages manually (or via the repo we offer) or do it by themselves. The first option would of course be ideal. This is true for all Linux distributions – sadly, this currently isn’t really how distributions are willing to work.

      • Pascal d'Hermilly

        The current OBS approach with e.g. Ubuntu packages is filled with all kinds of risks:
        – The download site does not use SSL (http://software.opensuse.org/download/package?project=isv:ownCloud:community&package=owncloud) – which opens for man-in-the-middle attacks
        – The instructions for getting the GPG key are also without SSL, also allowing for man-in-the-middle.
        I filed a bug with the openSUSE admins a long time ago, but nothing happens. I also told some ownCloud people a long time ago.
        Sooner or later this will be misused.

        • jospoortvliet

          They are accessible over https, but I agree that that should be default… Note that the GPG key DOES go over https, check the link on the owncloud.org/install page.
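The transport concern raised in this thread, as an added example that is not part of the original post or of either commenter’s words: an audit of apt source entries that flags plaintext http repositories and entries that do not pin a signing key with the signed-by option (an apt feature that postdates Ubuntu 12.04), plus a check of a downloaded key file against a digest recorded out of band. The repository hosts and the key bytes are constructed placeholders, not the project’s real addresses; a real deployment would take the expected digest from a trusted channel rather than computing it in the script as done here for self-containment.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Constructed sources.list entries (placeholder hosts under .invalid, not the
# project's real repository addresses): a plaintext entry without a pinned
# key, an https entry with a signed-by keyring, and a plain Ubuntu mirror line.
SAMPLE_SOURCES = """\
# community repository, as a user might have added it by hand
deb http://download.example.invalid/repositories/isv:/ownCloud:/community/xUbuntu_12.04/ /
deb [signed-by=/usr/share/keyrings/example-keyring.gpg] https://download.example.invalid/repositories/isv:/ownCloud:/community/xUbuntu_12.04/ /
deb http://archive.ubuntu.com/ubuntu/ precise main universe
"""

# Constructed stand-in for a downloaded signing key. The digest would normally
# be pinned from an out-of-band source; it is computed here only so that the
# example runs offline.
SAMPLE_KEY = (
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    b"constructed placeholder key material\n"
    b"-----END PGP PUBLIC KEY BLOCK-----\n"
)
SAMPLE_KEY_SHA256 = hashlib.sha256(SAMPLE_KEY).hexdigest()

# One-line sources format: deb|deb-src [options] uri suite [components...]
DEB_LINE_RE = re.compile(
    r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(?:\s+(.*))?$"
)


def audit_sources(text):
    """Return one finding per source line: transport scheme and key pinning."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DEB_LINE_RE.match(line)
        if m is None:
            findings.append({"line": line, "error": "unparsable source line"})
            continue
        options, uri = m.group(2) or "", m.group(3)
        scheme = urlparse(uri).scheme
        findings.append({
            "uri": uri,
            "scheme": scheme,
            # http exposes the package index and the key fetch to tampering
            # in transit; apt's own signature check only helps once the
            # right key is trusted.
            "plaintext_transport": scheme == "http",
            "key_pinned": "signed-by=" in options,
        })
    return findings


def weak_entries(text):
    """Entries worth fixing: unparsable, plaintext transport, or no pinned key."""
    return [
        f for f in audit_sources(text)
        if "error" in f or f["plaintext_transport"] or not f["key_pinned"]
    ]


def verify_pinned_key(key_bytes, expected_sha256_hex):
    """True only when the downloaded key matches the digest pinned out of band."""
    digest = hashlib.sha256(key_bytes).hexdigest()
    return hmac.compare_digest(digest, expected_sha256_hex.lower())


if __name__ == "__main__":
    for finding in weak_entries(SAMPLE_SOURCES):
        print("weak:", finding)
    print("key ok:", verify_pinned_key(SAMPLE_KEY, SAMPLE_KEY_SHA256))
```

The two checks address different layers: the transport audit removes the chance to tamper with what is downloaded, while the digest check catches a substituted key even when the download itself went over https, which is why pinning the key out of band matters more than the scheme in the URL.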

  3. DigitalGoddess

    Two suggestions for the Ubuntu thing. First ask to be moved to multiverse, partner, or extras. I’m not sure which one would be better suited to your needs. However, if you were to do that, you could make the installer a “thin” installer that would fetch the latest version, regardless.

    Secondly, there should be some automatic update/update information. You should consider building some sort of update notifications into the user interface. Email alerts to the sys admins, and possibly a WordPress-esque update mechanism.

    • Jos Poortvliet

      Hmmm, there is the updater app, which does this kind-of. But I don’t believe it currently puts a warning on the admin UI when a new version is out, you have to run it manually. This is a good suggestion, care to create an issue to track it at http://github.com/owncloud/core/issues ???

    • Lauren

      Hi, ownCloud is indeed very promising; one small caveat for me: CalDAV is all well and good, but it isn’t supported by default on Android, for example. So if you want centralized contacts + calendar with access from a mobile, you’ll have to turn to a complete mail solution like Zimbra. On the other hand, an Android client for sending files the way DropBox does (right-click, send to DropBox) would be nice.. I’m in the process of installing ownCloud to test it. But otherwise, for that there is also AjaxExplorer, with an app (?), which I’m testing as well ..