Some recent articles such as “ownCloud Asks Canonical to Remove Their Software from Ubuntu Repos, Sparks Fly“, and “ownCloud Ubuntu package affected by multiple critical security issues, nobody to fix it” got published and caused a stir in social media. The issue was even featured on Slashdot. Those articles were based on a request sent by one of our security team members to Ubuntu requesting the removal of an older “ownCloud” package on Ubuntu. While initially a subject for debate, the request was later approved by the Ubuntu Council, and prompted them to develop a policy to deal with outdated software in their repositories. The incident shows how independent open source projects sometimes struggle to deliver stable and secure software to their users within the current Linux Distribution Model.
Upstream and downstream
Where in the Windows and Apple world, users get their software directly from vendors and projects like Adobe or Mozilla, Linux has traditionally worked with a model more like the App stores most mobile users are familiar with. The distributions take the source code from the various Open Source projects, calling them ‘upstream’ – the code ‘flows down’ to them. Then it gets pre-packaged and distributed with a convenient set of installation and configuration tools, making up the familiar distributions like Ubuntu, Fedora, Gentoo or openSUSE.
This model ensures that users can expect their software to be:
- Safe – Distributions do their own security checks and are generally more able to follow what is going on in the various projects they ship software from than typical end users could. This helps against spyware and other malicious features.
- Stable – Distributions make sure all software works together in the distribution and do integration testing. Building software from an ecosystem as diverse as the Open Source ecosystem is notoriously hard.
- Efficient – Distributions build software in a way that it shares functionality (in “shared libraries”). This saves disk space and memory, and helps the performance of your computer.
- Secure – When a security issue is found, distributions can ensure a quick and system-wide security response due to their control over the entire software stack. This provides some protection against viruses and similar threats.
On top of the above, distributions commit to supporting software for the lifetime of their release, often backporting security and stability fixes for a time longer than the original Open Source projects provide them. This gives users a longer time span to plan and prepare migration to a newer platform.
But where the distributions take more control over the software, independent projects and vendors lose their ability to get software directly to their users. The software in a specific version of a specific distribution is often ‘frozen’ for everything but security improvements and bug fixes so users will end up behind on feature releases much of the time. And while the distributions’ update mechanisms provide a consistent and reliable mechanism to distribute security updates, it does require work on the side of the distributions. And that does not always go as well as you would hope, which brings us to the Ubuntu Universe repository.
Introducing the Universe
Ubuntu comes with four different repositories:
- Main – Officially supported software.
- Restricted – Supported software that is not available under a completely free license.
- Universe – Community maintained software, i.e. not officially supported software.
- Multiverse – Software that is not free.
The ownCloud server was offered within the “Universe” repository, meaning that Ubuntu users could install the version offered by Ubuntu’s repositories with a simple
apt-get install ownCloud. Provided that the “Universe” repository is enabled, which it is by default.
As ownCloud is mainly used by privacy- and security-minded users our utmost priority is to keep our users and their data secure. With the version used in the Ubuntu repository this was, to our regrets, not possible to guarantee anymore. The version included within the Universe repository for Ubuntu 12.04 is 5.0.4 while the latest version available is actually 5.0.17. In other words, since about 18 months no security or bug fixes have been backported to the version in Universe!
Many users are not aware of the fact that the “Universe” repository is considered completely unsupported by Canonical and that even applications with known vulnerabilities will not get removed. This is of course inherent to the way the Universe package repository relies on volunteers to keep packages updated. Unfortunately this creates a potential danger for users, negating many of the advantages distributions are supposed to offer users over self-obtained software!
This fact lead to the decision to send an informal removal request to Canonical (the company behind Ubuntu). Initially, a Canonical employee requested that either the ownCloud Project or volunteers should create package updates for the Ubuntu distribution. ownCloud does indeed provide packages for a wide variety of Linux distributions thanks to the Open Build Service, but these are not part of distributions like Ubuntu as that would require going through a (more or less) extensive bureaucratic process for each distribution, as well as complying to stringent standards and limitations, making it hard for ownCloud to provide what we consider the best experience to our users and adding significantly to our workload.
At an Ubuntu Council meeting it was decided that the package included in Ubuntu would be replaced with an ’empty’ package build by Kubuntu maintainer Jonathan Riddell that would suggest to the user to use the packages provided by ownCloud directly. The team also initiated the development of guidelines for removal of packages on request by upstream projects like ownCloud.
With software such as ownCloud, where the release cycles are very fast, the traditional packaging model does not seem to work very well anymore. Software updates are released nearly monthly and these regular updates require package maintainers to keep always up-to-date with the fast-paced ownCloud development. That’s why we at ownCloud have decided to maintain our packages for a wide variety of operating systems in a central place, thanks to the Open Build Service. Unfortunately, as of today there is no way yet to make those automatically updated packages easily available in Ubuntu and other distros, even if that technically would be an easy task.
Maybe the time has come to discuss again whether the traditional packaging model is still suitable for every kind of software. New models like the app stores have shown that a closer collaboration of software vendor and distributor can provide a better end user experience and perhaps the Linux distributions can take some cues from it. A solution which combines the benefits of centralized control and distribution with a transparent process and the ability for Open Source projects and ISV’s to quickly deliver software to their end users should be possible.
An ambitious approach has been proposed by the systemd developers though it is far from being reality, relying on advanced technologies which are years from wide adoption. Of course the Open Build Service which we use provides another approach, far closer to the current software distribution model. It solves much of the current problems thanks to abilities like connecting different Build Services together and transparently supporting a wide variety of OS’es, not limited to Linux either, ownCloud uses OBS to build its Windows packages too. Adoption by more Linux distributions (even if only by running one instance for a limited subset of software) would make life for upstream projects like ownCloud far easier.
But whatever solution will gain steam, the key factor will have to be that it is open and inclusive enough for the various distributions to rally around. We look forward to what the global Free and Open Source Software community comes up with!