October 2, 2015
As of October I'm switching things up a bit, and giving the freelance life a shot again.
It's a bit of a scary step! If you know anyone who might need a PHP programmer for a short or long-term project, perhaps you can consider me!
My resume is right here at: http://evertpot.com/resume.html. My end game is to work regularly for a small set of recurring customers, but any step that helps me get there is very appreciated!
Install ownCloud on openSUSE Tumbleweed for Banana Pi M1
October 1, 2015
There's a tutorial on how to create an openSUSE Tumbleweed SD card with MATE. You can follow that tutorial without installing MATE and keep the system headless. Alternatively, download the headless image openSUSE-Tumbleweed-BananaPi-headless-20150928.tar.xz (username: root, password: linux) and continue with this tutorial.
Here we'll see how to install ownCloud on openSUSE for Banana Pi M1.
At the end of this tutorial there is a link to an image with ownCloud already installed. Please use an SD card of at least 2GB, and either re-partition the SD card or use a USB stick to hold the ownCloud data directory.
Let's start with the procedure.
1. Install ownCloud from the repository. Using the repository means you get automatic updates.
zypper install owncloud
Don't be put off by the fact that this is the Factory repository: it is the official one from ownCloud and the only one built for ARM boards.
This installs all necessary files, including apache2 and mariadb. At the end it asks whether you want to see information about setting up MariaDB, which reads:
You can start it using:
During first start empty database will be created for your automatically.
PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:
'/usr/bin/mysqladmin' -u root password 'new-password'
'/usr/bin/mysqladmin' -u root -h
Alternatively you can run:
which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.
Regarding the servers apache and mariadb: if you are the only user of the ownCloud instance and don't mind slower performance, you can use SQLite. If the instance has more users, MariaDB is the better choice. The same goes for apache: for lighter installations you can use lighttpd or nginx. Here I used apache2, but the database is up to you: either use SQLite or set up a MariaDB database.
To set up a MariaDB database, run the following commands in the MariaDB client:
CREATE DATABASE owncloudb;
GRANT ALL ON owncloudb.* TO ocuser@localhost IDENTIFIED BY 'dbpass';
2. Edit php.ini.
Open php.ini in your editor and change the following settings (you can search by pressing Ctrl+W):
upload_max_filesize = 25G
max_file_uploads = 200
max_input_time = 3600
max_execution_time = 3600
session.gc_maxlifetime = 3600
memory_limit = 512M
3. Enable and start the webserver.
systemctl enable apache2.service
systemctl start apache2.service
4. Create the data directory
It is recommended to use a data directory located on another partition of your SD card or on a USB stick. The image needs a 2GB SD card at minimum, so the card alone won't leave you enough storage for your data.
Let's say you have a USB stick mounted under /mnt/USB. Create the directory and give it the right permissions (wwwrun is the user apache2 runs as on openSUSE):
mkdir -p /mnt/USB/owncloud_data
chmod -R 0770 /mnt/USB/owncloud_data
chown wwwrun /mnt/USB/owncloud_data
5. Final ownCloud installation.
Open your browser at the IP address of your Banana Pi.
Set a username and password for the administrator account. For security, choose a username other than admin, root, administrator or superuser.
Then set the data folder (in our example, /mnt/USB/owncloud_data).
Choose whether you want MariaDB or SQLite.
If you choose MariaDB, you need to have created the database first (the same commands as in step 1):
CREATE DATABASE owncloudb;
GRANT ALL ON owncloudb.* TO ocuser@localhost IDENTIFIED BY 'dbpass';
and you're all set.
Alternatively, you can download the ready-made image openSUSE-Tumbleweed-20150930-BananaPi-ownCloud-8.1.3.tar.xz and just set up ownCloud as described in step 5.
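As an added example (not part of the original tutorial), the following script automates steps 2 and 4: it sets the six php.ini directives above idempotently, handling both active and commented-out lines, and checks that the data directory has the 0770 mode and owner the tutorial asks for. The file paths and the sample php.ini fragment are constructed for the demonstration, and the owner name is a parameter because wwwrun only exists on openSUSE.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes GNU sed/stat (Linux).

# set_php_ini FILE KEY VALUE: replace an active or commented-out (";KEY = ...")
# line with "KEY = VALUE", or append the directive if KEY is absent.
set_php_ini() {
    file=$1 key=$2 value=$3
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    if grep -Eq "^[[:space:]]*;?[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*;?[[:space:]]*${key_re}[[:space:]]*=.*|${key} = ${value}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_php_ini FILE KEY: print the effective (last, uncommented) value of KEY.
get_php_ini() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${key_re}[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# apply_owncloud_php_settings FILE: the six directives the tutorial changes.
apply_owncloud_php_settings() {
    set_php_ini "$1" upload_max_filesize 25G
    set_php_ini "$1" max_file_uploads 200
    set_php_ini "$1" max_input_time 3600
    set_php_ini "$1" max_execution_time 3600
    set_php_ini "$1" session.gc_maxlifetime 3600
    set_php_ini "$1" memory_limit 512M
}

# check_data_dir DIR OWNER: succeed only if DIR exists, is mode 0770 and is
# owned by OWNER (wwwrun on openSUSE). Anything looser lets other local
# accounts read the files ownCloud stores there.
check_data_dir() {
    [ -d "$1" ] || return 1
    mode=$(stat -c '%a' "$1") && owner=$(stat -c '%U' "$1") || return 1
    [ "$mode" = 770 ] && [ "$owner" = "$2" ]
}

# Demonstration on a constructed php.ini fragment (not a real system file).
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
; constructed sample fragment
upload_max_filesize = 2M
max_file_uploads = 20
;max_input_time = 60
memory_limit = 128M
EOF
apply_owncloud_php_settings "$demo_ini"
grep -E '^(upload_max_filesize|max_input_time|session\.gc_maxlifetime) ' "$demo_ini"
rm -f "$demo_ini"
```

Note that PHP also caps uploads at post_max_size, so keep that directive at least as large as upload_max_filesize or 25G uploads will still fail.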
ownCloud Contributor Conference Videos Coming Online!
September 30, 2015
A few weeks ago we went home after rocking a great ownCloud Contributor Conference in Berlin! The event kicked off with two great keynotes and a series of lightning talks and workshops. The keynotes and lightning talks were recorded and we promised to get them online as soon as possible. Today, we published both exciting keynotes and the first handful of lightning talks! Read on to find out where to watch the awesome.
We covered some of the announcements from the keynotes earlier but now you get to watch the full talks by theater director Angela Richter and ownCloud project leader Frank Karlitschek yourself!
Angela showed us how the ‘supernerds’ show, featuring well known whistle blowers like Julian Assange and Edward Snowden, mixed theater and live television with hacking the mobile phones in the audience, using their private data to show the impact of pervasive surveillance. It was an exciting talk with some interesting twists.
Frank introduced the User Data Manifesto 2.0, Security Bug Bounties and the ownCloud Proxy app in his keynote following Angela.
We’ve put most of the lightning talks from the first day up on YouTube as well. You can find them in the Conference 2015 playlist following the keynotes. We will publish more videos the coming weeks, you can subscribe to our YouTube Channel to be notified when they appear.
Check out, for example, the talk on Encryption 2.0 or the state of ownCloud Security 2015. Find out what happened with LDAP since last year, how we plan to deal with terabyte files in the future, or how to build a community around your app! Those and many more talks can be seen, starting with Thomas Hildmann from the TU Berlin welcoming us to the university below.
Thanks to the CCC Video Operation Center for providing video and audio equipment and the streaming infrastructure.
ownCloud security development over the years
September 29, 2015
A deep look at the numbers
It has been over three years now since ownCloud decided in 2012 to issue security advisories for each vulnerability at owncloud.org/security/ following industry best practice. We take this very seriously and create advisories even for very minor issues.
What I have noticed is that people aren’t certain how to take this massive list of advisories or CVE identifiers or they take it as a sign of a bad security track record. If we’d stop putting so much effort into finding and fixing security problems, which would decrease the number of advisories, ownCloud wouldn’t necessarily become more secure. And in fact we are also constantly working on improving and hardening our code base even more.
But advisories do contain information about the security of a project. If there are very few or none, you can guess that the project is not being audited for security issues. Alternatively, perhaps security problems aren’t reported, which takes away the ability for their users to deal with security vulnerabilities. But if there are a lot of security advisories, you have to dig a little deeper to find out what the real state of security is.
And, to illustrate what I mean, let me share the following image by @altonncf:
What this statistic shows is that statistics are a dangerous thing, as it is easy to correlate the wrong data and reach wrong conclusions. I recommend taking a look at the Black Hat 2013 talk “Buying into the Bias: Why Vulnerability Statistics Suck”, which explains in depth why analyzing vulnerability statistics is difficult.
That does not mean you can’t get a lot of information from a list of vulnerabilities, and in the rest of this blog I will do just that. Comparing the different kinds of problems found with the way they were found, and plotting that over time, will give us some insight into how ownCloud has become what is, in my opinion, the most secure open source file sync and share solution on the market.
Let me first share the definition of some terms we use in the following graphs:
- Vulnerabilities which may allow an adversary to gain complete control over the server or all files on it. This includes for example Remote Code Executions or SQL Injections.
- Vulnerabilities allowing the adversary to gain complete control over a single user session. This includes for example Cross-Site-Scripting vulnerabilities.
- Vulnerabilities that can only be exploited in very rare cases or have marginal impact.
When talking about ownCloud one has to differentiate between the “ownCloud Server” on its own which is the release you can download from https://owncloud.org/install/ as well as “community applications” such as the calendar or contacts application.
Generally speaking, “ownCloud Server” includes everything which is also supported by ownCloud, Inc., the company behind the ownCloud project that employs a lot of the core maintainers to work on “ownCloud Server”. Community applications are however not supported by ownCloud, Inc. and do usually receive not too many commits by employees of ownCloud, Inc. That does not mean we don’t look at security vulnerabilities in them, but they are lower priority and I would discourage using too many community apps on a security critical system.
Of course, you could set up multiple ownCloud instances in separate virtual machines or completely separate systems, some hosting the more sensitive data in a minimal setup, other data being hosted in a more full-featured installation. Our Federated Cloud Sharing technology can help you mesh these systems together so they act, to the end user, as a single ownCloud!
Let’s take a look at the number of vulnerability reports we have received since 2012. Please note that these numbers are not necessarily identical to the number of advisories, as one advisory might have fixed multiple vulnerabilities.
As can be seen, over the years the number of discovered vulnerabilities has gone down significantly, which implies that finding security vulnerabilities has gotten much harder. This is, for example, caused by the massive amount of security hardening that we perform for each release.
What can also be seen is that a significant share of vulnerabilities are in fact located within the community apps and not in the ownCloud Server itself, meaning that people who do not have these apps installed (including users of the Enterprise Edition) are not affected by these vulnerabilities.
When talking about vulnerabilities it is always important to look at who reported the problem. Was it the vendor who is actively searching for security vulnerabilities or are all vulnerabilities reported by third-parties?
Our statistics clearly show that most issues are discovered internally. This becomes even more visible when we break it down by year.
As can be seen, in 2012 and 2013, while most bugs were discovered internally, there was still a substantial number of externally reported vulnerabilities.
Starting with 2014 and 2015, all critical vulnerabilities have been discovered solely internally, and the number of externally reported vulnerabilities has decreased rapidly as ownCloud heavily increased its investment in improving security.
Furthermore, many of these “Critical” issues only occur in very specific environments and sometimes require very unlikely prerequisites. One of these vulnerabilities, for example, required the attacker to control the responses of the “dropbox.com” domain (which we connect to using HTTPS and certificate pinning!) as well as a Dropbox storage being mounted in the user profile. One can arguably say that this kind of vulnerability is very hard and unlikely to be exploited in real life. We fixed this issue anyway and created an advisory for it.
What do these numbers mean? As I wrote previously one should always take statistics with a grain of salt, but we internally have concluded that:
- Finding security bugs has effectively become much harder over time, and we’re working on continuing this trend.
- Critical security issues have become much harder to spot and usually require a deep understanding of the ownCloud code base to discover.
On the other hand, this also implies that everybody who complains about ownCloud being insecure because of having so many advisories is ignoring that most of these issues are in fact discovered internally and fixed in a transparent way. Many vendors tend not to disclose their security problems, which makes them look better if one simply looks at factors such as the number of advisories.
While these numbers in no way indicate that ownCloud is a perfectly secure solution, they do show that we really care about security, and that looking at numbers only is an unsuitable way to compare the security of products.
By the way, we do run a Bug Bounty program at HackerOne and if you believe to have found a security vulnerability we would like to encourage you to submit it to us. You’ll get a bounty for each valid and qualifying report – so far, we have received hundreds of reports but only one minor issue in the ownCloud server resulted in a combined USD 50 payout so I’m feeling quite confident about our security right now. This issue did not affect the integrity or data security of the instance and only leaked the installation path of the ownCloud instance. (usually
Material Design and File Copy in the Latest ownCloud Android App – a Tale of Community
September 28, 2015
We just made the ownCloud Android Client version 1.8 available on the Google Play Store and other stores, see our website. This new version introduced three major new features: Material Design, the file copy feature and a text file preview function. Besides that, there are several bug fixes and smaller features like an update to the latest ownCloud Server share API and many other user interface improvements and performance enhancements.
To celebrate this release, we’ve asked some of the most active community contributors to share what they have been working on and how it will impact your experience with the app.
Starting with the new design of the app, we asked AndyScherzinger for his thoughts. His work on Material Design, the new ‘design language’ for Google’s Android platform, was his first contribution to ownCloud and he was glad to give some deeper insight into what was achieved. The description of the new features below comes directly from him! Click on the screenshots to see full versions.
Action bar and drawer
The first obvious part that shows you the newly added material design is the new action bar and its drawer.
Besides the general style we introduced two minor changes here, showing the user of the active account and adding icons to support the identification of the different actions.
The revamped dialogs are simply a design change from a visual point of view. We restyled all dialogs throughout the app which means we had to work on the alert dialogs, pop-ups and so on. For the file menu we did not just materialize the style but also added the file name so you can identify the file for which you are about to choose an action and it also brings the dialog in line with the iOS app.
With this release we ship an all new icon set for the general icons within the app (e.g. on the action bar) and also the new icons introduced in ownCloud 8.2. These icons keep the app visually consistent with the web front-end and also add to the overall Material Design.
Development Challenge: Dialogs and Buttons
So that is it for the visual changes. Since I worked on the code changes needed to move to Material Design, I would now like to talk about the challenges we faced during this process and share with you the things we learned down the road.
We integrated the latest version of Google’s AppCompat library, which offers you the ability to implement features of newer Android versions in a backwards compatible way. So the first thing we did after integrating the new library version was switching to the AppCompat theme to have Material Design activated for all the Android versions we support (Ice Cream Sandwich onwards). Test-driving the change on a device running Lollipop seemed fine, but checking out the new design on a non-Lollipop version showed the buttons in a non-Material design, and the dialogs were not rendered correctly either, see screenshot.
You won’t see these glitches in our release. We had to re-implement the dialogs and buttons using the AppCompat provided button and dialog implementation to get this issue solved.
Further things to come & Call to actions
We aren’t finished with our work on materializing the app’s design. So you can expect further changes. Things we are currently working on are:
- floating action button
- highlighting the primary action button
- visually consistent style of the check boxes throughout the app
These are just some things to expect in the future Material-wise and, like mentioned before, this has been my first contribution. During the time we moved to Material Design I had a lot of support from the community and the ownCloud team – be it discussions with other developers and designers, test support from QA or prioritization and feedback from scrum masters. I was just looking for a self-hosted cloud storage solution that also offers mobile clients, and both the Open Source approach and the support from the community gave me a chance to give back and say thank you by contributing to its development.
This won’t be my last contribution (see bullet list above) and due to my experience during my first contribution I can only recommend to everyone who is thinking about it to visit the issue trackers on Github, start a discussion and give it a try.
So have fun with this new release and stay tuned for the things to come in the future!
File Copy and text file preview
The second major feature in this Android App release is the File Copy feature. This allows you to copy files around in ownCloud from within the client. This was developed by stoyicker, initially as part of a project for his masters at University. We’ll let him describe how he got involved and why:
I began contributing to ownCloud for Android along with some friends for one of the subjects in my master program. We began by studying, among others, the Google Play entry and the GitHub Issues section to create somewhat of a set of features and fixes to find items to work on.
After completing our first item, we showed our scrum board to some people in ownCloud and got positive comments. Things went on, and we merged things like a Gradle build script (conversation here).
With time, the subject finished but I decided to stick around for a little bit longer to finish merging some of the items that I had developed and were still hanging, like text file preview or file copy.
You can see the pull request for file copy here – it was a large piece of work and took quite a while to be reviewed, tested, improved and included.
As mentioned by Jorge, besides the file copy feature, he also contributed the text file preview function which is part of this release.
We want to thank both Andy and Jorge for their contributions – and, of course, the many other contributors who make the ownCloud Android client as awesome as it is, including another regular contributor, tobiasKaminsky who has no less than 14 open and 32 closed pull requests on his name…
The upcoming ownCloud Android Client release is slated for shortly before the end of the year and will include some more major contributions by community members. Among them some significant improvements to the auto-upload feature (based on work by LukeOwncloud) and updates to the synchronization capabilities of the client.
You can see what is planned here, and the team is always looking forward to more input. Also, I’d like to point out that testing and reviewing are actually serious bottlenecks in getting improvements into the Android client. There are no less than 35 open pull requests at the time of this writing. Some of those are quite technical improvements from new contributors (like these), and testing them takes time.
You’ll understand that help with reviewing, catching bugs and testing of the many improvements is very much appreciated! Even if you’re not a super experienced Android developer, it is very helpful to look at the code proposed in the pull requests and just ask questions about pieces you find odd or where you suspect a problem might hide. Questions are never stupid and every problem found by re-examining the code saves time testing and reviewing for final inclusion.
But besides that, the team also very much welcomes small papercuts and visual improvements to the Android app. The smaller a PR is, the easier it is to review and get it merged quickly – something to keep in mind for any new contributor!
The team has designated over a dozen items as “contributions are welcome”. These are great to get started with and we certainly look forward to your pull requests!