Request: Removal of "ownCloud" package from ubuntu
marc.deslauriers at canonical.com
Wed Oct 22 15:16:55 UTC 2014
On 2014-10-22 10:18 AM, Lukas Reschke wrote:
> Hi list members,
> On behalf of the ownCloud project (www.owncloud.org) I’m requesting that “ownCloud server” is removed from the Ubuntu packages: http://packages.ubuntu.com/trusty/owncloud (including all versions) - Let’s hope that this is finally the right ML for this kind of request.
> These packaged versions are all vulnerable to multiple critical security bugs and no security fixes have been backported. For a reference of security bugs, please visit http://owncloud.org/security/advisories/
> Those security bugs allow an unauthenticated attacker to gain complete control over the web server process.
> We would highly appreciate if those insecure packages could get removed. On a related note, even the Debian project has decided to only package the most recent release of ownCloud via their backports repository (https://packages.debian.org/wheezy-backports/owncloud)
> Furthermore, we’re also offering DEB packages via OBS by ourselves: http://owncloud.org/install/
> Is there anything I can do to get this done? - We’re faced with more and more users who have those versions installed and this is very troubling.
As I mentioned to you by email, it's not possible to remove packages from the
Ubuntu archive release pocket.
You can do one of the following things:
1- Create updated packages for older releases and get them approved by the SRU team.
2- Backport specific security fixes to the versions that shipped and get them
sponsored by the security team.
3- Create package updates that basically remove all functionality (ie: an empty
package). This has a serious impact on users and would need to possibly get
accepted by the SRU team or the technical board before it would get approved
into the archive.
Does anyone from the SRU team care to comment on what would be acceptable?