Request: Removal of "ownCloud" package from ubuntu
lukas at owncloud.com
Wed Oct 22 16:35:22 UTC 2014
Marc, I’m somewhat confused by that reply; so it is actually Ubuntu’s stance to include totally outdated software with known security vulnerabilities. If upstream complains then you’re going to force upstream to provide patches? At least for me that sounds really unusual.
While we're pretty much Ubuntu fans here, doing the packaging for every distribution would just take way too much of our time. That’s why we have even created our own repositories at OBS: to be completely independent with our releases. ownCloud is evolving really fast and it does not really make much sense to freeze versions at the moment :-)
Our only intention here is to prevent Ubuntu and ownCloud users from using insecure versions and being at risk unnecessarily. I think this has the potential to harm both our reputations, and we should work together to resolve this.
From my side, my work is done here. I have informed the responsible persons via multiple channels, and if they have no intention to fix the problems on their own, we can very well live with that and will just add a big security warning to our installation guide. That will take much less time to do and has the same result for us.
I want to use this opportunity to state that with other distributions (such as Debian) it was absolutely not a problem to get the frozen packages removed. Debian is currently only shipping the newest ownCloud version via their backports.
If there is anything I can do to have this resolved in another way without investing hours to fix packages, I’m open to any suggestion. I do not really want to add a warning to our installation guide, but if this is the only way to protect our users, I’ll do it.
> On 22 Oct 2014, at 17:16, Marc Deslauriers <marc.deslauriers at canonical.com> wrote:
> As I mentioned to you by email, it's not possible to remove packages from the
> Ubuntu archive release pocket.
> You can either do one of the following things:
> 1- Create updated packages for older releases and get them approved by the SRU team.
> Procedure: https://wiki.ubuntu.com/StableReleaseUpdates
> 2- Backport specific security fixes to the versions that shipped and get them
> sponsored by the security team.
> Procedure: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
> 3- Create package updates that basically remove all functionality (i.e. an empty
> package). This has a serious impact on users and would possibly need to get
> accepted by the SRU team or the technical board before it would get approved
> into the archive.
> Does anyone from the SRU team care to comment on what would be acceptable?