
Ubuntu, ownCloud, and a hidden dark side of Linux software repositories

Chris Hoffman | Nov. 10, 2014
The version of ownCloud in Ubuntu's Universe repositories is old and full of "multiple critical security vulnerabilities." It's no secret. The ownCloud project itself asked Ubuntu to remove it so users wouldn't have vulnerable server software. Ubuntu suggested to ownCloud they should take over maintaining it instead. OwnCloud thought that was ridiculous--they just want to write software and not maintain it in every distribution's repositories.


Ubuntu is finally taking action and uploading an empty package: a newer version of the ownCloud package that installs no files, so that upgrading to it removes the vulnerable server software from Ubuntu 14.04 systems. But this weeks-long ordeal demonstrates a serious weakness in the way Linux software is packaged, distributed, and updated.

Why is there vulnerable software in Ubuntu's repositories?
Most Linux users get their software through their distribution's software repositories, and they are told this is the best, most secure way to get it. You install from a centralized source, and the distribution is then responsible for updating the software and getting you timely security updates.

That's how it should work, but that's not how it always works. In this case, ownCloud is included in Ubuntu's "Universe" repository, which is full of community-supported software. Canonical and the main Ubuntu developers haven't committed to supporting this software with security updates.

The Ubuntu Software Center provides a little warning about this, but most Linux users won't see it. The Universe repository is enabled by default, so most Linux users have no idea that most of the software in the Ubuntu Software Center isn't officially supported by Ubuntu with security updates.
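The check a practitioner wants here is whether a given installed package came from main/restricted (covered by Canonical security updates) or from universe/multiverse (community-maintained). The script below is an added example, not code from the article or from Ubuntu; it parses the text that `apt-cache policy PKG` prints on Ubuntu 14.04 and classifies the installed version by its archive component. The sample policy outputs and their version strings are constructed for illustration, and the `audit_installed` helper, which walks every installed package on a real system, is an assumption about how you would wire it up rather than something the article describes.

```shell
#!/bin/sh
# Added example: classify installed packages by the Ubuntu archive component
# (main/restricted/universe/multiverse) they were installed from, by parsing
# `apt-cache policy` output. Sample outputs below are constructed; the
# version numbers are made up and not real ownCloud versions.

# Read `apt-cache policy PKG` output on stdin and print "suite/component"
# for the installed version (the entry marked with ***), e.g. "trusty/universe".
# Prints "not-installed" if nothing is installed and "not-in-archive" if the
# installed version is only known from /var/lib/dpkg/status.
repo_component() {
    awk '
        /^ \*\*\* /                                  { want = 1; next }   # installed version entry
        want && NF >= 2 && $2 ~ /^(https?|ftp):\/\// { print $3; done = 1; exit }  # archive line: URL suite/component arch Packages
        want && NF >= 2 && $2 !~ /^\//               { print "not-in-archive"; done = 1; exit }  # reached the next version entry
        END { if (!done) print (want ? "not-in-archive" : "not-installed") }
    '
}

# Map "suite/component" to the support expectation the article describes.
support_status() {
    case "${1#*/}" in
        main|restricted)     echo "supported by Canonical (security updates)" ;;
        universe|multiverse) echo "community-maintained (no guaranteed security updates)" ;;
        *)                   echo "unknown" ;;
    esac
}

# Constructed sample: a package installed from trusty/universe.
SAMPLE_UNIVERSE='owncloud:
  Installed: 1.2.3-1
  Candidate: 1.2.3-1
  Version table:
 *** 1.2.3-1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed sample: a package installed from main via trusty-updates.
SAMPLE_MAIN='openssl:
  Installed: 2.0-0ubuntu1
  Candidate: 2.0-0ubuntu1
  Version table:
 *** 2.0-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed sample: installed version no longer present in any archive.
SAMPLE_ORPHAN='somepkg:
  Installed: 1.0-1
  Candidate: 1.1-1
  Version table:
     1.1-1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
 *** 1.0-1 0
        100 /var/lib/dpkg/status'

# Constructed sample: package not installed at all.
SAMPLE_NONE='otherpkg:
  Installed: (none)
  Candidate: 3.0-1
  Version table:
     3.0-1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages'

# Print one classification line for a captured policy output.
classify_policy() {
    comp=$(printf '%s\n' "$1" | repo_component)
    printf '%-10s %-22s %s\n' "$(printf '%s\n' "$1" | head -n 1)" "$comp" "$(support_status "$comp")"
}

# Assumed wiring for a real Ubuntu 14.04 system (not run here; needs dpkg/apt):
# walk every installed package and report which component it came from.
audit_installed() {
    dpkg-query -W -f='${Package}\n' | while read -r pkg; do
        comp=$(apt-cache policy "$pkg" | repo_component)
        printf '%-30s %-22s %s\n' "$pkg" "$comp" "$(support_status "$comp")"
    done
}

classify_policy "$SAMPLE_UNIVERSE"
classify_policy "$SAMPLE_MAIN"
classify_policy "$SAMPLE_ORPHAN"
classify_policy "$SAMPLE_NONE"
```

On a real box, `audit_installed | grep -v 'supported by Canonical'` lists everything whose security updates depend on a community packager stepping up, which is exactly the ownCloud situation the article describes.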

The dark side of community-supported development
The Ubuntu community--in this case, whoever uploaded and packaged the software in the first place--is responsible for putting together updated, secure ownCloud packages so users can get those security updates.

The community packager who was maintaining the ownCloud package seems to have lost interest: no update has been issued since January, and there's no indication one will be.

This is a dark, hidden truth about the way most Linux distributions' software repositories work. You're dependent on a community member to get you any security updates, and they have no real obligation to you. They may move onto something else and leave vulnerable software on your system.

As Canonical's Marc Deslauriers explained on the mailing list: "The owncloud package in Ubuntu is in universe, which means it's maintained by the Ubuntu community. Someone needs to step up and take care of it. If nobody does that, then it unfortunately stays the way it is."

ownCloud and Ubuntu go back-and-forth
To fix this problem, ownCloud took the highly unusual step of sending a message on the Ubuntu mailing list, asking the Ubuntu developers to remove the package from the repositories. They have no legal right to demand this, of course--it's open-source software. But they'd like to prevent their users from using this old, vulnerable software.
