Their proposal seemed simple. After all, Ubuntu's developers could issue a new version of the package that was entirely empty. OwnCloud would be removed when a user updated their system. Those users could then install ownCloud from the packages ownCloud provides for Ubuntu, which are built by the openSUSE Build Service. ownCloud would then be responsible for delivering security updates to its users in a timely fashion.
Ubuntu's developers initially balked at this. Why, this isn't the way the system works! The package is now locked-in for the stable release and shouldn't have any major changes, even though it's a fundamentally insecure piece of server software. Actually removing it would be highly unusual. They proposed that ownCloud should take over maintenance of the ownCloud packages in Ubuntu and keep them up-to-date. At the very least, it was ownCloud's job to create an empty package and go through the bureaucratic process to push it out.
OwnCloud's developers thought this was crazy. They want to focus on creating software, and they already provide a single place where Linux users can get packages and updates for various Linux distributions. They don't want to spend time packaging their software for a myriad of different Linux distributions and maintaining it in various different repositories. As ownCloud's Lukas Reschke explained:
"From my side, my work is done here, I have informed the responsible persons via multiple channels and if they have no intentions to fix the problems on their own we can very well life (sic) with that and will just add a big security warning to our installation guide."
During the back-and-forth, Ubuntu users were left with that old, vulnerable server software for weeks longer.
OwnCloud isn't in Ubuntu 14.10's repositories, but it is in Ubuntu 14.04's repositories. Thankfully, Ubuntu is now in the process of pushing out an empty package to remove the vulnerable version of ownCloud. Kubuntu's Jonathan Riddell stepped up to do the necessary work, defusing the situation.
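For an administrator caught in the middle of a dispute like this, the practical question is whether the ownCloud on a given server is still the distribution's stale package or the vendor's, and whether apt is already offering the replacement (an empty transitional package shows up as a newer candidate version of the same package name). The following script, added here as an example and not taken from the article, from Ubuntu or from ownCloud, parses the output of `apt-cache policy <package>` and answers both questions. The two policy dumps embedded in it are constructed, the version strings and repository paths are placeholders, and the `VENDOR_HOSTS` set is an assumption, since the article only says the vendor packages are built by the openSUSE Build Service.

```python
"""Work out where an installed package really comes from, using the
output of `apt-cache policy <package>`.

Added example; not code from the article, Ubuntu or ownCloud. The policy
dumps below are constructed, and the version strings, repository paths and
VENDOR_HOSTS are placeholders, not real release data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumption: the vendor repository is served from this host.
VENDOR_HOSTS = {"download.opensuse.org"}

# Constructed sample: the distribution's own (stale) package is installed.
SAMPLE_DISTRO = """\
owncloud:
  Installed: 1.0.0-1ubuntu1
  Candidate: 1.0.0-1ubuntu1
  Version table:
 *** 1.0.0-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status
"""

# Constructed sample: a newer vendor package is installed over the distro one.
SAMPLE_VENDOR = """\
owncloud:
  Installed: 2.0.0-1
  Candidate: 2.0.0-1
  Version table:
 *** 2.0.0-1 0
        500 http://download.opensuse.org/repositories/ownCloud/xUbuntu_14.04/ ./ Packages
        100 /var/lib/dpkg/status
     1.0.0-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
"""


@dataclass
class PolicyReport:
    package: str
    installed: Optional[str]
    candidate: Optional[str]
    # version -> sources carrying it (repository URIs or the dpkg status path)
    origins: Dict[str, List[str]] = field(default_factory=dict)


def _version_or_none(value: str) -> Optional[str]:
    value = value.strip()
    return None if value == "(none)" else value


def parse_policy(text: str) -> PolicyReport:
    """Parse `apt-cache policy <pkg>` output into a PolicyReport."""
    lines = text.splitlines()
    report = PolicyReport(package=lines[0].strip().rstrip(":"), installed=None, candidate=None)
    in_table = False
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if line.startswith("Installed:"):
            report.installed = _version_or_none(line.split(":", 1)[1])
        elif line.startswith("Candidate:"):
            report.candidate = _version_or_none(line.split(":", 1)[1])
        elif line.startswith("Version table:"):
            in_table = True
        elif in_table and line:
            tokens = line.lstrip("*").split()
            # Version entry: "<version> <pin-priority>", installed one marked "***".
            if len(tokens) == 2 and tokens[1].isdigit() and not tokens[0].isdigit():
                current = tokens[0]
                report.origins.setdefault(current, [])
            # Source entry: "<priority> <uri-or-path> ...".
            elif len(tokens) >= 2 and tokens[0].isdigit() and current is not None:
                report.origins[current].append(tokens[1])
    return report


def installed_origins(report: PolicyReport) -> List[str]:
    """Remote sources carrying the installed version (local dpkg database excluded)."""
    if report.installed is None:
        return []
    return [o for o in report.origins.get(report.installed, []) if "://" in o]


def served_by_vendor(report: PolicyReport, vendor_hosts=VENDOR_HOSTS) -> bool:
    """True when the installed version is available from a vendor host."""
    return any(urlparse(o).hostname in vendor_hosts for o in installed_origins(report))


def upgrade_pending(report: PolicyReport) -> bool:
    """True when apt would install a different version on the next upgrade,
    for example the empty transitional package that removes the old one."""
    return report.installed is not None and report.candidate != report.installed


def audit(text: str, vendor_hosts=VENDOR_HOSTS) -> str:
    """One-line verdict for a policy dump."""
    report = parse_policy(text)
    if report.installed is None:
        return f"{report.package}: not installed"
    if served_by_vendor(report, vendor_hosts):
        return f"{report.package} {report.installed}: installed from vendor repository"
    if upgrade_pending(report):
        return f"{report.package} {report.installed}: distro package, update to {report.candidate} pending"
    return f"{report.package} {report.installed}: distro package only, no update offered"


if __name__ == "__main__":
    for sample in (SAMPLE_DISTRO, SAMPLE_VENDOR):
        print(audit(sample))
```

On a real host, feed it the live output (`apt-cache policy owncloud`) instead of the embedded samples; the distinction it draws, a package whose only remote source is the distribution archive versus one served by the vendor, is exactly the gap the article describes, and "update pending" is what the empty transitional package looks like from the user's side once Ubuntu publishes it.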
This happens regularly
This isn't a one-time problem, although it is a big deal this time because it's a piece of server software we're talking about--software that's exposed directly to the Internet where it could be compromised.
In the past, I have personally reported several security bugs directly to Ubuntu in Launchpad. In the most egregious case, the version of Java added to the Multiverse repository in partnership with Sun--complete with glowing talk in the media about how Sun was "working directly in partnership with Canonical" on the packaging--was left as an old, vulnerable package. Ubuntu just didn't think it was their job to provide updated, secure versions of Java for the current Ubuntu release, even when they released that security update for the future, in-development releases of Ubuntu. Here's the sad bug report from 2007.