On 2014-10-22 12:35 PM, Lukas Reschke wrote:
> Marc, I'm somewhat confused by that reply; so it is actually Ubuntu's stance to include totally outdated software with known security vulnerabilities.
The owncloud package in Ubuntu is in universe, which means it's maintained by
the Ubuntu community. Someone needs to step up and take care of it. If nobody
does that, then it unfortunately stays the way it is.
> If upstream complains then you're going to force upstream to provide patches? At least for me that sounds really unusual.
I'm not forcing you to do anything. If you want the packages to be fixed or
removed, someone needs to do it. Perhaps try and find a volunteer?
>
> While we're pretty much Ubuntu fans here, doing the packaging for every distribution would just be way too much time for us. That's why we have even created our own repositories at OBS: to be completely independent with our releases. ownCloud is evolving really fast and it doesn't really make much sense to freeze versions at the moment :-)
>
> Our only intention here is to prevent Ubuntu and ownCloud users from using insecure versions and being at risk unnecessarily. I think this has the potential to harm both our reputations and we should work together to resolve this.
As I said, it's not possible to simply remove the package once a release has
been made. I've listed the different options that are available to get this
resolved. All of them require some work.
> From my side, my work is done here. I have informed the responsible persons via multiple channels and if they have no intention to fix the problems on their own we can very well live with that and will just add a big security warning to our installation guide. That will take much less time to do and has the same result for us.
>
> I want to use this opportunity to state that with other distributions (such as Debian) it was absolutely not a problem to get the frozen packages removed.
It was removed before Wheezy came out. We can likely do the same with Utopic,
I've just pinged someone to see if it can be removed in time.
> Debian is currently only shipping the newest ownCloud version via their backports.
Actually, Debian seems to have reintroduced the ownCloud package, and it is now
available in jessie and sid.
>
> If there is anything I can do to have this resolved in another way without investing hours to fix packages, I'm open to any suggestion. I do not really want to add a warning to our installation guide, but if this is the only way to protect our users I'll do it.
Someone has to step up and invest the hours required to go through the usual
procedures to fix the current packages, either by updating them, or by replacing
them with empty packages. If you're not willing to do that, you'll need to find
someone who will.
Is there anyone on this list who would like to volunteer?
Marc.
>
> Thanks,
> Lukas
>
>
>> On 22 Oct 2014, at 17:16, Marc Deslauriers <marc.deslauriers@canonical.com> wrote:
>>
>> As I mentioned to you by email, it's not possible to remove packages from the
>> Ubuntu archive release pocket.
>>
>> You can do one of the following things:
>>
>> 1- Create updated packages for older releases and get them approved by the SRU team.
>>
>> Procedure: https://wiki.ubuntu.com/StableReleaseUpdates
>>
>>
>> 2- Backport specific security fixes to the versions that shipped and get them
>> sponsored by the security team.
>>
>> Procedure: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
>>
>>
>> 3- Create package updates that basically remove all functionality (i.e. an empty
>> package). This has a serious impact on users and would possibly need to get
>> accepted by the SRU team or the technical board before it would get approved
>> into the archive.
>>
>> Does anyone from the SRU team care to comment on what would be acceptable?
>>
>> Marc.
>
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel