ownCloud should be removed

Bug #1384355 reported by Marc Deslauriers on 2014-10-22
286
This bug affects 5 people
Affects Status Importance Assigned to Milestone
owncloud (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Trusty
Undecided
Unassigned
Utopic
Undecided
Unassigned

Bug Description

Upstream ownCloud developer Lukas Reschke has requested that the ownCloud packages be removed from Ubuntu.

Please remove the ownCloud package from Utopic, and put the sync blacklist in place.

See:
https://lists.ubuntu.com/archives/ubuntu-devel/2014-October/038516.html

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in owncloud (Ubuntu):
status: New → Confirmed
Jonathan Riddell (jr) wrote :

package removed from utopic and blacklisted.

Changed in owncloud (Ubuntu Utopic):
status: New → Fix Released
Jonathan Riddell (jr) wrote :

Uploaded to precise
owncloud_5.0.4debian-0ubuntu1~ubuntu12.04.1
and to trusty
owncloud_6.0.1+dfsg-1ubuntu1.1

awaiting approval from ~ubuntu-sru

These updates remove the owncloud package and point to the OBS package or the Juju charm.

TEST CASE:
Install owncloud
check you can view it through a web browser
upgrade to this update
when you view it through a web browser you should get a static page which points to OBS or juju

Changed in owncloud (Ubuntu Precise):
status: New → Fix Committed
Changed in owncloud (Ubuntu Trusty):
status: New → Fix Committed
Jonathan Riddell (jr) on 2014-10-28
summary: - ownCloud should be removed from Utopic
+ ownCloud should be removed
Martin Pitt (pitti) wrote :

This looks good to me, thanks! I wonder if we should turn the owncloud-{mysql,sqlite} packages into empty ones too? Might be confusing otherwise? But fine to approve as-is as well (with my tech board hat on).

Thanks for these updates!

Steve Langasek (vorlon) wrote :

The SRU making this a stub package should include a debconf note, so that users know at the time they install the package that the functionality has been removed. This should not be left for the admin to identify post-upgrade.

Charles Peters II (cp) wrote :

First I should note that we could use Debian's packages as a start for updating these packages. http://snapshot.debian.org/package/owncloud/

Debian versions available:
5.0.13+dfsg-2 or 5.0.14.a+dfsg-1
6.0.4+dfsg-1 or 6.0.3+dfsg-2

Ubuntu versions:
6.0.1+dfsg-1ubuntu1 trusty
5.0.4debian-0ubuntu1~ubuntu12.04 precise

Owncloud versions with release dates:
Version 7.0.2 August 28th 2014
Version 6.0.5 August 28th 2014
Version 5.0.17 June 23rd 2014

The proposed package suggests updating with OBS or juju and that would upgrade to either 7.0.1 (juju) or 7.0.2 (OBS) depending on the choice.
The 5.x and 6.x versions of owncloud still have supported upstream packages which are less likely to break things:
http://download.opensuse.org/repositories/isv:/ownCloud:/community:/5.0/xUbuntu_12.04/
http://download.opensuse.org/repositories/isv:/ownCloud:/community:/6.0/xUbuntu_14.04/

The trusty package also points to https://jujucharms.com/precise/owncloud/. One might wonder if the juju charm won't work for trusty.

I have tried to identify the CVE patch sets without much success thus far.

Support for the 5.x series will likely be ending within 6 months and it will require more work to update security patches included in 5.0.17.

Would the SRU team accept an updated package based on the Debian's 6.0.4+dfsg-1 package for trusty?

Charles Peters II (cp) wrote :

I should correct one error:
Owncloud 6.0.6 was released Oct 22. 2014

https://owncloud.org/releases/Changelog shows something different than https://owncloud.org/releases/Changelog. Sorry for the error.

Charles Peters II (cp) wrote :

Sorry for the errors...
https://owncloud.org/releases/Changelog shows the Release "6.0.6" Oct 22. 2014
https://owncloud.org/changelog/ shows Version 6.0.5 August 28th 2014

Jonathan Riddell (jr) wrote :

I've reuploaded added a debconf setting to tell the user that it has been removed on install

I don't think it's practical to update these packages, I've tried and you just get lost in a maze of twisty dependencies all alike because owncloud likes to ship many dependencies as part of the package.

Hello Marc, or anyone else affected,

Accepted owncloud into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/owncloud/6.0.1+dfsg-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Chris J Arges (arges) wrote :

Hello Marc, or anyone else affected,

Accepted owncloud into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/owncloud/5.0.4debian-0ubuntu1~ubuntu12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of owncloud from trusty-proposed was performed and bug 1390947 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and tag 1390947 "bot-stop-nagging". Thanks!

tags: added: verification-failed
Jonathan Riddell (jr) wrote :

I tried to upgrade in trusty and indeed apt hangs when reloading apache after the upgrade. I just used apt full-upgrade on the terminal. More investigation needed.

Jonathan Riddell (jr) wrote :

New owncloud 6.0.1+dfsg-1ubuntu1.2 uploaded to trusty-proposed, in unapproved queue awaiting approval by ~ubuntu-sru. This removes any apache config in the postinst script which is now irrelevant and was causing the hang in apt.

I have tested precise by settings up a virtualbox precise install of kubuntu, installing owncloud and viewing it through a web browser. I then installed 5.0.4debian-0ubuntu1~ubuntu12.04.1 from precise-proposed. It notified me via debconf that it was gone and reload the web browser showed a message saying it was gone.

Hello Marc, or anyone else affected,

Accepted owncloud into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/owncloud/6.0.1+dfsg-1ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: removed: verification-failed
Mathew Hodson (mathew-hodson) wrote :

Tagging verification for precise done based on comment #14.

tags: added: verification-done-precise verification-needed-trusty
removed: verification-needed
Chris J Arges (arges) wrote :

Looking for somebody to test trusty/proposed before this gets released. Thanks!

Jonathan Riddell (jr) wrote :

I made a new ec2 server running Ubuntu Trusty and installed owncloud on it. I could set up owncloud and log in.

I then enabled trusty-proposed and installed owncloud 6.0.1+dfsg-1ubuntu1.2.

It successfully gave me the debconf notice that it was removed. Looking at the owncloud web page again it showed me the notice that it had been removed.

successful removing in trusty

tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package owncloud - 6.0.1+dfsg-1ubuntu1.2

---------------
owncloud (6.0.1+dfsg-1ubuntu1.2) trusty; urgency=medium

  * SRU: remove ownCloud package due to request from upstream
    this package has security issues which can not easily
    be updated in the Ubuntu archive. LP: #1384355
 -- Jonathan Riddell <email address hidden> Mon, 27 Oct 2014 16:50:38 +0100

Changed in owncloud (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for owncloud has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package owncloud - 5.0.4debian-0ubuntu1~ubuntu12.04.1

---------------
owncloud (5.0.4debian-0ubuntu1~ubuntu12.04.1) precise; urgency=medium

  * SRU: remove ownCloud package due to request from upstream
    this package has security issues which can not easily
    be updated in the Ubuntu archive. LP: #1384355
 -- Jonathan Riddell <email address hidden> Mon, 27 Oct 2014 17:36:59 +0100

Changed in owncloud (Ubuntu Precise):
status: Fix Committed → Fix Released
EJO1974 (ejo1974) wrote :

Thank you for removing an unsafe package from my server where I accidentally installed the repository version instead of the version from Suse servers!

But no thanks (except for this report which I of course never saw before) for no warning of any kind this was about to happen and absolutely no thanks for including the data folder including all files (documents etc.) which were stored by users on this server.

Wasn't it possible to just replace the landing page location for the https://host/owncloud so end users could migrate their information in a normal way instead of simply destroying all data stored in the Owncloud folders?

To me this looks very much like a "cowboy action"...

Felix Geyer (debfx) wrote :

Your data is still in /var/lib/owncloud/data/

Logan Rosen (logan) on 2014-12-13
Changed in owncloud (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers