ownCloud should be removed

Status changed to 'Confirmed' because the bug affects multiple users.

package removed from utopic and blacklisted.

Uploaded to precise
owncloud_5.0.4debian-0ubuntu1~ubuntu12.04.1
and to trusty
owncloud_6.0.1+dfsg-1ubuntu1.1

awaiting approval from ~ubuntu-sru

These updates remove the owncloud package and point to the OBS package or the Juju charm.

TEST CASE:
Install owncloud
check you can view it through a web browser
upgrade to this update
when you view it through a web browser you should get a static page which points to OBS or juju

This looks good to me, thanks! I wonder if we should turn the owncloud-{mysql,sqlite} packages into empty ones too? Might be confusing otherwise? But fine to approve as-is as well (with my tech board hat on).

Thanks for these updates!

The SRU making this a stub package should include a debconf note, so that users know at the time they install the package that the functionality has been removed. This should not be left for the admin to identify post-upgrade.

First I should note that we could use Debian's packages as a start for updating these packages. http://snapshot.debian.org/package/owncloud/

Debian versions available:
5.0.13+dfsg-2 or 5.0.14.a+dfsg-1
6.0.4+dfsg-1 or 6.0.3+dfsg-2

Ubuntu versions:
6.0.1+dfsg-1ubuntu1 trusty
5.0.4debian-0ubuntu1~ubuntu12.04 precise

Owncloud versions with release dates:
Version 7.0.2 August 28th 2014
Version 6.0.5 August 28th 2014
Version 5.0.17 June 23rd 2014

The proposed package suggests updating with OBS or juju and that would upgrade to either 7.0.1 (juju) or 7.0.2 (OBS) depending on the choice.
The 5.x and 6.x versions of owncloud still have supported upstream packages which are less likely to break things:
http://download.opensuse.org/repositories/isv:/ownCloud:/community:/5.0/xUbuntu_12.04/
http://download.opensuse.org/repositories/isv:/ownCloud:/community:/6.0/xUbuntu_14.04/

The trusty package also points to https://jujucharms.com/precise/owncloud/. One might wonder if the juju charm won't work for trusty.

I have tried to identify the CVE patch sets without much success thus far.

Support for the 5.x series will likely be ending within 6 months and it will require more work to update security patches included in 5.0.17.

Would the SRU team accept an updated package based on the Debian's 6.0.4+dfsg-1 package for trusty?

I should correct one error:
Owncloud 6.0.6 was released Oct 22. 2014

https://owncloud.org/releases/Changelog shows something different than https://owncloud.org/releases/Changelog. Sorry for the error.

Sorry for the errors...
https://owncloud.org/releases/Changelog shows the Release "6.0.6" Oct 22. 2014
https://owncloud.org/changelog/ shows Version 6.0.5 August 28th 2014

I've reuploaded added a debconf setting to tell the user that it has been removed on install

I don't think it's practical to update these packages, I've tried and you just get lost in a maze of twisty dependencies all alike because owncloud likes to ship many dependencies as part of the package.

Hello Marc, or anyone else affected,

Accepted owncloud into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/owncloud/6.0.1+dfsg-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Marc, or anyone else affected,

Accepted owncloud into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/owncloud/5.0.4debian-0ubuntu1~ubuntu12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of owncloud from trusty-proposed was performed and bug 1390947 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and tag 1390947 "bot-stop-nagging". Thanks!

I tried to upgrade in trusty and indeed apt hangs when reloading apache after the upgrade. I just used apt full-upgrade on the terminal. More investigation needed.

New owncloud 6.0.1+dfsg-1ubuntu1.2 uploaded to trusty-proposed, in unapproved queue awaiting approval by ~ubuntu-sru. This removes any apache config in the postinst script which is now irrelevant and was causing the hang in apt.

I have tested precise by settings up a virtualbox precise install of kubuntu, installing owncloud and viewing it through a web browser. I then installed 5.0.4debian-0ubuntu1~ubuntu12.04.1 from precise-proposed. It notified me via debconf that it was gone and reload the web browser showed a message saying it was gone.

Hello Marc, or anyone else affected,

Accepted owncloud into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/owncloud/6.0.1+dfsg-1ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Tagging verification for precise done based on comment #14.

Looking for somebody to test trusty/proposed before this gets released. Thanks!

I made a new ec2 server running Ubuntu Trusty and installed owncloud on it. I could set up owncloud and log in.

I then enabled trusty-proposed and installed owncloud 6.0.1+dfsg-1ubuntu1.2.

It successfully gave me the debconf notice that it was removed. Looking at the owncloud web page again it showed me the notice that it had been removed.

successful removing in trusty

This bug was fixed in the package owncloud - 6.0.1+dfsg-1ubuntu1.2

---------------
owncloud (6.0.1+dfsg-1ubuntu1.2) trusty; urgency=medium

  * SRU: remove ownCloud package due to request from upstream
    this package has security issues which can not easily
    be updated in the Ubuntu archive. LP: #1384355
 -- Jonathan Riddell <email address hidden> Mon, 27 Oct 2014 16:50:38 +0100

The verification of the Stable Release Update for owncloud has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package owncloud - 5.0.4debian-0ubuntu1~ubuntu12.04.1

---------------
owncloud (5.0.4debian-0ubuntu1~ubuntu12.04.1) precise; urgency=medium

  * SRU: remove ownCloud package due to request from upstream
    this package has security issues which can not easily
    be updated in the Ubuntu archive. LP: #1384355
 -- Jonathan Riddell <email address hidden> Mon, 27 Oct 2014 17:36:59 +0100

Thank you for removing an unsafe package from my server where I accidentally installed the repository version instead of the version from Suse servers!

But no thanks (except for this report which I of course never saw before) for no warning of any kind this was about to happen and absolutely no thanks for including the data folder including all files (documents etc.) which were stored by users on this server.

Wasn't it possible to just replace the landing page location for the https://host/owncloud so end users could migrate their information in a normal way instead of simply destroying all data stored in the Owncloud folders?

To me this looks very much like a "cowboy action"...

Your data is still in /var/lib/owncloud/data/