[Owncloud] daily builds

Daniel Molkentin danimo at owncloud.com
Tue Oct 9 13:23:43 UTC 2012


On 10/09/2012 03:13 PM, Klaas Freitag wrote:
> On 09.10.2012 14:48, Lukas Reschke wrote:
>> Hi,
>> In the past we had multiple serious security vulnerabilities and we
>> sometimes needed 2 weeks to release a new version. This is horrible!
> Hmm, I am not an expert in this space, but from my former life I know 
> that it often took way longer to prepare security updates for known 
> problems in the distros, but the CVEs were very well kept secret.
>
> Can somebody briefly explain or point to docs on what the usual 
> proceeding is if somebody discovers or silently reports a security 
> hole to a closed list like this? Or what our idea of an ideal process 
> would be?

Lukas has written it down somewhere. He might know the URL.

>> Another point is that our users are often using old versions, we should
>> really show a **BIG** update warning like Wordpress does. Just check
>> yourself how many people use old versions:
>> http://goo.gl/u6URG
> Well, there are two principal ways to deal with that:
> 1. owncloud tells the admin that it's old and offers to update itself
> 2. we work with the distributors to quickly provide updates.

Also, bigger companies usually go with a dev/stage/prod 3-tier setup. 
They usually cannot just press an update button without ruining things. 
But that should not be our primary concern. Let's be pragmatic. For 
instance, Google Chrome packages (even if installed manually) add a 
repo and a cron job that pulls only that particular repo for updates, 
thus making sure that the latest version is applied. I'd like to see 
something like this for ownCloud (even if optional).

> Probably we will strive for 1. but have to help with 2. as well. 1. is 
> very dangerous and needs deep testing. So easier for us is 2.
> Hmm, will it? We (the client) need to know and consider that. And if 
> we apply changes here, we should also rename it to status.txt, i.e. not 
> require php to get it.

Yes, we kind of decided that over your head. The reason is that it's 
quite a bad case of information disclosure. The client, in the future, 
will need to authenticate first, then check the file. We can then also 
use it for more elaborate client policy stuff, since we know the user 
it's targeted for. It would then not be a txt file either.

PS: Someone please set this list to list-reply...

-- 
www.owncloud.com - Your Data, Your Cloud, Your Way!

ownCloud GmbH, GF: Markus Rex, Holger Dyroff
Schloßäckerstrasse 26a, 90443 Nürnberg, HRB 28050 (AG Nürnberg)

