Unfortunately, the article links to the b.m. Nextcloud Security Scan page with outdated NC 13 docs.
Luckily, since 2019-11-26 the a.m. scan page has a link to the latest docs.
NOTE: The URL input field of the Nextcloud Security Scan page seems to be correct and one can get an actual security report as should be appropriate. However, the line âhardening tips in our hardening guideâ of same page is pointing to outdated content.
This is rather unfortunate and may hurt the security awareness of the NC user community.
Obviously, Nextcloud at least sometimes appears as if far too lazy in updating their online documentation and this can be quite misleading.
Only today I became aware of this unfortunate situation after lending a hand to someone calling for protection against brute-force attacks who was following outdated documentation apparently.
@Jospoortvliet I would hope that both the user community and Nextcloud GmbH seek to improve this situation as soon as possible and as sustainable as reasonable.
@Paradox55 Thank you. However, I addressed this in the a.m. advice already.
Do not hesitate to either establish a new thread in the bruceforcsettings category yourself or make a comment to my proposals there. I am happy to learn & improve.
Note that on every doc page on the top right there is a link where you (âthe user communityâ) can improve the documentation (âEdit on GitHubâ). Thanks!
Thank you. I am aware of this and did some little contrib of my own in the past already. You could until today find this merged in some admin manual and other pages, presumably.
In principle maybe yes. In practice I cannot consent and see the responsibility at Nextcloud GmbH as a business and the acc. P&R and IT Sec personal involved. Nevertheless I took the effort to CC one of them specifically in the above already or did you miss this detail?
BTW do not blame the messenger.
Addendum
I gave it a try and it did not check out for me.
The page https://scan.nextcloud.com/ is located on a server of its own and outside the Wordpress GitHub structure of nextcloud/nextcloud.com apparently. Me briefly scanning GitHub was not helping or I am too lazy.
@j-ed I am an imbecile and not worth to commit as mentioned above.
q.e.d.
scan.nextcloud.com doesnât seem to have a high priority. It can be very useful (e.g. like the certificate check at ssllabs) but only if it is working⊠we shouldnât have feature that we are not able to maintain.
Documentation is a good point. There was even a talk about it on the last conference:
Even if new features are announced and some time available, there is nothing or very little about them in the documentation (e.g. end-to-end encryption).
@tflidd â Thank you for your fair and reasonable answer.
However, learning the below from a presumed member of Nextcloud GmbH and ourcommunity leader of this forum:
And learning this from a.m. web page of Nextcloud GmbH currently::
Check the security of your private Nextcloud server
Privacy does not exist without security.
To help you keep your data yours, this scan analyzes the
security of your server and gives you an overview of what to improve.
I feel some obligation in my private capacity a a member of this home user forum and may stress my current concern again by a rephrase:
By scan.nextcloud.com one by official invitation of Nextcloud GmbH can get a security audit report. However, the line âhardening tips in our hardening guideâ of same page is pointing home users and admins of private NC servers to outdated content which may hurt the security awareness of the NC user community.
NC 13 as linked by a.m. URL is clearly outdated and not supported any more, apparently
This is rather unfortunate and Nextcloud GmbH should provide the appropriate update to the a.m. official online content in due time at their earliest convenience.
I am just a community member and this is just an impression I got from the official discussions and bug reports on public feedback.
Donât expect too much. Itâs just supposed to checks things that are visible from outside, e.g. if the version is up to date and if the data-folder is not readable. You could still run unpatched php versions, run an openly accessible database, weak passwords, âŠ
If the feature is kept in future versions, an update for each version should be part of the release procedure, like it was on the list in the past:
As the most deployed self-hosted file sync and content collaboration platform, Nextcloud offers the widest range of add-on capabilities and integrations in the industry. https://nextcloud.com/compare/
In the Nextcloud community, participants from all over the world come together to create Free Software for a free internet. This is made possible by the support, hard work and enthusiasm of thousands of people, including those who create and use Nextcloud software.
As a contributor, ensure that you give full credit for the work of others and bear in mind how your changes affect others. It is also expected that you try to follow the development schedule and guidelines.
What do you suggest? A quick scan from outside can reveal some basic stuff, not detailed configuration problems or permission settings. A deeper scan could get legally difficult, and even then itâs doubtful. Itâs more efficient to check directly on the system with on-board tools and then itâs quickly more general than just Nextcloud and more about how to secure a linux webserver.
@tflidd - - The webadmin should update the page â(C) 2018 â (C) 2019â and repair the link (NC 13 â NC 16).
Hi there, always good to have a lively discussion.
IMHO your technical analysis is quite correct and the scan service provided by Nextcloud GmbH seems to be reasonable. Please note I never gave any concern of my own on these aspects.
IMHO by mainly (or may I say: only?) addressing the technical aspects of the a.m. scan itself you may have almost completely misunderstood my approach from the beginning. Unfortunately, you may have missed my several core points, which â without any difference in priority by the below sequence â are:
The a.m. URL shows a page which is outdated (e.g., (C) 2018) and providing a quite misleading link to completely outdated NC 13 documentation.
As a home user when âexpected that you try to follow the ⊠guidelinesâ one may stick to the letter and thus may fall into the trap of outdated documentation, false advice and outdated links, unfortunately.
Nextcloud being a prospering FOSS project by âhard work and enthusiasm of thousands of peopleâ can become a sustainable success by always seeking to improve where reasonable, I presume.
My standing concern as well as my recent reply to your âDonât expect too much?â was not intended to question your expertise or the expertise of Nextcloud GmbH or others. IMHO there is no need to defend anything and this is a free world. However, a real world with real challenges and with utter facts like good ambitions paired with too many requests and too few resources or else mishaps. Marketing may advertise the some job but generally shall not define the job to devs or the business as a whole, I presume.
No offence and please let me ask you again freely and openly:
Would you call my a.m. concern unreasonable and a solution being not feasible by the web admin responsible in handling the many Nextcloud GmbH advertising and marketing online pages?
I guess you wouldnâtâŠ
@kesselb â Hi good proposal and did you establish an issue?
IMHO this good idea may be misleading, unfortunately. Please note your proposal is not new to me and the last time I was not alone in the assumption that the issue cannot be placed as was expected. Furthermore, you may learn of my CC to a marketing person of the Nextcloud GmbH in the beginning of this thread. Please take the effort and read my thread as a whole, if I may.
AFAIK the a.m. page is outside the context of this repo due to:
@kesselb â Please be aware I was pinging at somebody in the background for some time already. And about eight (8) days ago I got a nice and friendly reply from Nextcloud GmbH and they assured me that somebody will address my a.m. issues and will check the web page accordingly.
As already written in this forum multiple times, you have to press the âtrigger re-scanâ-button and reload the page to get the right version displayed. The date stamp in front of the button shows from what date the displayed information is, like e.g.:
