Beware of falling into the trap of outdated docs and false advice

You could give it a try GitHub - nextcloud/nextcloud.com: 🌏 Our website :wink:

1 Like

@j-ed Did you?

:smiling_imp:

In principle maybe yes. In practice I cannot consent and see the responsibility at Nextcloud GmbH as a business and the acc. P&R and IT Sec personnel involved. Nevertheless I took the effort to CC one of them specifically in the above already, or did you miss this detail?
:smirk:

BTW do not blame the messenger.
:innocent:


Addendum

I gave it a try and it did not check out for me.

The page https://scan.nextcloud.com/ is located on a server of its own and apparently outside the WordPress GitHub structure of nextcloud/nextcloud.com. My brief scan of GitHub did not help, or I am too lazy.

@j-ed I am an imbecile and not worthy to commit as mentioned above.
q.e.d.
:innocent:

3 Likes

scan.nextcloud.com doesn’t seem to have a high priority. It can be very useful (e.g. like the certificate check at ssllabs) but only if it is working… we shouldn’t have features that we are not able to maintain.

Documentation is a good point. There was even a talk about it on the last conference:

(https://www.youtube.com/watch?v=Cpug8Iqw3f8)

Even if new features are announced and some time available, there is nothing or very little about them in the documentation (e.g. end-to-end encryption).

1 Like

@tflidd — Thank you for your fair and reasonable answer.

However, learning the below from a presumed member of Nextcloud GmbH and our community leader of this forum:

And learning this from a.m. web page of Nextcloud GmbH currently:

Check the security of your private Nextcloud server

Privacy does not exist without security.
To help you keep your data yours, this scan analyzes the
security of your server and gives you an overview of what to improve.

I feel some obligation in my private capacity as a member of this home user forum and may stress my current concern again by rephrasing it:

Via scan.nextcloud.com, by official invitation of Nextcloud GmbH, one can get a security audit report. However, the line “hardening tips in our hardening guide” on the same page is pointing home users and admins of private NC servers to outdated content, which may hurt the security awareness of the NC user community.

This is rather unfortunate and Nextcloud GmbH should provide the appropriate update to the a.m. official online content in due time at their earliest convenience.

CC @j-ed @jospoortvliet

I am just a community member and this is just an impression I got from the official discussions and bug reports on public feedback.

Don’t expect too much. It’s just supposed to check things that are visible from outside, e.g. if the version is up to date and if the data folder is not readable. You could still run unpatched PHP versions, run an openly accessible database, use weak passwords, …

If the feature is kept in future versions, an update for each version should be part of the release procedure, like it was on the list in the past:

1 Like

You say: Don’t expect too much?

As the most deployed self-hosted file sync and content collaboration platform, Nextcloud offers the widest range of add-on capabilities and integrations in the industry.
https://nextcloud.com/compare/

In the Nextcloud community, participants from all over the world come together to create Free Software for a free internet. This is made possible by the support, hard work and enthusiasm of thousands of people, including those who create and use Nextcloud software.

As a contributor, ensure that you give full credit for the work of others and bear in mind how your changes affect others. It is also expected that you try to follow the development schedule and guidelines.

Nextcloud code of conduct

Come on, yes we can. Stay positive and meet the endeavours, I would say.

Happy hacking.
:sunflower:

What do you suggest? A quick scan from outside can reveal some basic stuff, not detailed configuration problems or permission settings. A deeper scan could get legally difficult, and even then it’s doubtful. It’s more efficient to check directly on the system with on-board tools, and then it’s quickly more general than just Nextcloud and more about how to secure a Linux web server.

1 Like

@tflidd - - The webadmin should update the page “(C) 2018 → (C) 2019” and repair the link (NC 13 → NC 16).

Hi there, always good to have a lively discussion.

IMHO your technical analysis is quite correct and the scan service provided by Nextcloud GmbH seems to be reasonable. Please note I never gave any concern of my own on these aspects.

IMHO by mainly (or may I say: only?) addressing the technical aspects of the a.m. scan itself you may have almost completely misunderstood my approach from the beginning. Unfortunately, you may have missed my several core points, which – without any difference in priority by the below sequence – are:

  1. The a.m. URL shows a page which is outdated (e.g., (C) 2018) and providing a quite misleading link to completely outdated NC 13 documentation.
  2. As a home user when “expected that you try to follow the … guidelines” one may stick to the letter and thus may fall into the trap of outdated documentation, false advice and outdated links, unfortunately.
  3. Nextcloud being a prospering FOSS project by “hard work and enthusiasm of thousands of people” can become a sustainable success by always seeking to improve where reasonable, I presume.

My standing concern as well as my recent reply to your “Don’t expect too much?” was not intended to question your expertise or the expertise of Nextcloud GmbH or others. IMHO there is no need to defend anything and this is a free world. However, a real world with real challenges and with utter facts like good ambitions paired with too many requests and too few resources or else mishaps. Marketing may advertise the job but generally shall not define the job to devs or the business as a whole, I presume.


No offence and please let me ask you again freely and openly:

Would you call my a.m. concern unreasonable and a solution being not feasible by the web admin responsible in handling the many Nextcloud GmbH advertising and marketing online pages?

I guess you wouldn’t…
:nerd_face:


@kesselb – Hi good proposal and did you establish an issue?

IMHO this good idea may be misleading, unfortunately. Please note your proposal is not new to me and the last time I was not alone in the assumption that the issue cannot be placed as was expected. Furthermore, you may learn of my CC to a marketing person of the Nextcloud GmbH in the beginning of this thread. Please take the effort and read my thread as a whole, if I may.

AFAIK the a.m. page is outside the context of this repo due to:

Please do not again blame me and shoot the messenger, if I may.


I admit my growing impression of preaching into the wind and a growing feeling of becoming a little lost here.
:roll_eyes:

Facta non verba.
:face_with_monocle:

Happy hacking.
:sunflower:

Afaik the best place to report issues with scan.nextcloud.com is https://github.com/nextcloud/nextcloud.com/issues. Probably they are prefixed with scan.nextcloud.com: https://github.com/nextcloud/nextcloud.com/issues?utf8=✓&q=is%3Aissue+scan.nextcloud.com.

2 Likes

@kesselb – Please be aware I was pinging at somebody in the background for some time already. And about eight (8) days ago I got a nice and friendly reply from Nextcloud GmbH and they assured me that somebody will address my a.m. issues and will check the web page accordingly.

However, today the page https://scan.nextcloud.com/ is down due to an outdated was updated with both a link to the latest docs & a new certificate.

Good Bad news for NC and not my cup of tea, I presume.
- :roll_eyes: - :smiley:

@tflidd Please do not shoot the messenger (again).
:innocent:


UPDATE: The page is online and the new certificate is valid until 24 February 2020 obviously.
:+1:


Happy hacking.
:sunflower:

https://scan.nextcloud.com/

Certificate is valid again and even the link is now correct.

I’m running Nextcloud snap 17/edge and on version 17.0.1, build date 11-24. This scanner reports that I’m “Running Nextcloud 12.0.0.29”.

As already written in this forum multiple times, you have to press the “trigger re-scan”-button and reload the page to get the right version displayed. The date stamp in front of the button shows from what date the displayed information is, like e.g.:

3 Likes

Maybe you have to click the rescan button? It is located under the test results.

Why can’t it just do it right the first time?

Anyway, will try.

Look, people here already explained several times and the reading of the page is quite fair.
:roll_eyes:

Some Info on the technical background :warning:

One could presume that a first-click immediate scan would bring some confusion to persons reading the report due to the according scanning time and would bring an unreasonable and quite unnecessary workload to the server doing all the extra scans always. Furthermore, the current way of implementation provides anybody a quick result of the existence of a former scan, and usually it would be only the owner of such a cloud instance or some user with a certain interest who would actively trigger a rescan, I presume.
I hope one could follow and understand these technical details.
:lab_coat:

However, for the benefit of this user forum I will seek to explain explicitly:
:nerd_face:


https://cloud.example.com

Running Nextcloud 15.0.4.1 ← Info on NC server version at the time of the last scan

  • Latest patch level ← Info on the patch level at the time of the last scan

  • Major version still supported ← Info on the version at the time of the last scan

  • Scanned at 2018-10-13 02:05:14 ← Info on the date & the time of the last scan.

:arrows_counterclockwise: – trigger rescan ← GUI button to trigger rescan.


IMHO one cannot want much more and the explanations are quite obvious and fairly reasonable.
:nerd_face:

I may reiterate:

  1. You get a brief report of the results at time of the last scan
  2. By using the trigger rescan GUI button one gets a new report with current results in due time.

IMHO very clear and quite informative and last but not least a free service.
:innocent:

Happy hacking.
:sunflower:
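The report above shows results from the last cached scan, not from now, and the earlier post noted the scanner only checks what is visible from outside (e.g. the version). A small sanity check an admin can run before trusting a cached report, added here as an example and not code from Nextcloud or from anyone in this thread: it parses the report text in the layout quoted above, reads the instance's own `/status.json` answer (a real Nextcloud endpoint; the JSON values and the report below are constructed), and flags a stale scan date or a version that no longer matches.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample of what the instance itself answers on /status.json
# (the endpoint is real; these field values are made up for this example).
STATUS_JSON = ('{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
               '"version":"17.0.1.1","versionstring":"17.0.1","edition":"",'
               '"productname":"Nextcloud","extendedSupport":false}')

# Constructed sample of a cached report, in the layout quoted in this thread.
SCAN_REPORT = """https://cloud.example.com
Running Nextcloud 12.0.0.29
  • Latest patch level
  • Major version still supported
  • Scanned at 2018-10-13 02:05:14
"""

# Constructed "today" so the example runs offline and deterministically.
EXAMPLE_NOW = datetime(2019, 11, 25, 10, 0, 0)


def parse_report(text):
    """Extract the version string and the scan timestamp from a cached report."""
    ver = re.search(r"Running Nextcloud (\d+(?:\.\d+)*)", text)
    ts = re.search(r"Scanned at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})", text)
    if not ver or not ts:
        raise ValueError("report does not contain version and scan date")
    return ver.group(1), datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")


def version_tuple(version):
    """Compare versions numerically, so 12.0.0.29 sorts below 17.0.1.1."""
    return tuple(int(part) for part in version.split("."))


def assess(report_text, status_text, now, max_age=timedelta(days=7)):
    """Return the reasons (possibly none) why the cached report is not current."""
    shown_ver, scanned_at = parse_report(report_text)
    live_ver = json.loads(status_text)["version"]
    reasons = []
    if version_tuple(shown_ver) != version_tuple(live_ver):
        reasons.append(f"report shows {shown_ver} but instance reports {live_ver}")
    if now - scanned_at > max_age:
        reasons.append(f"last scan was {(now - scanned_at).days} days ago")
    return reasons  # an empty list means: report is current, no rescan needed


if __name__ == "__main__":
    for reason in assess(SCAN_REPORT, STATUS_JSON, EXAMPLE_NOW):
        print("trigger rescan:", reason)
```

If the list is non-empty, press the “trigger re-scan” button and reload, as explained above.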

:warning:

Similar with false advice ref the Cache in Nextcloud server config:

" Unfortunately the Internet is full of that double backslash comments. "
:nerd_face:

@petervagyok – IMHO an excellent advice. THX !!
:+1:

NOTE to ALL:

Please think first, act second only and always have the protection of your data in mind.
:innocent:


This is the home user forum and although you may ask freely and virtually anything, it may depend on what you get answered for free. Any enterprise should ref. to Nextcloud GmbH as there shall be professional support available:

  1. Customers and Partners (mainly) closed portal — https://portal.nextcloud.com/
  2. An Enterprise Subscription from Nextcloud is available with email and phone support.

NOTE: Please be aware I am not affiliated with Nextcloud GmbH and my views are the free views as both a volunteer and an EU citizen and appear in a private capacity solely.


Happy hacking.
:sunflower:

I am with you on that, but this starts with a simple Google search (something a lot of people will do probably to find information) and here I get several results that are outdated:

It seems like some SEO is needed for that. :grinning:

1 Like

@alfred – Good point.
:+1:

@system – Please note and consider some improvements in your own interest as Nextcloud GmbH, I presume.

Happy hacking.
:sunflower:

FYI