Linux packages status


#24

@jospoortvliet

RHEL (server & client in EPL7 repo)

You probably mean “EPEL” (instead of EPL)? :wink:


#25

@morph027 you state explicitly on the page that your packages are not ‘official’. Now you can argue back and forth on that, but this is a community - you’re undeniably part of it, providing these packages for loads of people, and we have no ‘official’ stamps for packages, pro or con :wink:

You maintain recipes in a public git repo on gitlab, which would be a big requirement if there ever was one for being ‘official’. Another would be getting contributions, having a team - I’m sure you’d welcome PR’s, though.

What I’m saying is - I don’t want to tell you what to do but I kindly suggest the big disclaimer about this not being ‘official’ isn’t really needed… :wink:


#26

Nice to know, going to remove this :wink:

But as said before, with the new updater, packages aren’t necessary anymore IMHO. It just works :wink:


#27

Agreed. But we don’t have automatic updates yet - once we have that I really think it is better if people don’t use packages but use the zip file, from a security point of view…


#28

But it will be impossible to have an automatic updater unless a lot of stuff changes. Right now, if you follow the secure directory guide, it kills the updater from working. You have to log in as root and chown things back to apache. Then you can run the update. Then you have to chown it all back.


#29

Our current security hardening guidelines do not recommend changing ownership or permissions on the files of Nextcloud as the security benefit is largely absent.

See this PR for a bit of information on this. Essentially I believe the issue is that it is so easy to work around the limitation of non-writable application files that it makes no difference while it DOES create a higher barrier to updating which is a far more dangerous situation.

Feel free to engage in the issue above but please provide facts and links to them rather than opinions as this is a well researched topic and Lukas knows his stuff.


#30

FYI I updated the fipo with links to docker, QNAP image and VM… I also linked to it in our install page. It is easier to keep this up to date than the website…


#31

It is not official QNAP store. It is community store. I wouldn’t recommend it for newbies.


#32

Ah, I did not know that, thanks!


#33

You guide was changed after I had already followed it during my original install. The commit history of that PR shows as much.

You should be a little more concious of how recent changes are when trying to tell someone that they did something wrong.


#34

How should this be handled properly? Until NC 12 there are still the old hardening tips, you would have to notify people upgrading from NC 11 to NC 12. Would be a point for the release note which in the end nobody reads and people will come here and complain anyway.

Feel free to share your ideas on how to improve the documentation, make suggestions, you can even contribute -> https://github.com/nextcloud/documenation
The community is indispensable for improving the documentation, the developers know a lot about the code but only the users know which parts are hard to understand or which information is missing.


#35

The choco package already points to all proper sources. Else it would not have been approved by the mods there. Also this is my package :slight_smile:


#36

When I wrote my post back on May 5th, I was unaware that the hardening guide had just been changed (April 26th I believe). So my comments were based around the hardening concepts that have been in place since the early days of ownCloud as they were replicated here with Nexcloud until just recently.

Now, with a new clean install, there are no issues to address.

For anyone coming from an older Nextcloud install or an ownCloud upgrade, then it should be pretty easy to document what permissions are required and publish that information so the person upgrading can handle it.

Instead, the process just pukes out a generic “permission bad” type error and there is no clean documentation stating what the permissions are expected to be.

But because the updater has to be comparing something in order to give an error in the first place, then there should be something that can be documented.


#37

I know it was already submitted there, I said as much in my post. But the point of my comment to @jospoortvliet was to make sure it was officially supported there.


#38

I know it was already submitted there, I said as much in my post. But the point of my comment to @jospoortvliet was to make sure it was officially supported there.

As far as I understand, the Nextcloud guys do not want to be responsible for the complete ecosystem that they create. Which is understandable. Imagine Microsoft being directly responsible for all games that can be played on a Windows machine (I know the comparison is a little off…).
So the responsibility is passed on to the community members of the distros when we talk about Linux. The distros have official repos. For Windows/Chocolatey I guess it will be the responsibility of the Chocolatey community do maintain the package. Though, chocolatey.org is community driven and there is nothing really “official” there. There are core team packages which basically just means that people make pull requests on github, which are then synced to a dedicated server. The one doing the pull request stuff would probably still be me and I find it easier to just have a task running on my PC that regularly checks for updates on the Nextcloud servers. The closest thing that comes to an “official” package on chocolatey.org is a package that is maintained by the Nextcloud devs personally. Which, as mentioned, they don’t want to do.

I think the Nextcloud guys would not want to have it handled differently and I don’t think it would make sense any other way. But if anyone has any specific suggestions to improve the package, I’ll be glad to help.


#39

You are extremely correct. We are building a HUGE ecosystem with over 70 apps already - for which we also can’t be all responsible. We don’t want to be the limiting factor and hold back the community, instead we want to empower people!

That has downsides, sadly the repo of @morph027 is down at the moment for example :frowning: hope it comes back up soon :wink:


#40

Sorry for that, internet seems to be down and i’m on vacation with no remote hands available… :wink:


#41

Well, when you’re back, you have something to do… I know the feeling, am on holiday in Portugal right now :wink:


#42

Found some, forgot about grandma taking care of the plants … powercycling the dsl modem was enough, repo should work again :wink:


#43

I guess you get significant downloads, seeing 2.1K clicks on your repo URL :wink:

wish we could get this into debian/Ubuntu proper :heart_eyes_cat: