Both the Built-in Code Server and the Docker Containers from Collabora are affected.
Well… if Collabora decides to introduce that into their product, I could accept it. Though I would wish to have the opportunity to turn it off (and it shouldn't be turned on by default, too).
But if the joint venture of NC and Collabora contains the same thing it really IS against everything NC stands for. My data belongs to me. It shouldn't be in NC Office at all.
Maybe the devs of the Built-in Code Server can patch it out, I'm almost sure that's technically possible. Don't know about the legal side of it though, maybe they aren't allowed to change the product when they re-distribute it… But it would certainly be welcome if they could do that.
Yes, that's the whole issue. It was possible to remove the welcome screen using a configuration option before (it was enabled by default), and they have silently removed the option to remove the welcome screen and changed it to a compile time option without any discussion with the community whatsoever.
I completely understand that they don't want companies to freeload, but as pointed out by many users here and in the GitHub issue, it seems like this move is not about companies and is targeting/nagging private users.
I also feel that this is against everything Nextcloud stands for and Nextcloud should consider sending out a notice or temporarily remove it until this is resolved. Even if we trust Collabora, if their host gets compromised there is a possibility to inject remote code into every running CODE instance when a user sees the screen. That's a HUGE security risk in my opinion.
I hope that they don't just change it to local content, they should bring back the option to disable the welcome screen, way better, disable it by default.
Thanks for your post @bb77
Emphasis added - you're right of course. Clearly this is an open-source project; and CODE is a development edition - it is under development, not everything that we do there is perfect at the first cut as I said:
In the interim (as the GitHub ticket points out) it is easy to use an older state for the meantime, and/or compile online yourself. There are some thoughts on how to better address this issue https://github.com/CollaboraOnline/online/issues/4489 and little benefit in two duplicate threads.
And of course we love to get helpful feedback =) there is no need to pre-emptively despair =)
What else? It seems obvious to me that we made a mistake here by not making it easy to disable the remote fetching of resources. That is something we can and will fix. However - it is worth noting that e.g. Google Chrome, Firefox, LibreOffice all call home to check to see if there are updates unless you configure that off in each client - so some of the suggested replacements also need configuration.
@mmeeks please stop trying to argue this.
The mistake was not "by not making it easy to disable the remote fetching of resources."
The mistake was silently removing a configuration option. Bring back the configuration option - that's the whole mistake! It would be nice if it was disabled by default (and would fit into the Nextcloud concept) but at LEAST bring it back.
As you pointed out, other open source projects do this as well, and each one you pointed out has an option to disable this, and in some of them it's disabled by default.
@erfus Ok you made your point very clear.
Though I think we should put into consideration that mistakes can happen… and @mmeeks has my highest respect admitting that this was done in a wrong way and thus will be changed.
Nothing more to add here, I guess.
I too respect that they are admitting a mistake, and thanks for the explanations to @mmeeks but they only admit half of it.
Removing the remote content would bring back the security, and that would be great and should be the first goal.
But this issue is also about introducing a nag-screen and silently removing the option to disable this. This is just not ok in my opinion, what should keep them from expanding this? As pointed out, their arguments don't make much sense regarding large enterprises, it feels like they are tightening down on private users. I'm afraid that this could only be a beginning. There should be no reason for a "welcome" screen, I don't know of any project which has such a welcome screen.
I don't know of any project which has such a welcome screen.
Ehm… Nextcloud does
Shows the first time a user logs in. I do think it's a sane and valuable thing to have, but I also get that the Collabora one is pretty in your face in public links (we don't do that on public links).
I've discussed it with Michael and he promised to do a quick change to remove the remote ping the welcome does until we've come up with a better solution that gives users useful info and doesn't nag.
Please understand this was meant to be helpful, both for users AND to help Collabora get valuable user feedback. Give them some credit, they give all their code away for private use (and for lots of corporate use, too) - unlike any other online office solution.
And they have some technical limitations we don't have - like, if they didn't want to show it on public links, that's not so easy as Collabora is stateless and doesn't know much about where it is displayed. So we have to find some middle ground here that is a win-win for everyone and that is technically feasible. Give us some time to do that.
K?
I don't care at all if there is a welcome screen or not or if it can be activated or deactivated. In my opinion it is part of the source code and must not be loaded from another source. This is the actual problem.
I don't think that the welcome page of every Nextcloud is loaded from https://nextcloud.com. I think the servers of Nextcloud GmbH are simply too bad (performance) for that.
@jospoortvliet Perhaps you can communicate this to Collabora Online.
I agree. I think that would be a good option to display the collabora-welcome-thing only to registered users of the Nextcloud instance.
Showing it on public links/shares just seems to be unprofessional.
If it's about making a wish, I would leave out the welcome page altogether. If you really work with the software productively, you don't need it or it just annoys you. There is an info or help button somewhere. That should be enough for normal users.
Why has Google become so big? Because it didn't clutter the page with unnecessary stuff. But some applications try to take users for fools. As if you don't know how to get the information when you need it.
Good applications do not need a welcome page.
Well, Nextcloud allows you to disable the welcome screen. So did Collabora in the past, until they have decided to remove the option to disable the welcome screen.
I think it is time for a true community-build of Collabora Online. Since disabling this welcome screen is still a build-time option we only need to come up with a build infrastructure to create packages without this nonsense. Right now there is no fork needed, just a hoster for the builds. But who knows what kind of tracking technique they'll force on us through the next CODE release, so it's best if builds were in the hand of the community anyway.
Does anybody have any experience in setting up cloud builds through GitHub pipelines? As soon as we have community packages we could easily create community docker images as well.
By trying to hijack their software build process you achieve exactly what they want to prevent…
I always argue against split communities as one strong community is much better than 2 half-strong… Developing a full blown Office Suite is a really hard job (even Collabora just adopts LibreOffice and turns it into a web service) and a community split makes it even harder (see OpenOffice vs. LibreOffice; OwnCloud vs Nextcloud) - it may result in better Software/Community but it takes ages and a lot of hard work
@jospoortvliet If there is a way to work together with Collabora in a good way to stop user tracking and prevent companies from using Collabora for free I hope we can go this way…
As a small-business/home user I have to say that I don't fully understand the logic of this "CODE" release. For me it is just the "free office" more or less integrated into Nextcloud. It works normally well (otherwise I would not use it), and I really don't understand why Collabora tries so hard to make it look like a very unstable "development release".
I think Collabora must have a problem with the business model (which is typically selling support contracts to bigger companies), and that's why they try this weird "CODE is so unstable and we want to nag you to buy the 'COOL' Version, which you can only buy when you are a big company" thing.
But it won't be solved like this. If you need to sell more: Try to sell. Make it very easy for small companies etc. to buy the "good" version, give them something extra so that it is worth it.
In general I can say that "office on your own cloud server" was a pain in the last years, especially when coming from a perfectly working Google Docs (the paid company version). Annoying installation (compared to Nextcloud), problems after every update (files don't open, or download instead of open…), nag screens/nerdy "development" stuff, and now even security risks with externally loaded code.
Arguably, any company that runs Nextcloud should be using the paid options. Sure, 6 euros per user and month or whatever the standard version works out to is money, but it's not a lot of money. Not if you compare to the likes of Office 365 that's in the double digits per month.
Using community-supported open source in a company is not a great idea. It works, but you're not helping. Nextcloud needs money to continue, and so does Collabora. Combining Nextcloud and a paid Collabora puts pricing still below Office 365 (which it should be since Nextcloud and Collabora is absolutely a lesser solution too, it's just under your control and not in an American datacenter.) The solution still feels more than a little wonky and hobbyist, very "open source-ey" compared to behemoths like Google and Microsoft though. Hell, with Office 365 you get things like excellent mobile apps and world-leading email solutions, all this has to be done yourself for a Nextcloud. So you really need to have a reason to separate your solution from any provider before going this route - or, you're a hobbyist like me who enjoys this stuff.
But the CODE server (or indeed any edition) should absolutely not be calling home, for any reason. At the very least such a thing has to be an opt-in. In fact, GDPR mandates that privacy stuff of any kind is opt-in, so this may in fact violate that, but like others I'm not a GDPR expert.
@KimmoJ
You are totally right.
If someone is paying Microsoft Office, then simply using Nextcloud and Collabora Online is not worth it. Paying extra is always more expensive than single vendor (one product). Microsoft is using its monopoly to subsidize the cloud through Microsoft Windows 10 and Microsoft Office.
And when you're tracked, you tell yourself you might as well use Microsoft with the better applications. GDPR? Does not matter or is a problem of Microsoft Office and Collabora Online.
I would draw a distinction between what a company should do (i.e. pay for support for critical applications) and freeloading FOSS. FOSS does have a meaning. It loses that meaning if code is being quietly sabotaged to strong arm people into paying for something that is free and open source. Then it is no longer FOSS. The whole idea that someone can freeload something that is by definition "free" is a contradiction in terms.
This isn't the first time one of these office suites has done something underhanded to Nextcloud users either. Some of you may recall immediately after Nextcloud finished ONLYOFFICE integration, ONLYOFFICE disabled mobile editing without letting anyone know. Pulled the tablecloth right out from under everyone.
I get that they need income. We all do. I strongly encourage my clients to maintain support contracts for any and all business critical software they use. What they've done here is not okay from either a FOSS or a security standpoint.
Yes. I fully agree with you.
In the end, Nextcloud GmbH is also a company that prefers to report on the nice things rather than the not-so-nice things on its homepage https://nextcloud.com. For me, it is important with free software that one informs honestly and transparently to all customers. And smart users will always be able to find out in the source code anyway. At Microsoft, we don't even have that option.
An update - we've crunched to build & test a set of releases: packages, docker, richdocuments-code etc. that shipped a few minutes ago. These address the tracking concern here. As a stop-gap now we serve the welcome screen locally - while we work on getting this right in future - see the ticket for more details.
I hope that calms some of the concerns.