Although I really cannot imagine Nextcloud GmbH putting hundreds of thousands of non-premium users at risk, this can be read as "You won't receive the newest security fixes as fast as paying customers".
I think someone has thoughtlessly phrased this sentence and it is explicitly up to Frank as head of Nextcloud GmbH to make it clear to the public that all channels will receive at least urgent security fixes at the same time.
And frankly there is no logistical reason for paying and non-paying users to receive security patches at different times. That's just introducing unnecessary complexity where they should just release a patch to everyone.
I hope you are right that it was just a PR person making a pitch and they don't actually do it that way. Some clarification from higher up would be nice.
Security and hardening consulting and early access to security patches
If that's true (and otherwise, why are enterprise customers being told this?) that's actually quite dangerous, as those receiving the early access to security patches would potentially have knowledge of vulnerabilities still affecting community users.
So basically back in November, Jos explained how the higher the update channel, the slower you get updates and fixes. Now we recently find this nugget stating that enterprise users get "early access" to security fixes, which seems contradictory.
Yes, that's what I was guessing. Thing is, I also find this confusing when the Enterprise version is itself advertised as "100% open source", and Nextcloud has a declared position against having a proprietary version.
Like a double rainbow, it doesn't mean anything good. The way I read it, it can mean one of two things:
Someone is going out of their way to hold back security fixes from the open source code
It's all marketing BS and security patches are available to everyone at roughly the same time
I find the latter to be more likely. It's probably misworded by a non-technical person and what they really mean is there are people internally doing extra security analysis on the enterprise code which is not really different from the open code.
The advantage an enterprise user can have, Nextcloud probably knows the configuration and can give you a heads-up when they are fixing something, so you are prepared. And if there are problems during roll out of the patch, they receive assistance from the Nextcloud team. Perhaps some of the larger customers get more detailed warnings before, what options or modules to turn off temporarily since they are more exposed. And if there are running systems to be tested with the new patch, itâs perhaps theirs.
For community users, the announcement comes suddenly, there can be confusion if your setup is concerned (think about the nginx configuration change recently).
I actually don't know, it's just what I suppose. I don't think that they keep fixes from the community, but they provide more support for their customers so that they can be faster and more efficient.
Now a lot of people are still replying that they're unhappy that the production channel has disappeared. I've tried to explain that it didn't do what you all thought it was doing - it has always just been broken (except for the thing @tessus mentioned, that'd be nice to find a solution for, that you can stay on a stable release, but I'd rather see that done in the command line so you can use the updater to go to any version rather than just to the one we offer. But it's a feature that needs developing, simple as that).
So we didn't take anything away that actually existed, just the IDEA of something
@jospoortvliet That being the case, it would probably be best to fix the misleading description that literally says the enterprise channel gets security patches earlier.