I’d say that providing up to date packages is a great idea and I’d like to invite distributions to do that.
So distributions with a rolling model or a short release cycle like Arch, openSUSE Tumbleweed, Fedora or Debian Unstable/Testing could easily include Nextcloud packages and - please, guys and girls, do. Anything we can do to help, ask us!
For a more LTS focused distribution there are two problems:
long term bug and security fixes are something very few volunteers want to work on (most barely fix bugs in the stable release but only in development versions…).
Nextcloud can’t skip upgrades. And I don’t think it is OK running people through 5-10 upgrades at once at the end of the period.
It won’t be easy to find people willing to do bug and security fixes for 10 years. I sure won’t be willing to force volunteer developers to backport every fix for that long. A low barrier to contribution to Nextcloud is important to us.
We want to make it possible to skip releases, so that concern might go away in a future release, but we’re talking at least 2-3 releases from now, I think. An alternative would be to built a hacky way to skip upgrades which risks users’ data - something we would get very upset about (again). Users’ data is holy, not risking it is rule 1 of Nextcloud.
Ubuntu LTS support (5 years) only applies for packages from main. There are likely some unsupported packages: ubuntu-support-status --show-unsupported.
NC releases receive security updates for 18 months, that’s a considerable period of time. If you can skip major upgrades this would mean you must do a upgrade every 18 months. But how to implement this into the distribution packages? Would it help to provide a NC LTS with a support cycle of let’s say 2 years, and cut support a bit for other versions? To comply with the release cycle of Debian/Ubuntu it should be rather 3 years. Or they have to do a major NC upgrade at mid-term?
Not sure, but i remember RHEL’s support is not covering software like owncloud. So I don’t know of examples where 10 years would apply. Never the less: That’s the question that distributions answer when packaging software. I don’t think that known security issues would just remain unfixed in Debian stable. The seperate Debian LTS team might just drop support for Nextcloud. As with a direct Nextcloud installation you would have to upgrade, in this case your distribution from LTS to old-stable or stable.
Still for me the question remains, will you threaten downstreams with trademarks again?
You could save space by using “folks” while being even more inclusive
It would be great if you wouldn’t mix things up. Owncloud was distributed via the “universe” repository. It’s not officially supported, and also practically there is not LTS support at all. You can’t blame other distributions for Ubuntu having such a nontransparent security support policy (VLC player and Chromium are also in “universe”).
Not in principle, but we haven’t done it before either. Only if people do stuff that would make Nextcloud look bad - for example, things that threaten user data, or adding spyware. But that’s always been a rule in our trademark guidelines.
RHEL’s support doesn’t cover Nextcloud or ownCloud, the idea is that those companies get paid by customers for support of their software on RHEL.
So your company deploys RHEL 7.2, which has 10 years RH support. You then buy Oracle version whatever, which also has 10 years for that RHEL release. And you get Software X, also 10 years supported with Oracle version whatever and RHEL 7.2. Now you have a platform you can use for 10 years, and you pay gold for that to Oracle, RH and the vendor of Software X because they need money to pay their engineers to work with stuff so old nobody sane wants to touch it with a 10 foot pole.
This isn’t solving anything. The problem has never been to find a repository/bugtracker/infrastructure to develop packages. The problem is NC’s attitude towards downstreams users who just want to apt-get install nextcloud and know it’ll work.
allow migration from one stable version to the other (even if the migration script is written by the distro maintainer).
There is currently still code that can’t deal with this. Also distro maintainers in the past did not write migration scripts but they are of course free to do so
do not threaten people if they don’t maintain your software the way you would like them to.
There never were threats but people were displeased with communication and like you pointed out some distro maintainers turned off the check while not writing migration scripts so they broke people’s installs.
If I may, I believe the 2 issues of
1.Having a “stable” system
2.Making sure no obsolete NC installs are left around
can be addressed.
You have a lot of packages that require frequent updates: anti-virus systems, etc.
In Debian for example, there is a repository called “stable-updates”, for packages matching the following (from Debian website):
-The update is urgent and not of a security nature. Security updates will continue to be pushed through the security archive. Examples include packages broken by the flow of time (c.f. spamassassin and the year 2010 problem) and fixes for bugs introduced by point releases.
-The package in question is a data package and the data must be updated in a timely manner (e.g. tzdata).
-Fixes to leaf packages that were broken by external changes (e.g. video downloading tools and tor).
-Packages that need to be current to be useful (e.g. clamav).
So if the package maintainer manage to convince NC belongs in stable-updates, then they can get their more frequent updates without compromising the whole system stability.
I assume similar mechanisms exist for other distributions?
If you mean, with point 2, that one should be able to skip a release on upgrading, this is work-in-progress but quite hard. 12 will most likely make big steps in that direction, not sure if it’ll be ready yet, though.
With regards to the other points - we’ve had stable releases since we started, that is what 9, 10 and 11 are. And when did we ever threaten people? If you refer to the packaging debates earlier with Debian - well… First, we might still be unhappy if a distribution isn’t careful with user data, or seems to be going in that direction. Bu we’re a different project, different management i particular. So we won’t be making our own packages anymore nor will we tell people to use those. Entirely up to the distribution now. That should be blindingly obvious by now - we don’t and won’t be packaging.
And if a distribution breaks packaging, well, we have no expertise doing better. We might suggest to use another distro… Which is what I’d currently recommend - if you want packages, use a distro which provides and maintains them. Simple.
@jospoortvliet - Sorry this took a while but there was a bit of $life in the way for a couple of months and we wanted to be rigorous with the packaging from the start rather than go through the major refactoring again that we had with owncloud.
There are now nextcloud 10 packages that have been approved and in the testing repositories for Fedora and EPEL7
It is in the EPEL7 repos so easy to install on CentOS/RHEL 7
Due to PHP version limitations I can’t build this there on EL6
Do note that with the min PHP version being bumped in nextcloud 12 to 5.6 there cannot be an EPEL7 package for that then.
I’m not 100% sure if I’ll continue to maintain nextcloud 11 in EPEL7 for as long as it gets updates or if it’ll be retired at that point - but that’s still some way off and I’ll have an article with the options available to people nearer the time of that event.
This is indeed very very bad. Nextcloud 10 is EOL with the last public release in August, it shouldn’t even have landed in a new Fedora release! This just confirms the low quality (aka Red Hat playground) of this distribution to allow something like that.
It would be better to remove the package and use the official tarball to be on the safe side.