Unsupported version of ownCloud server
Hello,
For the past few weeks/months my ownCloud client on Linux has been complaining about the unsupported server version installed in the OPI appliance:
The server version 6.0.7 is old and unsupported! Proceed at your own risk.
How bad is this? Any security risk/exposure caused by 6.0.7?
And of course the most important question: is a new, updated ownCloud server coming to the OPI device soon?
The ownCloud web page suggests that ver. 6 and 7 are unsupported, and that ver. 8, 8.1, 8.2 and 9 are for production use.
Best regards,
-DarS
Hi DarS,
We are currently working on a general upgrade of the software on OPI, and with that comes a planned upgrade of the Owncloud component. There have, though, been some problems with precisely the Owncloud software that have delayed this. (They don't support upgrades between more than one major revision, and furthermore they have removed both the calendar and contacts UI into separate applications.)
So you will hopefully get an upgrade on this in the near future.
Regarding security there are, of course, always risks with running elderly software with known problems. With that said, there are to our knowledge no known exploits being widely used against OC.
/Tor
Thanks! I'm therefore waiting for this upgrade to come.
In the meantime I bumped into another security-related issue, namely the certificates.
One of the client applications (perhaps the ownCloud client, but it could also be a calendar or email client, as I tested a bunch of them recently) complained about a SHA-1 certificate:
The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1
I did not have time to investigate further, but I understand that SHA-1 is set for discontinuance from 2017. So I guess our devices would require a new set of OPI certs in the coming months.
Regards,
-DarS
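The client warning quoted in the post above says a SHA-1 signature sits somewhere in the chain but not which certificate carries it. The following is an added example, not part of the thread or of OPI's software: it reads the signatureAlgorithm OID of each DER certificate and lists the SHA-1 signed ones. All function names are illustrative, and `CONSTRUCTED_CHAIN` is constructed stand-in data, not real certificates.

```python
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_oid(der):
    """OID of Certificate.signatureAlgorithm, the element after tbsCertificate."""
    _, start, _ = read_tlv(der, 0)             # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)       # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(der[oid_start:oid_end])

def sha1_signed(chain):
    """Return [(position, algorithm name)] for each SHA-1 signed certificate."""
    found = ((i, signature_oid(der)) for i, der in enumerate(chain))
    return [(i, SHA1_SIGNATURE_OIDS[o]) for i, o in found if o in SHA1_SIGNATURE_OIDS]

def skeleton(oid_body):  # constructed stand-in, not a real certificate
    alg = bytes([0x30, len(oid_body) + 4, 0x06, len(oid_body)]) + oid_body + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"  # empty tbs, algorithm, empty signature
    return bytes([0x30, len(body)]) + body

RSA = bytes.fromhex("2a864886f70d0101")  # 1.2.840.113549.1.1 prefix
CONSTRUCTED_CHAIN = [skeleton(RSA + b"\x0b"), skeleton(RSA + b"\x05")]  # SHA-256 leaf, SHA-1 issuer
```

For a real chain, convert each PEM certificate with `ssl.PEM_cert_to_DER_cert` first; position 0 is the leaf, and the SHA-1 warning concerns the leaf and intermediates, since clients do not rely on a trusted root's self-signature.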
Have you looked into the OwnCloud fork called NextCloud? It seems to be a situation very similar to the OpenOffice/LibreOffice split a while back where the business people went one way and the technical people went the other. The technical people started NextCloud. At this point it is supposedly a drop-in replacement. It might be a better fit as an upstream source.
Murtagh
Hi DarS,
Regarding the certificate, this is an issue that we are aware of. Currently we are looking at updating our certificate chain, but there are a lot of dependencies that come along with that...
We are also trying to get a certificate that is signed by a "trusted" CA, so that browsers and other applications do not complain about the certificate.
/PA
Hi murtagh,
We are of course aware of the NextCloud fork of Owncloud. We however decided to first look into the upgrade of the old Owncloud to a newer version. Furthermore, we would like the dust to settle a bit before we evaluate the situation and then decide if a change would be the right thing to do.
With that said Nextcloud seems to address many of the "issues" we have with the Owncloud organization. (Such as the split in an enterprise vs community edition, the CLA for contributions and other rubbish.)
/Tor
I know this may start a religious war - but would you consider separating the caldav/carddav out of owncloud/nextcloud/andthenextfalloutafterthenextcloud?
I'm considering installing a Baikal server just so that I can break the dependency between Owncloud and having an up to date caldav server.
I am looking at Baikal (on a different machine) as it is the same Sabre stuff under the covers and is now part of Sabre.
But I'm not an expert
So if you could do it on the opi I would obviously prefer it 
Just an idea to throw into the pot.
/J
No fear of getting into a war with us, thoughts and comments are always welcome.
The 'owncloud/nextcloud/....' business is definitely worrying, and we have many times thought of what and how we can live without that.
One option is, just as you say, to break the functionality into separate software, and while it might be fairly straightforward doing that on a single system to make it work, it is a lot more to think about before it can be rolled out in production.
But we are looking at and thinking about these kinds of things.
/PA
Hi,
I have just posted an update on what we are currently up to, including the update "plan".
http://community.openproducts.com/2017/ ... d-updates/
/PA