June 30, 2016 at 05:39 #918
Since few weeks/months my ownCloud client on Linux has started to complain about unsupported server version installed in OPI appliance:
The server version 6.0.7 is old and unsupported! Proceed at your own risk.
How bad is this? Any security risk/exposure caused by 6.0.7?
And of course the most important – is new, updated ownCloud server coming to OPI device soon?
ownCloud web page suggests that ver. 6 and 7 are unsupported, and that ver. 8, 8.1, 8.2 and 9 are for production use.
July 6, 2016 at 15:45 #919
We are currently working on a general upgrade of the software on OPI and with that is a planned upgrade of the Owncloud component. There have though been some problems with precisely the Owncloud software that have delayed this. (They don’t support upgrades between more than one major revision and further more they have removed both the calendar and contacts UI into separate applications)
So you will hopefully get an upgrade on this in the short future.
Regarding security there are, of course, always risks with running elderly software with known problems. With that said, there are to our knowledge no known exploits being widely used against OC.
July 18, 2016 at 07:59 #923
Thanks! I’m therefore waiting for this upgrade to come.
In the meantime I bumped into another security-related issue, namely the certificates.
One of the client applications (perhaps the ownCloud client, but it also could be calendar or email client, as I tested bunch of them recently) complained about SHA-1 Certificate:
The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1
I did not have time to investigate further, but I understand that SHA-1 is set for discontiniance from 2017. So I guess our devices would require new set of OPI certs in coming months.
July 20, 2016 at 09:35 #926
Regarding the certificate, this is an issue that we are aware of. Currently we are looking at updating our certificate chain, but there are a lot of dependencies that comes along with that…
We are also trying to get a certificate that is signed by a “trusted” CA, so that browsers and other applications does not complain about the certificate.
July 19, 2016 at 20:11 #924
Have you looked into the OwnCloud fork called NextCloud? It seems to be a situation very similar to the OpenOffice/LibreOffice split a while back where the business people went one way and the technical people went the other. The technical people started NextCloud. At this point it is supposedly a drop-in replacement. It might be a better fit as an upstream source.
July 20, 2016 at 09:57 #927
We are of course aware of the NextCloud fork of Owncloud. We however decided to first look into the upgrade of the old Owncloud to a newer version. Further more we would like the dust to settle a bit before we evaluate the situation and then decide if a change would be the right thing to do.
With that said Nextcloud seems to address many of the “issues” we have with the Owncloud organization. (Such as the split in an enterprise vs community edition, the CLA for contributions and other rubbish.)
September 14, 2016 at 14:32 #930
I know this may start a religious war – but would you consider separating the caldav/carddav out of owncloud/nextcloud/andthenextfalloutafterthenextcloud?
I’m considering installing a Baikal server just so that I can break the dependency between Owncloud and having an up to date caldav server.
I am looking at Baikal (on a different machine) as it is the same Sabre stuff under the covers and is now part of Sabre.
But I’m not an expert 🙂 So if you could do it on the opi I would obviously prefer it 😉
Just an idea to throw into the pot.
September 16, 2016 at 10:54 #931
No fear of getting into a war with us, thoughts and comments are always welcome.
The ‘owncloud/nextcloud/….’ business is definitely worrying, and we have many times thought of what and how we can live without that.
One option is just as you say to break the functionality into separate software, and while it might be fairly straight forward doing that on a single system to make it work, it is a lot more to think about before it can be rolled out in production.
But we are looking and thinking about this kind of things.
January 5, 2017 at 19:43 #948
Any progress on this? When are we going to get updated ownCloud server?
January 13, 2017 at 15:45 #961
You must be logged in to reply to this topic.