Ubuntu, ownCloud, and a hidden dark side of Linux software repositories
The version of ownCloud in Ubuntu’s Universe repositories is old and full of “multiple critical security vulnerabilities.” It’s no secret. The ownCloud project itself asked Ubuntu to remove it so users wouldn’t have vulnerable server software. Ubuntu suggested to ownCloud they should take over maintaining it instead. OwnCloud thought that was ridiculous—they just want to write software and not maintain it in every distribution’s repositories.
Ubuntu is finally taking action and uploading an empty package that will disable the vulnerable ownCloud server software on Ubuntu 14.04 systems. But this whole weeks-long ordeal demonstrates a serious weakness with the way Linux software is packaged, distributed, and updated.
Why is there vulnerable software in Ubuntu’s repositories?
Most Linux users get their software through their distribution's software repositories, and they're told this is the best, most secure way to do it. You install from a centralized source, and your Linux distribution is then responsible for updating it for you and getting you timely security updates.
That’s how it should work, but that’s not how it always works. In this case, ownCloud is included in Ubuntu’s “Universe” repository, which is full of community-supported software. Canonical and the main Ubuntu developers haven’t committed to supporting this software with security updates.
The Ubuntu Software Center provides a little warning about this, but most Linux users won’t see it. The Universe repository is enabled by default, so most Linux users have no idea that most of the software in the Ubuntu Software Center isn’t officially supported by Ubuntu with security updates.
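To make the component distinction above concrete, here is an added Python check (not from the article, and not an Ubuntu tool) that reads control stanzas in the format of `dpkg -s` / `apt-cache show`, where Ubuntu prefixes the Section field with the archive component for anything outside main (for example `Section: universe/web`), and lists installed packages that fall in the community-supported universe and multiverse components. The sample stanzas are constructed.

```python
# Flag installed packages in Ubuntu's community-supported components: Ubuntu's
# package metadata carries the component as a Section prefix outside main.

# Constructed sample in dpkg status format (not real system output).
SAMPLE_STATUS = """\
Package: apache2
Status: install ok installed
Section: httpd

Package: owncloud
Status: install ok installed
Section: universe/web

Package: sun-java6-jre
Status: install ok installed
Section: multiverse/java

Package: old-universe-tool
Status: deinstall ok config-files
Section: universe/utils
"""

COMMUNITY_COMPONENTS = {"universe", "multiverse"}  # no Canonical security updates


def parse_stanzas(text):
    """Split dpkg/apt control text into a list of {field: value} dicts."""
    stanzas, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last stanza
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
        elif line[0] not in " \t":  # skip continuation lines (Description body)
            key, _, value = line.partition(":")
            current[key] = value.strip()
    return stanzas


def community_supported_installed(text):
    """Package -> component for installed packages outside main/restricted."""
    result = {}
    for st in parse_stanzas(text):
        # dpkg's status file also lists removed packages; skip those.
        installed = st.get("Status", "install ok installed").endswith(" installed")
        section = st.get("Section", "")
        comp = section.split("/")[0] if "/" in section else "main"  # no prefix: main
        if installed and comp in COMMUNITY_COMPONENTS:
            result[st["Package"]] = comp
    return result
```

On an Ubuntu host, feed it `open("/var/lib/dpkg/status").read()`; note that the prefix reflects the component at the time the package was indexed, so a package that has since been promoted or demoted should be cross-checked against the current archive indices.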
The dark side of community-supported development
The Ubuntu community—in this case, whoever uploaded and packaged the software in the first place—is responsible for putting together updated, secure ownCloud packages so users can get those security updates.
The developer who was working on ownCloud seems to have lost interest, so updates haven’t been issued since January. There’s no indication they’ll issue an update.
This is a dark, hidden truth about the way most Linux distributions’ software repositories work. You’re dependent on a community member to get you any security updates, and they have no real obligation to you. They may move on to something else and leave vulnerable software on your system.
As Canonical’s Marc Deslauriers explained on the mailing list: “The owncloud package in Ubuntu is in universe, which means it's maintained by the Ubuntu community. Someone needs to step up and take care of it. If nobody does that, then it unfortunately stays the way it is.”
ownCloud and Ubuntu go back-and-forth
To fix this problem, ownCloud took the highly unusual step of sending a message on the Ubuntu mailing list, asking the Ubuntu developers to remove the package from the repositories. They have no legal right to demand this, of course—it’s open-source software. But they’d like to prevent their users from using this old, vulnerable software.
Their proposal seemed simple. After all, Ubuntu’s developers could issue a new version of the package that was entirely empty. OwnCloud would be removed when a user updated their system. Those users could then install ownCloud from the packages ownCloud provides for Ubuntu, which are created by the openSUSE Build Service. ownCloud would be responsible for updating their users’ systems with the security updates in a timely fashion.
Ubuntu’s developers initially balked at this. Why, this isn’t the way the system works! The package is now locked-in for the stable release and shouldn’t have any major changes, even though it’s a fundamentally insecure piece of server software. Actually removing it would be highly unusual. They proposed that ownCloud should take over maintenance of the ownCloud packages in Ubuntu and keep them up-to-date. At the very least, it was ownCloud’s job to create an empty package and go through the bureaucratic process to push it out.
OwnCloud’s developers thought this was crazy. They want to focus on creating software, and they already provide a single place where Linux users can get packages and updates for various Linux distributions. They don’t want to spend time packaging their software for a myriad of different Linux distributions and maintaining it in various different repositories. As ownCloud’s Lukas Reschke explained:
“From my side, my work is done here, I have informed the responsible persons via multiple channels and if they have no intentions to fix the problems on their own we can very well life (sic) with that and will just add a big security warning to our installation guide.”
During the back-and-forth, Ubuntu users were left with that old, vulnerable server software for weeks longer.
OwnCloud isn’t in Ubuntu 14.10’s repositories, but it is in Ubuntu 14.04’s repositories. Thankfully, Ubuntu is now in the process of pushing out an empty package to remove the vulnerable version of ownCloud. Kubuntu’s Jonathan Riddell stepped up to do the necessary work, defusing the situation.
This happens regularly
This isn’t a one-time problem, although it is a big deal this time because it’s a piece of server software we’re talking about—software that’s exposed directly to the Internet where it could be compromised.
In the past, I have personally reported several security bugs directly to Ubuntu in Launchpad. In the most egregious case, the version of Java added to the Multiverse repository in partnership with Sun—complete with glowing talk in the media about how Sun was “working directly in partnership with Canonical” on the packaging—was left as an old, vulnerable package. Ubuntu just didn’t think it was their job to provide updated, secure versions of Java for the current Ubuntu release, even when they released that security update for the future, in-development releases of Ubuntu. Here’s the sad bug report from 2007.
Ultimately, the multitude of different Linux distributions with their own package repositories and formats creates problems. Packages are often created and maintained by users who may walk away at any time. There’s no way around this—and it’s a serious problem on Linux.
Thankfully, common server software like Apache and desktop software like Firefox have more attention paid to them. For example, these are part of the “Main” repository on Ubuntu, where Canonical commits to providing timely security updates for them. Beware server software supported by the community.