ownCloud 9 is Here
-
@scottalanmiller said:
@jospoortvliet said:
well, if you are running a broken CURL or openSSL, we warn you. If those come with your platform, even if we support that platform, it is still broken, so we warn you. I don't see how that is bad...
PHP wasn't broken, though. That was the issue that was more key. PHP was fully up to date on a fully updated install, fully supported by the correct vendor and yet still the alert.
perhaps we're mixing up things here. Let's go back to the image we're talking about:
There is a cURL warning. The system uses an outdated NSS version. There might not be a newer version from your vendor, but that does not make it any less outdated or insecure - bug your vendor. You have a problem with us warning you about issues in a platform, even if we support that platform? Sorry, that's a no-fix. We warn of issues, even if we can't fix them.
There is a PHP version warning. That PHP version is old and no longer supported by the PHP project. Yes, there might not be a newer version from your vendor for your platform. That does not make it any less outdated etc etc etc.
We could disable these errors - it might make you feel better but it would make your platform equally insecure. That is called a false sense of security. Gosh, I expected that you'd appreciate the fact that we won't do that.
Now the 'no internet access' error above it - this is most likely caused by the cURL version. What the error warns about is simple: ownCloud tries to connect to https://www.owncloud.org - if it can't, it gives this warning. There can be 100 reasons why it can't connect: a broken DNS, no network connection, a broken PHP, the wrong moon phase and many more. Some of these we can detect and give more detailed errors (that's why we warn about cURL and PHP there!), others we can't detect. Doesn't mean there is no problem, so we'll still tell you about it. What you do with it - well, Google the problem, ask on a forum or, if you have a support contract, call our support.
Again, you want us not to warn even though there IS something broken, even though we can't figure out exactly what it is? Wow! I hear this from our support team too - some admins want warnings to disappear without having to actually solve the problem. Well, the customer is always right I guess, but I wouldn't hire somebody with the attitude of ignoring problems rather than fixing them. No offense.
Then about the term 'supported platforms' you seem to consider 'vague' from me. First, I didn't know what CentOS version was being used so perhaps I was too quick saying it might not be supported. Supported is CentOS 7. But the term 'support' seems misunderstood here, too.
Let me be clear: nobody gets any support until they PAY. Then they get a contract. If you have no contract, the term 'support' means the same as it means when you hear it from Ubuntu, KDE, LibreOffice and everything else which is free and from a community of volunteers: it means we do our best to run on these platforms. NOTHING MORE. We certainly don't promise these platforms are awesome and great for our software. Those platforms might suck and in that case, we give you warnings. We feel no obligation to fix those problems - you, as sysadmin, can, if you like. You probably should, but - that is not our call. If we fail in anything, well, you can file a bug or help us fix it - we're an open source project (until somebody pays us, then we're ownCloud, Inc. and they get to yell at us all they want).
I hope that that is clear and sane.
Of course, if this level of transparency makes you feel uncomfortable or unable to trust us, there are plenty of projects out there who would be happy to not spend any resources and time on warning their users about security or performance issues at all and paper over any problems of the underlying platform. I know there is no other open source file sync and share which has a decent security vulnerability disclosure policy, for example - and no publicity about security bugs might mean there are none, at least to some people. Good that there is choice, right?
-
@jospoortvliet said:
There is a cURL warning. The system uses an outdated NSS version. There might not be a newer version from your vendor, but that does not make it any less outdated or insecure - bug your vendor. You have a problem with us warning you about issues in a platform, even if we support that platform? Sorry, that's a no-fix. We warn of issues, even if we can't fix them.
Are you confident that you are checking that correctly? Is the RHEL version not patched? Have you confirmed that? If so, then okay, good catch. But from the other things, I'm guessing that this is based on an incorrect assumption and is a false alarm. The track record thus far of crying wolf has already made me sceptical of claims like this.
Do you have information on what this version is not patched?
-
@jospoortvliet said:
Then about the term 'supported platforms' you seem to consider 'vague' from me. First, I didn't know what CentOS version was being used so perhaps I was too quick saying it might not be supported. Supported is CentOS 7. But the term 'support' seems misunderstood here, too.
Looking for a version that doesn't cause ownCloud to ever consider saying that maybe we are on an outdated and unsupported OS. I want the version that ownCloud stands behind and takes ownership of working on. I want the version that the conversation that happened won't happen on.
-
@jospoortvliet said:
Now the 'no internet access' error above it - this is most likely caused by the cURL version. What the error warns about is simple: ownCloud tries to connect to https://www.owncloud.org - if it can't, it gives this warning.
Exactly, that's what's wrong. You are testing a certification via HTTPS, not testing Internet access. Then you report that Internet access is not working. Those are two different things. This is pretty basic - don't check one thing and report something else. This is an ownCloud bug, very clearly.
-
@jospoortvliet said:
There can be 100 reasons why it can't connect: a broken DNS, no network connection, a broken PHP, the wrong moon phase and many more. Some of these we can detect and give more detailed errors (that's why we warn about cURL and PHP there!), others we can't detect. Doesn't mean there is no problem, so we'll still tell you about it. What you do with it - well, Google the problem, ask on a forum or, if you have a support contract, call our support.
If you reported what failed instead of something that didn't fail, this would be different. Saying that Internet access doesn't work is simply wrong. That's not what failed. I'm unsure how to clarify this.
If a user calls and tells me that the firewall is down, but actually they didn't turn their computer on yet, that's simply wrong. Wrong is wrong. You aren't getting failed Internet access and reporting something vague, that's fine. You are getting successful Internet access and reporting something false, that's a bug.
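
An added illustration of the distinction argued over above (say which stage of the HTTPS check failed instead of "no internet connection"); it is not ownCloud's code and was not written by anyone in this thread. The function names, the `steps` parameter and the message wording are assumptions of this example.

```python
"""Staged HTTPS reachability check that names the stage that failed."""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional

MESSAGES = {
    "dns": "could not resolve {host}: {err}",
    "tcp": "resolved {host} but could not open a TCP connection: {err}",
    "tls": "connected to {host} but the TLS handshake failed "
           "(network is up; check the TLS library and CA bundle): {err}",
    "http": "TLS to {host} succeeded but the HTTP exchange failed: {err}",
}

@dataclass
class ProbeResult:
    ok: bool
    failed_stage: Optional[str]  # "dns", "tcp", "tls", "http", or None
    message: str

def _resolve(host, port):
    return socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]

def _connect(addr, timeout):
    return socket.create_connection(addr[:2], timeout=timeout)

def _handshake(sock, host):
    # Default context verifies the certificate chain and the hostname.
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)

def _request(tls, host):
    tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\n"
                "Connection: close\r\n\r\n".encode())
    status = tls.recv(64).split(b"\r\n", 1)[0].decode("ascii", "replace")
    if not status.startswith("HTTP/"):
        raise OSError(f"unexpected response: {status!r}")
    return status

def probe(host, port=443, timeout=5.0, steps=None):
    """Run DNS, TCP, TLS and HTTP in order and report the first stage that fails.

    `steps` lets a caller (or a test) replace the four stage functions.
    """
    resolve, connect, handshake, request = steps or (
        _resolve, _connect, _handshake, _request)
    stage, sock = "dns", None
    try:
        addr = resolve(host, port)
        stage = "tcp"
        sock = connect(addr, timeout)
        stage = "tls"
        sock = handshake(sock, host)
        stage = "http"
        status = request(sock, host)
    except OSError as exc:  # gaierror, timeouts and ssl.SSLError all derive from OSError
        return ProbeResult(False, stage, MESSAGES[stage].format(host=host, err=exc))
    finally:
        if sock is not None:
            sock.close()
    return ProbeResult(True, None, f"{host} reachable over HTTPS ({status})")

if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]).message)
```

A failure at the `tls` stage means name resolution and the TCP connection already succeeded, which is the case the thread describes: the host has network access and the problem lies in the TLS stack or trust store.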
-
@scottalanmiller said:
@jospoortvliet said:
Now the 'no internet access' error above it - this is most likely caused by the cURL version. What the error warns about is simple: ownCloud tries to connect to https://www.owncloud.org - if it can't, it gives this warning.
Exactly, that's what's wrong. You are testing a certification via HTTPS, not testing Internet access. Then you report that Internet access is not working. Those are two different things. This is pretty basic - don't check one thing and report something else. This is an ownCloud bug, very clearly.
Well, it won't work - it won't be able to do what it says, like installing apps from apps.ownCloud.com because it just tried to connect there and failed. That's enough for not working, I'd say. Not saying there's no room for improvement here, feel free to file an issue or submit a patch - but it isn't so horribly wrong as you seem to imply.
-
@scottalanmiller said:
@jospoortvliet said:
There is a cURL warning. The system uses an outdated NSS version. There might not be a newer version from your vendor, but that does not make it any less outdated or insecure - bug your vendor. You have a problem with us warning you about issues in a platform, even if we support that platform? Sorry, that's a no-fix. We warn of issues, even if we can't fix them.
Are you confident that you are checking that correctly? Is the RHEL version not patched? Have you confirmed that? If so, then okay, good catch. But from the other things, I'm guessing that this is based on an incorrect assumption and is a false alarm. The track record thus far of crying wolf has already made me sceptical of claims like this.
Do you have information on what this version is not patched?
It gives pretty specific information but if it isn't patched or not - that's a question for our security guy who maintains these issues. If you know for sure that this version is perfectly fine, file a bug and we can fix this. For now, I'll trust our security guy.
-
@jospoortvliet said:
Again, you want us not to warn even though there IS something broken, even though we can't figure out exactly what it is?
I never said that in the least. I want you to fix your bug where you report the wrong thing. Simply report the truth, don't hypothesize and act like the issue couldn't be the most obvious thing.
And likewise, I'm telling you that you have a bug. A bug that you've stated yourself that you have in your description. Do you not want us telling you when ownCloud has a very obvious problem and just ignore it?
We have been telling you that you have issues and you are making excuses to act like the system should be wrong, should throw false errors, etc. I want real errors as a best case, no errors as an acceptable case, and never false errors. Nothing is worse than false errors.
So if you consider all ownCloud reporting as false and don't want to know when you have bugs, then absolutely turning the errors off completely would be an improvement.
-
@jospoortvliet said:
For now, I'll trust our security guy.
The same guy who is confused about these other issues? Sorry, that's a total fail. We are reporting that you have problems and your response is that WE need to fix it? You are diminishing my faith very quickly.
-
@scottalanmiller said:
@jospoortvliet said:
Then about the term 'supported platforms' you seem to consider 'vague' from me. First, I didn't know what CentOS version was being used so perhaps I was too quick saying it might not be supported. Supported is CentOS 7. But the term 'support' seems misunderstood here, too.
Looking for a version that doesn't cause ownCloud to ever consider saying that maybe we are on an outdated and unsupported OS. I want the version that ownCloud stands behind and takes ownership of working on. I want the version that the conversation that happened won't happen on.
Ah, ok. Honestly, I don't know. I run openSUSE 13.2, I don't have these issues. So that one certainly works. I guess SLE and LEAP might work, too. It surprises me too that these errors occur on the latest CentOS, isn't that based on the latest RHEL? Amazing that these are so outdated, or, indeed, perhaps there's a bug in ownCloud which incorrectly states these things. Again, if you are sure of that - file a bug. Please forgive me for assuming our software does what it should do until I see evidence to the contrary.
-
@jospoortvliet said:
Well, it won't work - it won't be able to do what it says, like installing apps from apps.ownCloud.com because it just tried to connect there and failed. That's enough for not working, I'd say. Not saying there's no room for improvement here, feel free to file an issue or submit a patch - but it isn't so horribly wrong as you seem to imply.
But it IS working. I can't fathom how this isn't the most apparent and simple problem ever.
User: "My car doesn't work."
Mechanic: "But you just drove it here."
User: "Yeah, but I meant to drive somewhere else."
Um... WTF!?!?!
This is simply a false report. It's plain and simply a bug.
Shouldn't you guys file a bug since you guys have known that you have it and have been leaving it? Why do you need us to file a bug report for something you've known about?
-
@jospoortvliet said:
Ah, ok. Honestly, I don't know. I run openSUSE 13.2, I don't have these issues. So that one certainly works. I guess SLE and LEAP might work, too. It surprises me too that these errors occur on the latest CentOS, isn't that based on the latest RHEL?
Not based on, it actually IS the latest RHEL. They are one and the same. And Jared tested against fully up to date as of today. That's why we are so frustrated. You say that ownCloud doesn't want to maintain distros but the errors being thrown suggest that you expect us to maintain our own stack of binaries and not use enterprise platforms.
Imagine if we threw errors on Windows saying that all kinds of things that are at the latest version are old. Not are susceptible to flaws, that's one thing, but actually old when they are current. We'd be considered insane. It's no different here. Whoever put these in clearly doesn't understand how Linux works and it is very worrying.
-
@jospoortvliet said:
Amazing that these are so outdated, or, indeed, perhaps there's a bug in ownCloud which incorrectly states these things.
See, this is part of the problem. They are not outdated, they are current. ownCloud is redefining outdated differently than the industry sees it. We see this as completely current. These are the absolute current versions in RHEL.
If you are looking for versions newer than these it means that ownCloud actually doesn't understand what RHEL is and, yet again, this is concerning. Why are you expecting something more current? The "contract" between RHEL/CentOS and its users is that these versions never change, they only get security patches. So if you think that these versions are old, it means you have a fundamental disconnect with using CentOS or RHEL as your platform.
Do you see the problem here? ownCloud should know that this is how RHEL works if they support or recommend it. What end users do you expect to ever not get these errors?
-
@jospoortvliet said:
Please forgive me for assuming our software does what it should do until I see evidence to the contrary.
But we've done so already. You know it isn't working, you've even stated what the bugs are in some cases. You've pointed out that ownCloud isn't familiar with the OSes that they recommend. How much evidence do you expect us to provide?
-
@jospoortvliet said:
There is a PHP version warning. That PHP version is old and no longer supported by the PHP project. Yes, there might not be a newer version from your vendor for your platform. That does not make it any less outdated etc etc etc.
Ah, but it does. It makes this a bug. It makes this ownCloud's problem. Why are you throwing an error for a fully updated, fully supported PHP version? Don't try to claim that it isn't. What it is not is not supported by PHP. If you mention PHP's support, that means we have a disconnect. We are in IT, not home hobbyists. Our support is from Red Hat, not PHP. Who gets support from PHP? Seriously?
This is a scary disconnect from how IT and Linux work. Here are some problems:
- ownCloud doesn't understand their target platform.
- ownCloud is throwing errors on things it doesn't understand.
- ownCloud is stating that things are old that are not. PHP on CentOS is fully up to date, it's just a different family. The patch level on it is very current. It is a misunderstanding of the version levels causing the issue.
All of these things are worrisome. Very, very worrisome when you claim that you trust your internal "security" guy who is missing these very, very basic concepts of the platforms he's supposed to be your expert on!!
-
@scottalanmiller said:
@jospoortvliet said:
Again, you want us not to warn even though there IS something broken, even though we can't figure out exactly what it is?
I never said that in the least. I want you to fix your bug where you report the wrong thing. Simply report the truth, don't hypothesize and act like the issue couldn't be the most obvious thing.
And likewise, I'm telling you that you have a bug. A bug that you've stated yourself that you have in your description. Do you not want us telling you when ownCloud has a very obvious problem and just ignore it?
We have been telling you that you have issues and you are making excuses to act like the system should be wrong, should throw false errors, etc. I want real errors as a best case, no errors as an acceptable case, and never false errors. Nothing is worse than false errors.
I'm sorry, what? I've agreed that the wording on one of the warnings is unclear - it should probably state "ownCloud failed to connect to ownCloud.org" rather than "this server has no working internet connection". Despite the bad wording, it is still not a 'false error': there IS a problem with the server configuration and the lack in clarity of the error message is sad but bugs happen and this minor wording problem can be fixed with a very simple pull request on github. And if a customer would have this problem, they have a phone number to call.
The other errors - perhaps you don't trust them, that's fine. I do unless I see evidence that points out that they're wrong, that's all I said. And I still don't see how you can claim that warning about outdated PHP or cURL versions is a bad thing.
As you stated:
I think that throwing alerts for PHP while saying that you support the platform that you alert on is a bad combination. Don't call CentOS 7 fully patched "out of date" while saying you support the platform. Just say you don't support it and move on.
That is caused by a misunderstanding we had about the term 'support'. I think I explained what I mean with it - and how it couldn't mean anything else unless we're talking about a customer-vendor relationship. Which, here, we're not - ownCloud is an open source, volunteer-run project and you're users who use it for free. When we say 'support' - don't expect more than you can expect from any other open source platform. And thus, yes, a 'platform' which we 'support' can be a 'problem'.
-
@jospoortvliet said:
We could disable these errors - it might make you feel better but it would make your platform equally insecure. That is called a false sense of security. Gosh, I expected that you'd appreciate the fact that we won't do that.
Honestly, I find your attitude offensive. This is pathetic. The errors are wrong and that's obvious. Your security guy is a fraud and you are clearly trying to cover for him. I'm sure you're a small company and he's a friend but I'm sorry, he's making you look bad and you are making the company look worse.
These aren't real errors, the security issue isn't a problem. Sorry if I trust Red Hat engineering more than a random guy who clearly doesn't understand the platform. Feel free to prove me wrong but you crossed a line here and I don't feel that ownCloud has any clout to stand on here and needs to prove itself anew. This is a ridiculous, offensive statement.
-
@scottalanmiller said:
@jospoortvliet said:
There is a PHP version warning. That PHP version is old and no longer supported by the PHP project. Yes, there might not be a newer version from your vendor for your platform. That does not make it any less outdated etc etc etc.
Ah, but it does. It makes this a bug. It makes this ownCloud's problem. Why are you throwing an error for a fully updated, fully supported PHP version? Don't try to claim that it isn't. What it is not is not supported by PHP. If you mention PHP's support, that means we have a disconnect. We are in IT, not home hobbyists. Our support is from Red Hat, not PHP. Who gets support from PHP? Seriously?
This is a scary disconnect from how IT and Linux work. Here are some problems:
- ownCloud doesn't understand their target platform.
- ownCloud is throwing errors on things it doesn't understand.
- ownCloud is stating that things are old that are not. PHP on CentOS is fully up to date, it's just a different family. The patch level on it is very current. It is a misunderstanding of the version levels causing the issue.
All of these things are worrisome. Very, very worrisome when you claim that you trust your internal "security" guy who is missing these very, very basic concepts of the platforms he's supposed to be your expert on!!
Look, these are warnings. If you're confident there is no problem, you can ignore them. This is the community edition of ownCloud: it is for common home users, not for large enterprises. These warnings are meant to help home users who run ownCloud on their Raspberry Pi to get a more secure setup. If this is confusing a professional sysadmin - well, I expect them to be able to figure out what to do more than home users.
The enterprise edition comes with a phone number to dial in these cases. I think you're taking this a little too seriously, to be honest. We're trying to be helpful and easy to use here.
-
@jospoortvliet said:
Let me be clear: nobody gets any support until they PAY. Then they get a contract.
Yeah, I get it, you want to make money. Of course. But the first rule of getting people to pay for support is demonstrating that you care about making a good solid product, fixing things when they are wrong, not ignoring when people are trying to help you and understanding how the product is supposed to work.
-
@jospoortvliet said:
Look, these are warnings. If you're confident there is no problem, you can ignore them.
This is not a professional response to being informed clearly that there is a bug.
You just told me to ignore a bug. Are we 100% clear that that's what's going on? Is that how ownCloud feels about security issues? Sweep them under the rug? Be wrong and hope that users ignore them?