OwnCloud vs Nextcloud?

Nextcloud forked OwnCloud last month and made its first release this month.
<http://www.zdnet.com/article/nextcloud-adds-enterprise-support-and-ios-appliance/> Includes links to "Related Stories".

Does anyone have any insight into which would be worth adopting? Or something else?

- it looks as if more devs went with Nextcloud

- both are trying to make a commercial go of it. I fear that this doesn't match my desire for open source from an open project.

- I cringe at PHP. Especially since I'd like to expose my installation to the internet.

On 11/07/16 10:19 AM, D. Hugh Redelmeier via talk wrote:
> Nextcloud forked OwnCloud last month and made its first release this month.
> <http://www.zdnet.com/article/nextcloud-adds-enterprise-support-and-ios-appliance/> Includes links to "Related Stories".
> Does anyone have any insight into which would be worth adopting? Or something else?
This is the big blog post announcement: http://karlitschek.de/2016/06/nextcloud/
> - it looks as if more devs went with Nextcloud
Yes, it seems like all the key people, including some of the founders of the project, are going with NextCloud. That seems very likely to be the future. However, they'll need a bit of time. As an ownCloud user, I expect to move to NextCloud some time, but not today or tomorrow -- maybe later in 2016 or in 2017, as they get things in order.
> - both are trying to make a commercial go of it. I fear that this doesn't match my desire for open source from an open project.

"Commercial" is too broad -- from what I gather, the NextCloud fork exists specifically to do a better job at governance of the project from a software freedom perspective, to avoid too much control in the business side. For example, from that blog post ( http://karlitschek.de/2016/06/nextcloud/ ):

- We will no longer require a contributor license agreement from contributors.
- We no longer do dual-licensing
- The new trademark will be hold by an independent foundation.
- We no longer do internal development planing behind closed doors. Everything will happen in the open.

These are the kinds of things they've forked over, getting that relationship *right* between a free software project and a corporate sponsor.

There are commercial approaches, like Automattic's with WordPress, where you have a separate foundation and a pretty healthy relationship with a primary corporate sponsor. Apparently, large chunks of the ownCloud community found there wasn't that proper governance and relationship through ownCloud Inc. -- at least, that's how I've understood it.

> - I cringe at PHP. Especially since I'd like to expose my installation to the internet.

PHP isn't inherently a problem, especially for sure a vibrant and strong project like this. I'd be worried about some module written by a single developer or something, but NextCloud/ownCloud being PHP itself is less important than the health and strength and approach to security of the project and its developers. *shrugs*

On Mon, 11 Jul 2016 10:36:23 -0400 Blaise Alleyne via talk <talk@gtalug.org> wrote: <snip so many cool stuff here>
> There are commercial approaches, like Automattic's with WordPress, where you have a separate foundation and a pretty healthy relationship with a primary corporate sponsor. Apparently, large chunks of the ownCloud community found there wasn't that proper governance and relationship through ownCloud Inc. -- at least, that's how I've understood it.
> > - I cringe at PHP. Especially since I'd like to expose my installation to the internet.
> PHP isn't inherently a problem, especially for sure a vibrant and strong project like this. I'd be worried about some module written by a single developer or something, but NextCloud/ownCloud being PHP itself is less important that the health and strength and approach to security of the project and its developers. *shrugs*
imho, it is too early to have a real opinion either way (re own/next) just on a side note though, I love PHP - as in fanatically :) - I made this https://wishes.me - just because i like php :) and facebook, wordpress and so many other top projects are all php :) (I do also love bash, and python oh, heck, okay also perl *bleh* okay i love lots languages, yes, even java :) )

| From: Blaise Alleyne via talk <talk@gtalug.org>

Thanks for your very useful response.

| On 11/07/16 10:19 AM, D. Hugh Redelmeier via talk wrote:
| > Nextcloud forked OwnCloud last month and made its first release this month.

| However, they'll need a bit of time. As an ownCloud user, I expect to move to
| NextCloud some time, but not today or tomorrow -- maybe later in 2016 or in
| 2017, as they get things in order.

Yeah. But what do you think needs to get in order? Infrastructure?

Is it likely inferior to the ownCloud product that it started with?

Is it likely that a lot of changes will happen at the start such that it is better to wait for things to slow down?

Are you waiting for them to shake-down their new processes?

| For example, from that blog post ( http://karlitschek.de/2016/06/nextcloud/ ):

| - We no longer do dual-licensing

They have no choice with this one since the only license that gets them the source is the GPL one.

| - We will no longer require a contributor license agreement from contributors.

Since they cannot dual-license, there is no point in a CLA.

| - The new trademark will be hold by an independent foundation.
| - We no longer do internal development planing behind closed doors. Everything
| will happen in the open.

Sounds good. We'll see how it plays out

| These are the kinds of things they've forked over, getting that relationship
| *right* between a free software project and a corporate sponsor.

Technically, forks of dual-licensed software is a Good Thing for Free Software fans.

| > - I cringe at PHP. Especially since I'd like to expose my
| > installation to the internet.
|
| PHP isn't inherently a problem, especially for sure a vibrant and strong project
| like this.

I don't use PHP so my opinion isn't reliable.

Historically it has been too hard to write secure code in PHP. Or perhaps it was the culture. I know that things have gotten better over the years. Culture is pretty resistant to change.

On Mon, Jul 11, 2016 at 11:44:58AM -0400, D. Hugh Redelmeier via talk wrote:
> I don't use PHP so my opinion isn't reliable.
> Historically it has been too hard to write secure code in PHP. Or perhaps it was the culture. I know that things have gotten better over the years. Culture is pretty resistant to change.
Actually I think the right way to word it is:

It is too easy to make it insecure in php.

It is perfectly possible to write secure php code. It just happens to be stupidly easy to write insecure php.

The fact everywhere in php that takes a file accepts anything that is a valid url and does "the right thing" with it, makes it possible to do things like:

    get an argument from the user
    include(argument)

Sure if you for some reason want to have say 3 different things you can do with a selection, and then include the implementation of each of those 3 things so you can do something generic that uses one of those 3 methods, then that might seem like a good idea. Of course since you can't trust the user, and they could send you anything, not just what your page gives as options, they can now send you a url, instead of a filename that is local, and make you include that instead.

So if you happen to think that's a good design for making something modular, and you don't realize php really means it when it says it is consistent and allows all types of file specifications everywhere, then you can easily write something very insecure without realizing it.

Some of what has made php have a bad reputation does come down to some security issues in how it handles libraries and plugins, but a lot of the problems are really just that people don't know what they are doing and it makes it very easy to make something that "works" even if it is also very insecure in non obvious ways. You can do some of those stupidities in other languages, but usually you actually have to try a bit harder to get bitten. Trusting user input and using it directly is pretty much always a bad idea in any language.

--
Len Sorensen
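
The include-from-user-input pattern described in the message above, next to an allowlist version that handles the "3 different things" case. This is an added example, not part of the original thread; the module names, file names and sample inputs are constructed.

```php
<?php
// Added illustration; module names, paths and inputs are constructed.

// The pattern from the message: user input goes straight to include().
// Any readable local path is accepted, and a URL too if the
// allow_url_include ini setting has been switched on.
function load_module_unsafe(string $module)
{
    return include $module;              // deliberately vulnerable form
}

// Hardened form: the user supplies a key, the code supplies the file.
const MODULES = [
    'list'   => 'list.php',
    'edit'   => 'edit.php',
    'export' => 'export.php',
];

function resolve_module(string $choice, string $baseDir): ?string
{
    if (!array_key_exists($choice, MODULES)) {
        return null;                     // not one of the three options
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . MODULES[$choice]);
    if ($base === false || $path === false) {
        return null;                     // directory or module file missing
    }
    // Defence in depth: the resolved file must still sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: three stub modules in a temp directory.
$dir = sys_get_temp_dir() . '/modules_demo_' . getmypid();
@mkdir($dir);
foreach (MODULES as $file) {
    file_put_contents("$dir/$file", "<?php return '$file loaded';");
}
$inputs = ['edit', 'edit.php', '../../etc/passwd', 'http://example.invalid/x.php'];
foreach ($inputs as $input) {
    $path = resolve_module($input, $dir);
    $result = $path === null ? 'rejected' : (include $path);
    echo str_pad($input, 30), ' => ', $result, PHP_EOL;
}
```

Only the key `edit` resolves to a file; the file name, the relative path and the URL are all rejected before `include` is reached, because the request value is never used as a path.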

On 11/07/16 02:14 PM, Lennart Sorensen via talk wrote:
> On Mon, Jul 11, 2016 at 11:44:58AM -0400, D. Hugh Redelmeier via talk wrote:
> > I don't use PHP so my opinion isn't reliable.
> > Historically it has been too hard to write secure code in PHP. Or perhaps it was the culture. I know that things have gotten better over the years. Culture is pretty resistant to change.
> Actually I think the right way to word it is:
> It is too easy to make it insecure in php.
> It is perfectly possible to write secure php code. It just happens to be stupidly easy to write insecure php.
Yes, totally -- it's far too easy to write insecure code in PHP.
> [...] a lot of the problems are really just that people don't know what they are doing and it makes it very easy to make something that "works" even if it is also very insecure in non obvious ways. You can do some of those stupidities in other languages, but usually you actually have to try a bit harder to get bitten. Trusting user input and using it directly is pretty much always a bad idea in any language.
Absolutely. Beyond that, PHP just makes it really easy to write code in general, and then really easy to do stupid stuff when you're writing code. It's a bad combination of democratizing web programming and bringing the masses in but also abandoning moral and technical standards and traditions in the process... you just get a free for all where any schlub can hack together terribly insecure code...

Thing is, I don't think you can generalize from a particular culture of PHP devs to say something about all PHP applications though. It's not like the ownCloud/nextCloud community is a bunch of unsophisticated people using PHP to cobble together some shoddy thing. The ownCloud/nextCloud developer community rose out of the KDE developer community (not like, Joomla! or something). Not that I've pored through the source code, but ownCloud feels sophisticated -- they've got top-notch libraries employed, like SabreDAV, and support a ton of APIs and standards, which would be tough for an unsophisticated bunch to pull off, plus a fully-featured management CLI, which is another sign to me of a well-designed application.

There are well-designed and sophisticated PHP-based applications, like SabreDAV, like Symfony, like ownCloud/NextCloud. It's possible to write secure, well-designed code in PHP, and some people choose PHP because of its broad accessibility for hosting, not because they don't know how to write secure code.

I'm not that old, but I've seen and worked with my fair share of terrifying PHP applications... ownCloud/NextCloud isn't one of them. *shrugs*

On Mon, 11 Jul 2016 23:13:25 -0400 Blaise Alleyne via talk <talk@gtalug.org> wrote: <snip>
> There are well-designed and sophisticated PHP-based applications, like SabreDAV, like Symfony, like ownCloud/NextCloud. It's possible to write secure, well-designed code in PHP, and some people choose PHP because of it's broad accessibility for hosting, not because they don't know how to write secure code.
> I'm not that old, but I've seen and worked with my fair share of terrifying PHP applications... ownCloud/NextCloud isn't one of them. *shrugs*
just while on the topic of insecure php code...

I started php dev in 2000 and some of the code from that time, up to 2005, is not all that secure. (not even oop)

this is from that time, and maintained for intranet (not internet) use up to 2009 - https://github.com/andrecoetzee/Accounting-123

even if you look at the php code from the early 2000's you will see that the only obvious security issues are global variables, for the rest of it, **not bad security** for that time period

Of course, as time (and experience) sets in, one and all learns a lot and code from after 2012 looks a lot different :)

So, I guess what I am saying is that PHP sometimes has a bad reputation also because it is so commonly used, like c, c is just as easy and just as flexible, actually I think some of my old c code has a lot more security issues than my old php code

Andre

On 11/07/16 11:44 AM, D. Hugh Redelmeier via talk wrote:
> | From: Blaise Alleyne via talk <talk@gtalug.org>
> | On 11/07/16 10:19 AM, D. Hugh Redelmeier via talk wrote:
> | > Nextcloud forked OwnCloud last month and made its first release this month.
> | However, they'll need a bit of time. As an ownCloud user, I expect to move to
> | NextCloud some time, but not today or tomorrow -- maybe later in 2016 or in
> | 2017, as they get things in order.
> Yeah. But what do you think needs to get in order? Infrastructure?
Well, for example, I went to look at doing an install last week, and they've got a tarball, but with my ownCloud installs I've got the ownCloud Debian repo configured. I know there have been issues that the ownCloud community has been confronting in the best way to provide updates... but I'd rather not be unpacking *.tar.gz and figuring out whatever NextCloud's unique upgrade process is every time there's a bug fix or security release. I'd rather wait until they have their recommended update method / repo situation sorted out, so it's easier to maintain an installation. (Admittedly, I spent all of 5 minutes checking this out before deciding to check back again in a few months -- maybe I've missed something.)
> Is it likely inferior to the ownCloud product that it started with?
I doubt the application itself is inferior, since it's probably identical to the community edition. More the apt versus tarball type consideration.
> Is it likely that a lot of changes will happen at the start such that it is better to wait for things to slow down?
Less of a concern there... my hunch would be that a ton of their effort would be immediately spent on things *other* than creating a bunch of changes to the functionality of the program. Plus, it's a lot of the same leading developers.
> Are you waiting for them to shake-down their new processes?
Yeah, more this kind of thing -- I guess just waiting for the dust to settle a bit? I'm not sure specifically, but I think about OpenOffice.org/LibreOffice, or MySQL/MariaDB -- it's hard to tell in the days preceding a high profile fork just how it will pan out and when things will stabilize, and when there will be enough momentum/stability that you can have some confidence you know what the new thing is and that it has a solid future, or which project has the better future, etc. I think it's clear from all the defections that NextCloud is the future over ownCloud, but waiting to see things stabilize... I'm no expert here. Just a daily ownCloud user and sysadmin (probably soon to be a daily nextCloud user and sysadmin...).

D. Hugh Redelmeier via talk wrote:
> Does anyone have any insight into which would be worth adopting? Or something else?
I'm using Radicale[0] for my CalDAV and CardDAV server and Seafile[1] for my active file sync service (i.e. Dropbox).

[0]: <http://radicale.org/>
[1]: <https://www.seafile.com/>

--
Have an awesome day, and happy open-sourcing :-).
participants (5): ac, Blaise Alleyne, D. Hugh Redelmeier, Lennart Sorensen, Myles Braithwaite