Get outdated ownCloud version removed from QNAP App Store?

tom42 · April 16, 2023, 10:13am

Hello ownCloud community,

via:

i learned today that it seems an ancient ownCloud 10.0.10 version released on 2018/09 is still offered for installation to QNAP users via https://www.qnap.com/en/app_center/con_show.php?op=showone&internalName=owncloudv10&version=10.0.10.1&qts=5.1.0&seq=68&os=qts

I think this is quite dangerous concerning security issues but also bugs which got fixed in newer ownCloud versions.

Maybe it could be in the interest of the ownCloud team to get this ancient version removed from the app store? Or at least a disclaimer added to the page that users are installing such an outdated version having known bugs and security issues?

Is there some one from ownCloud in contact with QNAP or is it possible for QNAP customers to write tickets?

rkaussow · April 17, 2023, 11:50am

Hi!

This app is not owned or maintained by ownCloud. It is like any other public package registry (DockerHub, npmjs, pypi, etc.) Anyone can create and publish packages there, and users should not blindly trust package sources on the internet.

IMO, there is nothing we can do (and that’s good) since this package is not owned by ownCloud. Imagine that someone can request a package deletion of e.g. a container image mynamespace/owncloud on DockerHub just because it is called owncloud.

What seems to be owned by us is https://www.qnap.com/en/app_center/con_show.php?op=showone&internalName=ownCloud&version=10.10.0.1&qts=5.1.0&seq=67&os=qts, which is also outdated. I will forward this internally to the team for discussion.

Thanks for bringing this up.

tom42 · May 13, 2023, 1:11pm

Hello,

thank you for your reply.

Maybe the ownCloud team as the vendor of the product still has the possibility to request either a removal or a mark as outdated if strong reasons are given (like security issues which exists for this 10.0.10 version) that because it’s not a random user requesting it but the actual vendor. And the info that the version is outdated is freely available and can be verified by QNAP.

I think it could be also damaging the reputation of ownCloud if users can installing a more then four year old version of ownCloud on their system that easily.

alfredb · May 13, 2023, 1:43pm

I wouldn’t see it that dramatic, at least it’s a 10.x! Of course, any newer version is better, more secure and so on. But it’s the maintainers alone job to care about the package. If he doesn’t, find someone who creates a newer package based on a core current version.

tom42 · May 13, 2023, 2:17pm

Hey,

i haven’t mentioned it explicitly but there actually already a (nearly) current version 10.10.0 available for QNAP systems in their app store.

So i think having two variants of ownCloud in the QNAP app store (one stone old and one nearly current) with users (like seen in Copy many files to a folder via browser fails) still installing the outdated version instead of the current is something quite problematic / really bad user experience :-/

system · August 28, 2023, 6:18pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.