Posts made by jospoortvliet

Hi all,

There's a big scare out there about ransomware and we turned 1 year old this month so perhaps some good news for private cloud owners:

• ️Supercharge ️ your collaboration with Circles 0.11, bringing better UX, activities & federation!
• Really cool app, Group Folders, coming with an update soon (tomorrow, I think, we'll try to blog about it on Monday)
• Developers, especially of Javascript web apps, will be interested in a guest blog by Buttercup.pw developer Perry MItchell about integrating Nextcloud and other WebDAV compatible cloud platforms as storage backend.
• And we did a post about migration from ownCloud - we wrote a migration script that makes it super easy.

Enjoy the weekend

Hi all!!!

Nextcloud is 1 year old and has become the most active open source private cloud project. We’d like to thank everybody who helped make this possible! I wrote a blog going over some of the highlights of our project over the last year, read it here.

Let me know your experiences with Nextcloud and thanks for being awesome, all of you!

See the announcement blog, in the Upgrading section:
Note that we do a staged roll-out: only 15% of the users on Nextcloud 11.0.3 on the Stable release channel currently receive an update notification for Nextcloud 12. If you wish to update with the updater even though there is no notification, you can set the channel to beta, reload the page and proceed to upgrade. After the upgrade set the channel back to stable!

https://github.com/nextcloud/updater_server/pull/65 -> due to a calendar/contact issue (which is really bad behavior of the clients but what can you do...) we decided to only increase the % when 12.0.1 is out. That should be in about 1-2 weeks.

Good news: Nextcloud 12 is out! With it come all the improvements we discussed for the beta, most in the area of better collaboration and communication. Here's a video with a overview of some of the new features. Read our blog to learn more:

Youtube Video

With it we announce something HUGE: a new architecture for scaling to hundreds of millions of users. It is called Global Scale and also brings benefits for smaller instances and even home users! You can learn all about it in our blog, the Global Scale webpage or the video below.

Youtube Video

I'd like to thank everybody who was part of making this happen, from the most active code contributor to the most casual tester! Without you, we would never have been able to deliver such a great product. #powerofcommunity

Coming VERY soon. Meanwhile, beta4 is out, keep testing!

Yeah, it works now - whatever it was it is solved

@dafyre said in Nextcloud 12 Beta 2 is out and you can earn a t-shirt by testing it :

I'm on 12-beta 1 and Collabora is working for me. I'll snapshot and upgrade to Beta 2.

Edit: Updated to Beta 2 and my Collabora still works!

Damn, doesn't work for me

I just blogged about our 2nd beta which is now available! We're still squashing bugs but it is time to really give this release a work-out so we're asking everyone to pitch in and test an upgrade. Most of us have upgraded our private instance (I just did, no problems here) and it is becoming harder to find bugs so - please, help out!

If you find a update/upgrade bug and report it and it's unique, there is a t-shirt in it for you

Learn more in our blog!

Oh and on my server, all apps were upgraded and not disabled except some that weren't yet compatible:
https://help.nextcloud.com/uploads/default/original/2X/6/6d56c2c1c1b687f82d851b019249c0a734922745.png
I updated the Collabora Online app but it isn't compatible (yet), neither are the other apps. Coming soon, hopefully!

And... Love the very detailed tips on mis-configuration:
https://help.nextcloud.com/uploads/default/original/2X/c/c903a9cf177ee352113b4e7753d8d20e5d4dc30c.png
and yeah, things were dog slow so clearly, this has to be updated

Hi all MangoLassians!!!
You can help test Nextcloud 12 beta today! Lots of good stuff coming, we've got a whole bunch of blogs and youtube videos...
https://nextcloud.com/blog/nextcloud-12-beta-introduces-the-next-generation-of-secure-collaboration/

Youtube Video

Hi friends,

Some great news over the last weeks about #nextcloud and other #opensource projects.

We published a blog 2 days ago about Sia integration in Nextcloud. Sia is a p2p storage tech that uses blockchain for contract & payment handling. It is pretty cool, fully open source, about 10x cheaper than other cloud storage technologies and, in short, something you must check out

Here is a video on how the integration works:
Youtube Video

I'd love to hear what you think!

We also did a blog about OpenID SSO integration thanks to Gluu, another open source project integrating in Nextcloud. Super cool, once again!

Of course we had our own news, with a great hackweek and the announcements of a whole bunch of partners like Univention, Daseq, Stylez and others. Find a full list of partners on our partner page.

We also had some customer stories of moving to Nextcloud like this Dutch company, a new provider in Netways & a nice Portknox March update.

Last but not least - the Nextcloud Conference is moving forward as well, announcing a call for papers. You are welcome to join and talk!

As always I'd love to hear what you think

Edit: yeah, I wrote 2p2 in the title silly mistake #208

@scottalanmiller said in What do you think, did we do this right?:

Can you ever hide the bad stuff from the bad guys? Bad guys will just run the product and get any announcement that is sent out no matter what. That's a given. But the most important thing is letting good admins know what to do, bad admins that don't update - that's their decision and risk.

Well, not fully of course, it is all open source. But the barrier to getting at the problem is a fair bit higher when there are hundreds of changes and some might or might not have a security impact vs you have 5 changes and you KNOW they impact security. It won't stop the NSA but might stop a script kiddie and at least give people more time to update.

I'm not saying it is a magic bullet, but it is widely considered security best practice to do it this way

Anyway, I'm hoping for automated minor updates to solve this in a more elegant way. We've decreased the target on the back of Nextcloud users significantly with our security scan - only 3% outdated systems is a quite small thing to put time and effort in if you're looking to do something like ransomware.

@scottalanmiller said in What do you think, did we do this right?:

Maybe a mechanism to push out REALLY emergency alerts to the majority of deployments would make sense in a future release? Not the normal update notifications, but something that makes it essentially impossible to ignore if the system is being used but only comes out for situations like this. It would still not hit 100%, but it might hit 90% of the people that you had to reach out to.

yeah, that's an idea. Separate security updates from the rest. The downside is that you can't "hide" the bad stuff from the bad guys. Right now, we release an update which has both bugfixes and security updates; then 2 weeks later we release the security advisories so admins can check if they had been pnwed before patching for example.

So you essentially have 2 weeks to update...

If the update is ONLY security stuff it is very easy for a bad actor to quickly look what's in there and start to exploit it.

Thanks for the replies, guys.

WRT the 3 weeks vs 90 days, yeah, this was a bit of a balancing act. We wanted to keep this under the radar as long as possible but of course people started tweeting and talking about it so black hats could pick up on it. We asked a few journalists who contacted us with questions to not talk about it and they were kind and responsible enough to keep quiet but we didn't expect to be able to keep it quiet for 3 months... In the end, three weeks is what the CERT's asked for and they're the experts so we went with that.

@scottalanmiller said in How Do You Rename a Note in NextCloud:

Hmmm... I wonder which is better. Maybe a little flag of some sort. Having something official would be good. And having something of a rating would be nice.

Yeah, we want to add a rating, but we keep debating the how/what of the rating

Will be there some day. And an 'official' flag exists, some apps have it, others don't.

@scottalanmiller said in How Do You Rename a Note in NextCloud:

Understood. Does appear that way, though.

True, we designed the app store in such a way that it doesn't really differentiate between apps that are included or those that need to be downloaded, other than in the "enabled' and 'disabled' sections.

You're proving that we succeeded. Also that it has downsides

this seems to be an issue with firefox, it works in chrome, but we're looking into it

EDIT: Even more fun, this is something to do with https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol and the OCSP server being down... Sigh. Not sure we can fix this...

Hi,

I'd like to hear some feedback. Many of you have been critical, in a constructive way, so this seems a good place to ask for honest, hard feedback!

It isn't a company thing, just me, privately, asking: did we handle the security scan thing right?

In very short:

• we discovered late last year there are tens of thousands of insecure oC and Nc servers on the web
• we discussed what to do:
  • can't contact them directly. Ppl would yell at us for doing a marketing scam, besides, we don't have their contact data.
  • can't just blog or write about it. Black hats would notice and attack while the users themselves clearly don't notice our blogs as they hadn't updated in some cases since 2012.
  • can't do nothing. Some day, somebody will find out and hack 200K servers in an automated fashion, putting the data online or using ransomware to collect big $$$.
  • we concluded we should contact the Computer Emergency Response Teams as it is their job to handle this.
• They reached out to providers who, in turn, contacted the server owners of the servers we had found (about 80K)
• we kept it all secret for 3 weeks to give ppl time to update, then did a media offensive to reach the 120K we couldn't reach directly.
• An estimated 45K updated since we started, right now 97% of Nextcloud servers is secure (and only 29% of oC servers, sadly many of them still didn't respond)

Now most ppl have been positive. But some providers didn't act very professionally:

• some simply forwarded the email, which contained info about all the insecure servers on their network (sigh)
• some called their users, scaring the s***** out of them
• some even threatened to shut down the servers
• others simply DID shut down the network connections (just a few, thankfully)
• and a few did absolutely nothing (not great either)

We had some people complain, saying that we should:

• warn users before we contact them
• not report them 'to the authorities' but contact directly (see above why we didn't)
• we just never should have done this in the first place, it harms users' privacy

Now I've given the arguments laid out above (plus results) to the folks who complained, but in quite a few cases, they continued to disagree. Now like anyone, my tendency is to assume them simply wrong but I also know I'm not perfect so I'm asking here.

Am I missing something? Or are some people just never happy?

@scottalanmiller said in How Do You Rename a Note in NextCloud:

It's also important for NC to see it. They have it as an included app that shows up and if customers lose data, that's not a good selling point for them on the system. They need to be aware, too.

note that it being on our apps.nextcloud.com site doesn't mean it is 'included'

But it is available so yeah, reason to have a good look and warn users. Thanks for the bugreport, I hope this can be fixed soon. Losing data is an absolute no-no.

Hi folks,

I've been not-so-active here for a while, mostly due to travel (Hi SCALE, hi Chemnitz) and of course our security scan - I'm not even sure if I posted here so for those who have been living under a rock (ahem): our blog and Der Spiegel article

Remember all those times I told you to update? Right

here some more reasons why you should update - the risks are REAL.

Meet us!

Anyhow, I wanted to invite you to meet us. We're at a bunch of events like CeBIT and more (see our events page) but of course the coolest would be to join us at a hackweek and a new one is coming! From March 25-31, we'll be having open doors in Stuttgart.

Ok, if you can't make it - I should remind you of the Nextcloud Conference in August. We opened a Call for Papers last week and contributors who want to join and need travel support should ping me. Oh, it helps if you submit a talk

@scottalanmiller certainly sounds like a bug, yeah. I never really used the app myself so I can't speak for it but I would suggest to file an issue