Update Nextcloud to 29.0.9 #2955

Closed
pachulo opened this issue Nov 7, 2024 · 8 comments

Comments

@pachulo
Member

pachulo commented Nov 7, 2024

https://nextcloud.com/changelog/#latest29

@pachulo pachulo added the 29 label Nov 7, 2024
pachulo added a commit to pachulo/nextcloud-snap that referenced this issue Nov 7, 2024
@pachulo
Member Author

pachulo commented Nov 8, 2024

Updated my instance and hit this bug, so I think we will skip this version.

@mritzmann

mritzmann commented Nov 10, 2024

so I think we will skip this version

Isn't 29.0.9 a security release that should not be skipped?

From the 29.0.9 blog post, which is also in the security category:

we strongly recommend you to update to version 28.0.12, 29.0.9 or 30.0.2 respectively. Maintenance updates include important bug fixes, stability and security upgrades. It is a quick and safe process, as always!

@pachulo
Member Author

pachulo commented Nov 10, 2024

we strongly recommend you to update to version 28.0.12, 29.0.9 or 30.0.2 respectively. Maintenance updates include important bug fixes, stability and security upgrades.

Yes indeed, but that's a canned message they usually write.

I can't see any security advisory in https://github.com/nextcloud/security-advisories/security/advisories or any fix with the security tag on the corresponding milestone.

It is a quick and safe process, as always!

And this part isn't always true, either. 🤣

Anyway, an option will be to move to the latest/stable channel, where we will be updating it to 30.0.2, which is not affected by this bug.

@mritzmann

Yes indeed, but that's a canned message they usually write.

Indeed 🙈

I can't see any security advisory

I wouldn’t rely on the security advisories, as security advisories are sometimes (or always?) only made public three months after patching. For me, this means every single patch release is essentially a security release.

Example Timeline for GHSA-9v72-9xv5-3p7c:

  • 28.03.2024: They fixed the security problem in Nextcloud v28.0.4
  • 14.06.2024: Three months later the security advisory was published

(A bit off-topic: Honestly, I still don’t fully understand how I’m supposed to manage this as the admin of a Nextcloud installation. On one hand, I want to keep my installation free of bugs, so I often prefer to skip faulty releases. But on the other hand, Nextcloud requires me to install every patch release because I can’t tell if it’s a security release or not.)

@pachulo
Member Author

pachulo commented Nov 10, 2024

I wouldn’t rely on the security advisories, as security advisories are sometimes (or always?) only made public three months after patching. For me, this means every single patch release is essentially a security release.

That's indeed a very good point; at least we know it's not affected by any public vulnerabilities and we will have a new version in less than a month. And I know this is far from ideal.

(A bit off-topic: Honestly, I still don’t fully understand how I’m supposed to manage this as the admin of a Nextcloud installation. On one hand, I want to keep my installation free of bugs, so I often prefer to skip faulty releases. But on the other hand, Nextcloud requires me to install every patch release because I can’t tell if it’s a security release or not.)

Let me just tell you that you are not alone: I myself keep my instance on the latest-1 version, because regressions like this one are more likely to happen on the shiny major versions. But, as we have seen here, regressions also slip into the oldest versions.

Related to this: long ago I proposed the creation of a new channel: oldest-supported, where you, as a Nextcloud admin, could forget about having to jump between channels and always get a version which has already had multiple point releases, lessening the chances of hitting regressions as much as possible (without having to buy Nextcloud enterprise I mean). But in the end we didn't find a solution which was not manual 😢.

Anyway, would you be interested in collaborating on such a chore, @mritzmann? Because back in the day my feeling was that I was like the only one using old channels and refreshing manually when I felt like it.

@mritzmann

I'm sorry, but I don't have enough resources (in terms of time) due to studying and so on 😮‍💨

@pachulo
Member Author

pachulo commented Nov 12, 2024

I decided that, as not many of our users use the channels for old versions, we will be publishing this even with the PDF viewer regression anyway, because it's not such a big deal for me or @mritzmann .

@pachulo pachulo closed this as completed Nov 13, 2024
@pachulo
Member Author

pachulo commented Nov 27, 2024

Well, more proof that this was not an easy call @mritzmann ... 😓 nextcloud/server#49498 (comment)
