We have 3.1.3

3.2 series brings a lot of advancements such as major engine update, Status feature, Virtual files (yet experimental on Linux for 3.2.0, I don't know for 3.2.2)
https://nextcloud.com/blog/nextcloud-desktop-client-3-2-with-status-feature-and-virtual-files-available-now/
https://help.nextcloud.com/t/nextcloud-desktop-client-3-2-1-is-out-with-some-virtual-files-bugfixes/115102

3.2.2 is getting released now
https://github.com/nextcloud/desktop/issues/3372

From history we learned that .0 versions can be problematic, but now at second bugfix release I think it is time we get it in as update for our users.

Changelog
https://github.com/nextcloud/desktop/releases
CC people from previous update, Bug 28241
CC: (none) => brtians1, joequant, mageia, mageia
Thank you for the prompt & information. This looks good to assign to NicolasL.
CC: mageia => (none)
Assignee: bugsquad => mageia
3.2.3 released 11 days ago
3.2.4 19 days ago. It is really about time we get 3.2.x out.
Assignee: mageia => pkg-bugs
I started to look but it does not build yet.
CC: (none) => mageia
Created attachment 12879
fix-build.patch
Fix for building on mga8
Created attachment 12880
Spec changes
Source is probably wrong as I had to download manually but didn't have time to search for correct link.
@Nicolas, maybe my patches will help a bit, I made it compile on mga8 with these.
Summary: nextcloud-client update to 3.2.2 => nextcloud-client update to 3.2.latest
3.3.3 is out since 9 days.
As it is kind of third bugfix for 3.3 I think we should go for 3.3.latest now.
https://nextcloud.com/blog/desktop-sync-client-3-3-improves-reliability-and-performance/

I don't think users need 3.2.x in between, correct me if I am wrong.

@Christian, as you are interested in having a go at the server package, maybe you are also interested in trying to package this client?
Summary: nextcloud-client update to 3.2.latest => nextcloud-client update
CC: (none) => chb0
(In reply to Morgan Leijström from comment #9)
> @Christian, as you are interested in having a go at the server package,
> maybe you are also interested in trying to package this client?

Hi
I'll have a look.
Hi, I just succeeded to build nextcloud-client 3.3.3
Indeed, a few adjustments were needed with buildrequires, lib and patch.
I tested it and it works.
I have the src.rpm
Let me know what else I should do now, when you have a chance.
Great, Christian! Now for mentor or another packager to help next step.
I am looking for the review today :)
Modifications validated and pushed in cauldron. In mageia8 where do you want it? updates? backports?
Does it require manual intervention for it to work for users who currently have nextcloud-client-3.1.3-1.mga8 installed?
CC: (none) => davidwhodgins
(In reply to Dave Hodgins from comment #15)
> Does it require manual intervention for it to work for users who currently
> have
> nextcloud-client-3.1.3-1.mga8 installed?

No. I have tested both new installation and update. Both work and update process is transparent for the user.
Great. Put it in updates testing, and I will test too, update, the 64 bit.
Then it should also go in core updates testing like nextcloud-client-3.1.3-1.mga8 did.
I meant it should go in core updates testing... :) to be released in core updates after testing
I just pushed it into mageia 8 updates_testing
Assignee: pkg-bugs => qa-bugs
Clean update; Had 3.1.3 installed and did not shut it down.

Using drakrpm, updated to
- lib64nextcloudsync0-3.3.3-1.mga8.x86_64
- lib64ocsync0-3.3.3-1.mga8.x86_64
- nextcloud-client-3.3.3-1.mga8.x86_64
- nextcloud-client-dolphin-3.3.3-1.mga8.x86_64

Logged out and in, 3.3.3 started (I use my own autostart script btw to start several apps with pauses and order between...).
Using kwallet for password.
It continued to run set up syncs from two servers, and the paused ones kept paused.
Swedish locale, Plasma.

Did not test: attaching to new server, new shares, etc

----

How can a user enable virtual files?
I see in settings "Using virtual files plugin: off"
(In reply to Morgan Leijström from comment #21)
> How can a user enable virtual files?

https://docs.nextcloud.com/desktop/3.3/architecture.html#virtual-files

$ cat ~/.config/Nextcloud/nextcloud.cfg | grep virt
1\Folders\10\virtualFilesMode=off

Maybe I will play and set it on later, but it is still experimental.
MGA8-64, Gnome

$ uname -a
Linux localhost.localdomain 5.10.62-desktop-1.mga8 #1 SMP Fri Sep 3 14:47:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

this is an upgrade from prior Nextcloud-client on machine

The following 3 packages are going to be installed:
- lib64nextcloudsync0-3.3.3-1.mga8.x86_64
- lib64ocsync0-3.3.3-1.mga8.x86_64
- nextcloud-client-3.3.3-1.mga8.x86_64

---
I rebooted machine
It required me to re-validate with server, but after that it sync'd without issue.
Works as designed for me.
MGA8-64, Gnome

The following 3 packages are going to be installed:
- lib64nautilus-gir3.0-3.38.2-1.mga8.x86_64
- nautilus-python-1.2.3-4.mga8.x86_64
- nextcloud-client-nautilus-3.3.3-1.mga8.x86_64

It appears to be integrating with Nautilus with no issues.
This update fixes CVE-2021-22895 (fixed in 3.3.1), CVE-2021-32728 (3.3.0):
https://www.debian.org/security/2021/dsa-4974
Summary: nextcloud-client update => nextcloud-client update to 3.3.3 (fixes CVE-2021-22895 and CVE-2021-32728)
Component: RPM Packages => Security
QA Contact: (none) => security
MG8-64, Xfce

Nextcloud Client Upgrade

Installed
- lib64nextcloudsync0-3.3.3-1.mga8.x86_64
- lib64ocsync0-3.3.3-1.mga8.x86_64
- nextcloud-client-3.3.3-1.mga8.x86_64

-- rebooted
Working as designed
MGA8-64, Plasma

Fresh build of Nextcloud Client and Dolphin extensions

The following 17 packages are going to be installed:
- gcr-3.38.0-1.mga8.x86_64
- gnome-keyring-3.36.0-3.mga8.x86_64
- lib64cloudproviders0-0.3.1-1.mga8.x86_64
- lib64gcr-ui3_1-3.38.0-1.mga8.x86_64
- lib64gnome-keyring-3.36.0-3.mga8.x86_64
- lib64gnome-keyring0-3.12.0-12.mga8.x86_64
- lib64handy1_0-1.0.3-1.mga8.x86_64
- lib64nextcloudsync0-3.3.3-1.mga8.x86_64
- lib64ocsync0-3.3.3-1.mga8.x86_64
- lib64qt5keychain1-0.11.1-2.mga8.x86_64
- lib64qt5websockets5-5.15.2-1.mga8.x86_64
- libgnome-keyring-i18n-3.12.0-12.mga8.noarch
- libhandy-common-1.0.3-1.mga8.x86_64
- nextcloud-client-3.3.3-1.mga8.x86_64
- nextcloud-client-dolphin-3.3.3-1.mga8.x86_64
- pinentry-gnome3-1.1.1-1.mga8.x86_64
- seahorse-3.38.0.1-1.mga8.x86_64

27MB of additional disk space will be used.

Afterwards I was able to start nextcloud-client and set up a connection to the test server. Everything sync'd. Also the dolphin client worked as expected ... showing synchronization status on folders and files.

Approving this.
MGA8-32, Mate

$ uname -a
Linux localhost.localdomain 5.10.62-desktop-1.mga8 #1 SMP Fri Sep 3 15:03:25 UTC 2021 i686 i686 i386 GNU/Linux

New install
qtsvg5-5.15.2-1.1.mga8.i586: success
libqt5svg5-5.15.2-1.1.mga8.i586: success
libqt5quicktemplates2_5-5.15.2-1.mga8.i586: success
libqt5quickcontrols2_5-5.15.2-1.mga8.i586: success
libqt5webchannel5-5.15.2-1.mga8.i586: success
libqt5keychain1-0.11.1-2.mga8.i586: success
libocsync0-3.3.3-1.mga8.i586: success
libcaja-gir2.0-1.24.1-1.mga8.i586: success
qtquickcontrols25-5.15.2-1.mga8.i586: success
libqt5websockets5-5.15.2-1.mga8.i586: success
libnextcloudsync0-3.3.3-1.mga8.i586: success
libminizip1-1.2.11-9.mga8.i586: success
libqt5pdf5-5.15.6-1.mga8.i586: success
libqt5positioning5-5.15.2-1.mga8.i586: success
libcloudproviders0-0.3.1-1.mga8.i586: success
libsnappy1-1.1.8-2.mga8.i586: success
python3-caja-1.24.0-2.mga8.i586: success
libqt5quickwidgets5-5.15.2-1.mga8.i586: success
libre2_9-20201101-2.mga8.i586: success
qtwebengine5-5.15.6-1.mga8.i586: success
libqt5webenginecore5-5.15.6-1.mga8.i586: success
libqt5webengine5-5.15.6-1.mga8.i586: success
libqt5webenginewidgets5-5.15.6-1.mga8.i586: success
nextcloud-client-3.3.3-1.mga8.i586: success
nextcloud-client-caja-3.3.3-1.mga8.i586: success
~

---rebooted

Nextcloud was able to link to server and sync
Caja recognized that nextcloud folders were updated

Working as designed.
Whiteboard: (none) => MGA8-64-OK MGA8-32-OK
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Thanks all :)
And welcome to the party, Christian!
(In reply to Morgan Leijström from comment #30)
> Thanks all :)
> And welcome to the party, Christian!

Thanks Morgan. Coming next, Nextcloud server ;). Stay tuned :)
Apprentice, do we have an advisory for this one written?
https://wiki.mageia.org/en/How_to_create_an_update_advisory
(In reply to Morgan Leijström from comment #32)
> Apprentice, do we have an advisory for this one written?
> https://wiki.mageia.org/en/How_to_create_an_update_advisory

Hi
I have made a few comments on the change log to explain packaging updates. However, I have not pasted the release notes of this new 3.3.3 version. Should I?
Advisory based on above info committed to svn as ...

type: security
subject: Updated nextcloud-client packages fix security vulnerability
CVE:
 - CVE-2021-22895
 - CVE-2021-32728
src:
  8:
   core:
     - nextcloud-client-3.3.3-1.mga8
description: |
  Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate
  validation due to lack of SSL certificate verification when using the
  "Register with a Provider" flow. (CVE-2021-22895)

  In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a
  private key belongs to previously downloaded public certificate. If the
  Nextcloud instance serves a malicious public key, the data would be encrypted
  for this key and thus could be accessible to a malicious actor. This issue is
  fixed in Nextcloud Desktop Client version 3.3.0
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0421.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to Dave Hodgins from comment #34)
> Advisory based on above info committed to svn as ...
> type: security
> subject: Updated nextcloud-client packages fix security vulnerability
> CVE:
> - CVE-2021-22895
> - CVE-2021-32728
> .......

Thanks Dave for the work done. Should I do it next time or is there a dedicated team in charge?

Actually, we might have another opportunity as 3.3.4 is out
https://help.nextcloud.com/t/nextcloud-desktop-client-3-3-4-with-bugfixes-is-here/124024
or is it too early to propose it?

Side note: I think it would be better, packaging wise, not to jump too many versions to track the potential changes required to build.
David Walser is effectively our security guru, and points out new security issues by starting new bugs or adding to existing. Dave and some other people jump in here and there :)

But it is very good if the packager could regularly check for eventual security updates, and other updates too, for the packages he caters for, and start the packaging work by creating a bug, then package. And write Advisory or just propose an advisory text in the bug.

As for update frequency it depends on what package, and severity of bugs. We don't have manpower to ship every version of every program we package - not only for packagers, but also for QA limitations. This nextcloud client took too long, we should have shipped one 3.2.x too. We have burnt us on both server and client x.x.0 versions, so always wait one or two bugfix releases. Mageia style is more reliability than cutting edge.

But already 3.3.4? If you wish :) good repeat exercise, and I can test it.

A few packages see several releases in our testing, like Thunderbird recently, kernels and some stuff even get built sometimes several revision before we even start a bug. For new packaging of nextcloud server I would not be surprised if we need more than one try.
Clarification "see several releases in our testing,"
I mean we sometimes test more than one update iteration in testing before we ship out.
Hi
I just packaged 3.3.4
Actually, packaging wise, nothing to do after all the adjustments made to upgrade from 3.1.
Nicolas, the src.rpm is available at the usual location.

I just tested it on MGA8 Cinnamon, Gnome and KDE. Update went smoothly from 3.3.3. Of course, more comprehensive tests are required. I would be surprised if any issue, but it is never 100% granted.

Advisory wise, I have not noted any CVE.
Bug fixes reported in the announcement:
desktop#3757 https://github.com/nextcloud/desktop/pull/3757 5[stable-3.3] prevent infinte recursion when closing a websocket in case of SSL errors
desktop#3791 https://github.com/nextcloud/desktop/pull/3791 3[stable-3.3] Accept nc scheme in provider page

And, just now, I am wondering whether it is the right place where to post this, or should I issue a new "bug" report?
Nice Christian. Yes please open a new report for 3.3.4, because this bug already resulted in shipment of 3.3.3.
(In reply to christian barranco from comment #36)
> Thanks Dave for the work done. Should I do it next time or is there a
> dedicated team in charge?

In the bug report, there should be an advisory in one of the comments.
For a security update, it should list each cve, along with a brief summary.
For bugfix updates, it should list each issue that's fixed.

There should also be a list of the rpm packages, and the srpm packages.

That way qa knows what to install, and what to look for when testing.

The srpm list is used when committing the formal advisory to svn. The svn advisory srpm list controls what gets moved from updates testing to updates when the update is "pushed". It's also used to generate the advisories that get published to https://advisories.mageia.org/index.html and the updates announce mailing list.

The svn advisories must be very carefully formatted. Things like a trailing space on a line can cause it to be rejected by the push script.

There are only a few people who take care of that. If you'd like to volunteer to help with that in addition to normal packaging, see https://wiki.mageia.org/en/Mgaadv and post a msg to the qa-discuss mailing list.
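
The formatting points in the last comment (a trailing space can get an advisory rejected; a security advisory should list each CVE with a brief summary) can be checked before committing. The following pre-commit check is an added example, not part of this thread and not Mageia's push script. The names `lint_advisory` and `split_sections`, the list of required keys, and the sample advisory with its indentation are assumptions made for illustration.

```python
import re

# Top-level keys that appear in the advisory quoted in this thread. Treating
# them as required is an assumption, not the push script's documented rule.
REQUIRED_KEYS = ("type", "subject", "src", "description")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def split_sections(text):
    """Group lines under the unindented 'key:' line that precedes them."""
    sections, current = {}, None
    for line in text.split("\n"):
        m = re.match(r"([A-Za-z]+):(.*)", line)
        if m:
            current = m.group(1)
            sections[current] = [m.group(2)]
        elif current:
            sections[current].append(line)
    return sections


def lint_advisory(text):
    """Return a list of human-readable problems; empty means clean."""
    problems = []
    for no, line in enumerate(text.split("\n"), 1):
        if line != line.rstrip():
            problems.append(f"line {no}: trailing whitespace")
    sections = split_sections(text)
    for key in REQUIRED_KEYS:
        if key not in sections:
            problems.append(f"missing key: {key}")
    listed = CVE_RE.findall("\n".join(sections.get("CVE", [])))
    described = set(CVE_RE.findall("\n".join(sections.get("description", []))))
    for cve in listed:
        if cve not in described:
            problems.append(f"{cve}: listed but not summarised in description")
    return problems


# Constructed sample (indentation and wording are illustrative): line 2 ends
# with a space and the second CVE has no summary in the description.
SAMPLE = (
    "type: security\n"
    "subject: Updated nextcloud-client packages fix security vulnerability \n"
    "CVE:\n - CVE-2021-22895\n - CVE-2021-32728\n"
    "src:\n  8:\n   core:\n     - nextcloud-client-3.3.3-1.mga8\n"
    "description: |\n"
    "  Improper certificate validation in the provider flow. (CVE-2021-22895)\n"
)

if __name__ == "__main__":
    for problem in lint_advisory(SAMPLE):
        print(problem)
```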