security updates for apps
-
Not sure if this has been discussed before, as it seems a quite general question. I could not find it through a search though.
How fast are security updates applied, if you push them to the app store?
I realized that last week a new WordPress package was pushed (see this thread), but it has still not been installed on my Cloudron. Even when clicking the Update button for the app manually, nothing happens.
@girish: You write in the thread mentioned above "Note that unlike most other packages, we have a very large number of WP installs. For this reason, you may not see an update immediately. It will happen over the course of a week from the package announcement."
Does this refer to package updates with new features only? Or is this the case for security updates as well? I mean a week is rather long and might seem okay for new features, but security updates should be applied within a day IMHO.
-
@hendrikvl Currently, we roll out the packages slowly over a week. This update has been a bit slower because it also updates PHP to 7.3 and we wanted to make sure it doesn't break any sites.
Maybe I misread the WordPress security issues because they were important but not critical enough to push updates over night. I mostly used the analysis from Wordfence.
Not sure what the best solution is, but maybe we need something midway to give admins more control - if they want to update immediately, they should be able to. But automatic updates would still happen as per our rollout flags. What do you think?
-
@girish The release notes of WordPress 5.4.1 mention security issues at least.
My question was of a more general nature though, and I took this WordPress release as an example only. But if I understand you correctly, you guys have a way to push updates faster, in case they contain security fixes with a high criticality?
Having more control as an admin would be nice of course. If I read about a security issue in an app of which I think it might affect my site, I should be able to update. As your post shows, you are quite quick in packaging a new version.
-
@hendrikvl said in security updates for apps:
But if I understand you correctly, you guys have a way to push updates faster, in case they contain security fixes with a high criticality?
The Cloudron update model is "pull based". Cloudron installations pull updates from cloudron.io periodically. There is no mechanism to push updates from our side (intentionally). A pull model keeps the Cloudron installations in total control, which is how we want it.
What we do now is that when a Cloudron installation asks for an update, we check some simple flags to decide if it should be given an update or not. That's really it. Over the course of a week, some are given an update and some are not. The main reason for this rollout style is that if we break something, it only breaks a small number of instances and not everything simultaneously.
I will look into how we can provide the app update for all installations immediately but do automatic roll out over a week at the same time.
-
@girish said in security updates for apps:
Over the course of a week, some are given an update and some are not. The main reason for this rollout style is that if we break something, it only breaks a small number of instances and not everything simultaneously.
That's what I meant with "push". Of course my Cloudron polls, but your server decides whether I receive an update or not.
So let me rephrase my question: If there is an app update which contains security fixes of high criticality, does the same "over the course of a week" mechanism apply? Or would all Cloudrons which poll for an update receive it immediately?
-
@hendrikvl said in security updates for apps:
So let me rephrase my question: If there is an app update which contains security fixes of high criticality, does the same "over the course of a week" mechanism apply?
Yes, there is no priority queue for updates. All updates are treated the same.
-
@girish What about a menu in the settings for "update channels"?
You guys get data from all your customers, maybe pushing the updates to all us eager beavers causes more headaches than it's worth. But I'd be clicking a button that fed me the updates ASAP for sure. I've emailed you guys a few times about pushing me a newly released Cloudron release manually. Having a "beta test" sign-up sheet might be helpful. I'm in a position where all my Nextcloud and Bitwarden stuff is backed up externally, and everything else is backed up to those occasionally. So if my Cloudron instance blew up I wouldn't be out much besides time.
-
@will That's a good idea to implement release channels, as it's a known concept for users.
For the moment, I have pushed a change for the next release where you will always get the latest update when you check for updates manually. For automatic updates, it will follow our rollout plan.
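The thread describes two rules: a pull-based check in which the server uses simple flags to admit installations to a new package gradually over a week, and (from the last reply) a manual check that always returns the latest package. The following is an added illustration of how such a staged rollout can be modelled, written for this thread and not Cloudron's own code; the hashing of installation ids into stable buckets, the seven-day window and the `manual_check` parameter are assumptions made for the example.

```python
"""Model of a pull-based app update check with a time-based staged rollout.

Added example, not Cloudron code. Assumptions: each installation has a
stable id, the rollout window is seven days, and a manual check bypasses
the staged rollout (as the thread's last reply describes).
"""
import hashlib
from datetime import datetime, timedelta

ROLLOUT_WINDOW = timedelta(days=7)  # assumed: "over the course of a week"


def rollout_bucket(install_id: str) -> float:
    """Map an installation id to a stable fraction in [0, 1).

    Using a hash rather than a random draw means an installation that was
    admitted on day 2 stays admitted on day 3 (no flapping between polls).
    """
    digest = hashlib.sha256(install_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") / 2**64


def should_offer_update(install_id: str, published_at: datetime, now: datetime,
                        manual_check: bool = False,
                        window: timedelta = ROLLOUT_WINDOW) -> bool:
    """Server-side decision made when an installation polls for updates.

    - Before the package is published: never.
    - Manual check by the admin: always the latest package.
    - Automatic check: admit a growing fraction of installations linearly
      over the window, so a broken package only reaches a subset early on.
    """
    if now < published_at:
        return False
    if manual_check:
        return True
    elapsed = now - published_at
    if elapsed >= window:
        return True  # window over: everyone gets it
    fraction_rolled_out = elapsed / window  # 0.0 .. 1.0
    return rollout_bucket(install_id) < fraction_rolled_out


def simulate_rollout(n_installs: int, days_since_publish: float) -> int:
    """Count how many of n_installs (constructed ids) are offered the update
    on an automatic poll days_since_publish days after publication."""
    published = datetime(2020, 5, 1)  # constructed sample date
    now = published + timedelta(days=days_since_publish)
    return sum(
        should_offer_update(f"install-{i}", published, now)
        for i in range(n_installs)
    )


if __name__ == "__main__":
    for day in (0, 1, 3.5, 7):
        print(f"day {day}: {simulate_rollout(1000, day)} of 1000 offered")
    published = datetime(2020, 5, 1)
    print("manual check on day 0:",
          should_offer_update("install-42", published, published, manual_check=True))
```

The design point is the one the thread circles around: automatic polls are throttled by the server's rollout position, so a bad package hits a small subset first, while an admin who has read a security advisory can take the update immediately by checking manually. A priority flag on the package (which the thread says does not exist today) would simply shrink `window` for that package.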