Cloudron Forum
security updates for apps

Category: Support (Solved)
Tags: updates, security
13 Posts, 7 Posters, 574 Views
#1 hendrikvl (last edited by girish):

    Not sure if this has been discussed before, as it seems a quite general question. I could not find it through a search though.

    How fast are security updates applied, if you push them to the app store?

    I realized that last week a new WordPress package was pushed (see this thread), but it has still not been installed on my Cloudron. Even when clicking the Update button for the app manually, nothing happens.

    @girish: You write in the thread mentioned above "Note that unlike most other packages, we have a very large number of WP installs. For this reason, you may not see an update immediately. It will happen over the course of a week from the package announcement."

    Does this refer to package updates with new features only? Or is this the case for security updates as well? I mean a week is rather long and might seem okay for new features, but security updates should be applied within a day IMHO.

#2 girish (Staff):

    @hendrikvl Currently, we roll out the packages slowly over a week. This update has been a bit slower because it also updates PHP to 7.3, and we wanted to make sure it doesn't break any sites.

    Maybe I misread the WordPress security issues, because they were important but not critical enough to push updates overnight. I mostly used the analysis from Wordfence.

    Not sure what the best solution is, but maybe we need something midway to give admins more control: if they want to update immediately, they should be able to. But automatic updates still happen as per our rollout flags. What do you think?

#3 d19dotca, replying to girish:

    @girish I would love a manual way to update apps as soon as it's available. I understand why you guys do it the way you do it, I'm just not a huge fan of having to wait in line for the update. Haha.

    --
    Dustin Dauncey
    www.d19.ca

#4 hendrikvl, replying to girish:

    @girish The release notes of WordPress 5.4.1 mention security issues at least.

    My question was of a more general nature though, and I took this WordPress release as an example only. But if I understand you correctly, you guys have a way to push updates faster in case they contain security fixes with a high criticality?

    Having more control as an admin would be nice of course. If I read about a security issue in an app of which I think it might affect my site, I should be able to update. As your post shows, you are quite quick in packaging a new version.

#5 mehdi (App Dev):

    Slowly rolling out automatic updates, but allowing manual updates immediately, seems a great idea to me.

#6 micmc, replying to d19dotca (last edited by micmc):

    @d19dotca

    Actually you can!
    Click on the gear and go to Updates, check for updates, update.
    That's it. 🙂

    Andy
    https://marketingtechnology.agency
    For cutting edge web technologies
#7 A Former User, replying to micmc:

    @micmc That would just apply any updates already made available by the Cloudron team.

    The point is making all upstream updates available for manual installation.

#8 girish (Staff), replying to hendrikvl:

    @hendrikvl said in security updates for apps:

    But if I understand you correctly, you guys have a way to push updates faster, in case they contain security fixes with a high criticality?

    The Cloudron update model is "pull based". Cloudron installations pull updates from cloudron.io periodically. There is no mechanism to push updates from our side (intentionally). A pull model keeps the Cloudron installations in total control, which is how we want it.

    What we do now is that when a Cloudron installation asks for an update, we check some simple flags to decide whether it should be given an update or not. That's really it. Over the course of a week, some are given an update and some are not. The main reason for this rollout style is that if we break something, it only breaks a small number of instances and not everything simultaneously.

    I will look into how we can provide the app update for all installations immediately but do the automatic roll-out over a week at the same time.

#9 hendrikvl, replying to girish:

    @girish said in security updates for apps:

    Over the course of a week, some are given an update and some are not. The main reason for this rollout style is that if we break something, it only breaks small number of instances and not everything simultaneously.

    That's what I meant with "push". Of course my Cloudron polls, but your server decides whether I receive an update or not.

    So let me rephrase my question: if there is an app update which contains security fixes of high criticality, does the same "over the course of a week" mechanism apply? Or would all Cloudrons which poll for an update receive it immediately?

#10 girish (Staff), replying to hendrikvl:

    @hendrikvl said in security updates for apps:

    So let me rephrase my question: if there is an app update which contains security fixes of high criticality, does the same "over the course of a week" mechanism apply?

    Yes, there is no priority queue for updates. All updates are treated the same.

#11 will, replying to girish:

    @girish What about a menu in the settings for "update channels"?
    You guys get data from all your customers; maybe pushing the updates to all us eager beavers causes more headaches than it's worth. But I'd be clicking a button that fed me the updates ASAP for sure. I've emailed you guys a few times about pushing me a newly released Cloudron release manually. Having a "beta test" sign-up sheet might be helpful. I'm in a position where all my Nextcloud and Bitwarden stuff is backed up externally, and everything else is backed up to those occasionally. So if my Cloudron instance blew up I wouldn't be out much besides time.

#12 girish (Staff):

    @will That's a good idea to implement release channels, as it's a known concept for users.

    For the moment, I have pushed a change for the next release where you will always get the latest update when you check for updates manually. For automatic updates, it will follow our rollout plan.

#13 will, replying to girish:

    @girish The manual check method is good enough for me. If you do the release channel thing, that's cool. But for those of us that are hungry, an extra few clicks isn't a bother.
