
Nextcloud introduces social features, joins the fediverse - Kye
https://nextcloud.com/blog/nextcloud-introduces-social-features-joins-the-fediverse/
======
nisa
As an admin of a 500 user instance I'm having mixed feelings about Nextcloud.
Sure it's GPL and free and it got a lot better than the old owncloud mess that
broke always but it's still somewhat a gamble. My install is just a no-
warranty, non-commercial use case and I wouldn't use it for any large
commercial installation without having at least one dedicated and skilled PHP-
dev on-site.

I came to resent their marketing blog posts. If you look it's just an alpha
version that just got hacked together, often with problems, often not fixed
long after the release. There still lot's of serious bugs in end to end
encryption for instance.

There does not seem to be a lot of work to improve the base features. Syncing,
ACLs, User Mangement leave a lot to be desired. It's not easy but they are in
a position where they really could be a perfect solution for a lot of people
and probably also charge good money for it - but at the moment it feels like
they just build alpha-grade fancy addons.

Me and probably most users would love a no-feature, we just fix the most
serious bugs on our github issues release-cycle. I'm fine when it's called
Nextcloud 16 and takes a year, hell take your time, but basic functionality
should be rock solid.

I also don't get why they ignore the existing open-source ecosystem. Make it
possible to integrate SOGo for Calenders and Mail - it's all webdav in the
browser anyway. SOGo at least has somewhat working ActiveSync. Same with
SAML/Shibboleth/Kerberos - some things got fixed, very late. No deployment
story for Active Directory or even Linux.

User management is a mess - the Circles app is a good idea that is crippled by
usability and functionality bugs... that possibility to have self-selecting
groups and decentralized management is a huge win for them, but they don't
seem to realize that this is an important use-case.

Nextcloud is very close to what would be ideal for a lot of smaller
organisations, but they somehow are unable to polish what they have but
decided to pile alpha-quality on alpha-quality code (and ignore the bug
reports)...

That beeing said, it mostly works but your users won't be happy.

~~~
jospoortvliet
Let's be honest, if we did a release with only stabilization, it might get us
more users. Not more customers. And it is customers who pay for the
development.

Everyone asks us to focus "on the basics" and then claim their pet feature
requests are, of course, basics. ACL's and user mgmt in your case, perfectly
fine features, but features nonetheless.

In the end, our development is guided by the community and customers. If
you're not either, we might not do what you want... That's the reality of any
open source project.

And you're right, for a large installation, you should obviously get an onsite
engineer, or, much better, a contract with us which is both cheaper and
better. That's what most larger installations do, and that is how we earn the
money to make Nextcloud better.

WRT the E2E, that sadly took a whole lot longer to get working than we had
expected. Of course, if you think it is important or need it, time and money
can speed it up, we have only so much of those.

~~~
nisa
Thanks for your work on Nextcloud! I really appreciate what it does. Also
thanks for taking the time to answer my rant ;)

On a positive note: Just upgraded to Nextcloud 15 without any issues in a few
minutes. I feel it's getting better with every release. You put in a lot of
work and I recently logged into an Owncloud 8 install and it's a night and day
difference.

I'm also aware that you owe me nothing. I'm fine with that. It's a discussion
forum here and I just wanted to write down my experience. I'm sure you'd
rather see solid pull requests instead of unwanted advice. Mea culpa.

~~~
guruz
It would be more fair to compare the LATEST Nextcloud with the LATEST
ownCloud. Both projects are going strong! Nextcloud is more community-focused,
ownCloud is more enterprisey.

~~~
jospoortvliet
Hi Markus,

I'd argue the opposite, actually, ownCloud is betting on providing hosting for
small and medium businesses, while Nextcloud targets large businesses.

And that is what reality shows. Nextcloud has far larger customers than
ownCloud, which breaks down at instances over 50K users. The only large-ish oC
setup is actually a bunch of separate universities.

Nextcloud is far more scalable. Thanks to Global Scale, our largest
installation has tens of millions of users on a single instance, and customers
like the German government (300K users) wouldn't be able to work with oC
unless they split up their users and create silos.

------
creshal
How about a working, documented plugin API? Or sync clients that _work_?
Instead of taping more random crap onto a base product that only barely works?

~~~
phito
This. Their sync on android sucks big time. I go to my gallery, select 20
pictures and send them to Nextcloud, only to find only 5 of them have been
actually uploaded. It happens every.single.time. Gonna switch to Seafile
really soon.

~~~
prophesi
Can't confirm this experience. I have auto-upload enabled, and I've never had
any issues with my pictures not syncing. Did you check the upload status on
your phone during this time? Pictures can get very heavy, and it might just
need more WiFi time to upload 20 of them.

~~~
kop316
I also have auto-upload enabled, and syncing works perfectly whether I am on
the same network or an outside network.

Perhaps the grandparent commentor is using an older version of the android
client or server?

~~~
berkes
I do see some issues with really large files. Files over 50Mb. My server has
limits imposed and the resulting error is not communicated back to me on the
app. The app merely states "Failed to upload". For me, this is the only issue
I ever get, but without knowing the cause it does feel very "random".

In my case, I managed to track it down and, by knowing what causes the sync
issue, I can avoid it, or ignore it. Could be that grandparent has this issue
too bu her/his server is set to much lower limits even?

~~~
kop316
That could be it. IIRC, the upper limit of file upload size was tied to RAM
(had something to do with PHP and how it handed uploads)?

------
bjt2n3904
End user of NC here, have it setup on a little Digital Ocean droplet. I
switched from OwnCloud shortly after the fork, and sync
contacts/calendar/notes between my desktop and android. Pleasantly surprised
with how well things work.

My favorite thing to do is upload a short video from my phone, and send my
family the share link. Much better than uploading to YouTube / Facebook. I
also do photography, and love how easy it is to share a gallery in a few
seconds. When I'm done in Lightroom, I just export JPGs to the directory, and
copy over the share link to the gallery app. Great user experience!

I'm glad NC is continuing development, and it's interesting that they're
adding federation to the client, but I'm not sure it's a feature I'd use.
Though I'd like to setup a mastodon instance for myself, there's too much
docker/nodejs bloat and hastle, and I've yet to successfully get an instance
online. (Even if I did, I'm not sure I'd use it very much.)

~~~
yogthos
I started using NC for docs and calendar. Really happy with it. things work
great and sharing things via links works great. Especially like how you can
add expiry to shared links.

------
cjslep
NextCloud, ForgeFed, ValueFlows, MoodleNet, Pleroma, Mastodon, PixelFed
("soon"), PeerTube, WriteFreely, Anancus... (so many more)

The ActivityPub grassroots is slowly growing.

~~~
api
How will these systems defend against spam, click farms, troll armies, and AI
assisted or powered sock puppeting when they get big and/or influential?

This is usually what kills federated and decentralized communication
platforms. They can work fine as long as they are too niche for bad actors to
target, but as soon as there is money to be made or political influence to be
had from targeting them they are destroyed by abuse.

It's a major threat for the centralized platforms, and those are easier to
defend.

Today's Internet is a battlefield in a global information war and new systems
must be designed accordingly. Unfortunately most efforts that I see in these
areas still make optimistic assumptions and underestimate the sophistication
and determination of bad actors.

~~~
Kye
Instances that don't police this get silenced or defederated. Much of the
fediverse is made up of small invite-only instances that share information on
bad actors like this. The bigger ones have mod teams and are generally run by
people who don't equivocate on keeping bad actors to protect ad revenue.

edit: This is, at a minimum, a good experiment to see if these kinds of
propaganda are inherent to social media or only possible because ad-funded
silos are loathe to ban obvious bad actors and not enable them with their
tools.

I'm on the side of blaming Facebook and Twitter. They didn't create
propaganda, but they sure did make it cheap and easy.

~~~
api
That's a start, but my concern is that the volunteer militia will get swamped
and burnt out when the real attacks come.

Right now Mastodon and other ActivityPub platforms are too small for a
Cambridge Analytica / Russian FSB or other similar caliber actors to bother
with. Twitter, Facebook, Instagram, etc. are where most of the users are so
that's where most of the effort will go.

If these platforms ever "tip" into mainstream adoption, prepare to be targeted
by organized crime gangs running financial scams, nation states, corporate PR
firms, and other organizations with hundred million to billion dollar budgets.

What I really wanted to do was to stress the fact that this is a battlefield.
One of the trends I see in the early 21st century is the dematerialization of
warfare. Wars can now be fought entirely online. Governments can be toppled.
Economies can be destroyed. Corporations can be imploded. All this can be done
with a mixture of cyber attacks and propaganda. As a result we are seeing the
redirection of military budgets toward these things. The sort of spam and
amateur brigading that most volunteers are used to dealing with on social
forums and platforms is nothing compared to what the big social media
platforms are facing now and _that_ is nothing compared to what's coming.
Billions of dollars are currently being spent by PR firms, advertisers, and
governments to develop increasingly advanced AI and big data powered
propaganda platforms to weaponize the Internet. In the future we'll probably
see fully automated AI driven propaganda, what I've started calling "con
artistry at scale."

Federated and decentralized platforms are very vulnerable in ways that silos
are not, and this has to be thought about. It's easy to create quiet
apparently friendly and normal Sybil nodes that passively suck down data and
then use that data to mount active attacks from other directions. Volunteers
may fight active attacks, but they may have no way of knowing which apparently
normal nodes are actually passive participants in those attacks. Also keep in
mind that "attacks only get better." With each attack the attackers learn, and
it's generally easier to attack than to defend (in cyber-security in general,
not just here).

~~~
teleclimber
I'm on masto regularly and the community is much more pleasant there (than say
Twitter). A lot of users attribute that pleasantness to decentralization. I
call BS. It's because it's a tiny self-selected group that wants the opposite
of what Twitter provides.

You're absolutely right: once this tips, and people join because that's what
you have to join to talk to people and not because they're looking for a real
change, then it'll be unbearable.

The best thing that can happen to fediverse is that it will continue to grow
incrementally, so that at each step they can see the missing moderation tools
and build them before it all blows up.

Personally I think we'll look back on these massively open networks where
everybody can reply to everybody as an anomaly.

~~~
athenot
> Personally I think we'll look back on these massively open networks where
> everybody can reply to everybody as an anomaly.

It's cyclical.

\- The internet and online communities (BBSes) started out decentralized.

\- Then came AOL / Compuserve / etc. Centralized platforms.

\- The web broke up those platforms and shuffled everything around.

\- Then the current Google / Facebook / Twitter megaplatforms arose and that's
the state we're in.

So it's logical that we're ready for a decentralized cycle but over time,
users will forget why decentralization is good and another big platform will
rise.

------
reacharavindh
These extra features and thus the complexity are the opposite of what I'd like
in a self-hosted file share system.

Why does everything have to be bloated into oblivion like this. We need more
purpose built software...

What i like? OpenBSD for firewalls, and public facing terminal servers. Just
lovely.

/rant.

~~~
arendtio
Most of those features are optional. So if you don't care about some
functionality just uninstall the specific 'App'. Sure that is not as secure as
not having those Apps in the first place, but I think, in general, Nextcloud
is moving into the right direction, as many of their use-cases require a
tightly integrated but wide set of features.

~~~
privong
> Most of those features are optional. So if you don't care about some
> functionality just uninstall the specific 'App'.

That's true, but unless there are new developers joining to create/support
these apps the addition of these new features may spread the developers too
thin. Personally I'd rather have a robust set of smaller features than a buggy
implementation of a lot of features. The latter is okay if it's just a "for
fun" type of project. But I use nextcloud to keep my calendar/contacts/file-
sync, so it's really not okay if the core functionality is unstable. So while
I can uninstall these apps, I personally worry that it means less attention
will be paid to the core features.

~~~
jospoortvliet
That is like saying ice cream makers should focus on the 'core' tastes,
claiming that that is banana and vanilla because you like those.

For you calendar and contacts are core for a file sync and share software?
Above somebody also asked us to focus on 'core', meaning adding ACL's and
probably dropping the calendar/contacts.

So it's like the fable where god decides to ask people what weather they want
and everyone wants something different so he decides to go back to doing
whatever the fuck he wanted. We just keep letting ourselves guided by
contributors and customers...

~~~
privong
> That is like saying ice cream makers should focus on the 'core' tastes,
> claiming that that is banana and vanilla because you like those.

From my point of view, I'm suggesting the ice cream makers should stop trying
to make paninis to go with the ice cream and instead focus on making sure the
ice cream cones don't have holes in the bottom.

I nearly lost all my files because server-side encryption went wonky. That's
core functionality that should, imho, be fixed before going off into
ActivityPub.

More generally, I have trouble being enthusiastic about "We added activitypub"
focus because of what it seemed to do to MediaGoblin. That project seemed to
be chugging along and making steady progress until it seemed they focused a
lot of their energy into ActivityPub. Since then, MediaGoblin hasn't really
had any of its functionality updated, as far as I can tell. They certainly
don't seem to have released a new version in over 2 years.

~~~
jospoortvliet
All for avoiding Panini's, but we're a Content Collaboration Platform - and
Nextcloud Social fits certainly well in that.

WRT server-side encryption, it gets work all the time, though it is mostly an
enterprise feature that gets love when enterprises pay for that. Very few
volunteers work on it, if any. Help is of course welcome, in the end - either
somebody pays for it, or somebody puts in free time.

This is true for every open source project, of course.

WRT MediaGoblin, no worries, it isn't like Nextcloud Social has all our
attention. I guestimate it is at most 5% of our engineering time, if that.
That is enough to make it work and improve it release over release, and we'll
put in more if there is customer interest or lots of community contributions,
but we always start such new things small. Talk started as a night-long-
hacking-to-prove-it-could-be-done and now has 3-4 engineers on it full-time,
because customers want to pay for it. Which also means it doesn't take away
from other things - if we didn't do it, we simply couldn't afford these
engineers in the first place. It isn't like they would work on server-side
encryption ;-)

~~~
privong
Okay, that makes sense and makes me feel better about it. Thanks for
responding and clarifying.

------
lwh
Ugh I just wanted a working file manager

~~~
Tharkun
Agreed. All this added complexity only serves to increase the attack surface
of something I _really_ want to keep safe and secure.

~~~
creeble
+1 on this. My whole reason for using NC has been to remove anything like
social features, and let me control sharing.

Maybe all this will be optional, but the direction seems opposite to my needs.
And the risks from 'extending' the network too.

~~~
jospoortvliet
It is all apps. You can even disable sharing. Heck, you can disable the Files
UI...

Note that most people use Nextcloud to work with others and features like
these are crucial to their productivity. In the end, we're guided by community
contributions and customer demand... Luckily you can disable things you don't
like :D

------
Arkanosis
« and soon Diaspora are part of this same network [ie. ActivityPub] » — I was
surprised to read that, and after a quick check, it's not looking like it'll
happen anytime soon, sadly.

diaspora* is one of the most famous and successful open, federated social
networks out there, yet it does not implement the protocol which is gaining
unprecedented traction across a large number of implementations. Hopefully,
Nextcloud implementing ActivityPub is yet another reason for diaspora* to
follow the move.

~~~
thomnottom
Is it really? Not being snarky here, but I joined diaspora early on and a year
or so after the untimely death of the co-founder the project felt like it was
going no where. 6 years later it feels like I never hear anything about it,
and ActivityPub is almost a must for any serious "open" social network now.

------
arendtio
Sounds great, but honestly I hoped that federated calls would finally make
it...

I mean, Federation is a core feature of Nextcloud and instead of finishing the
work on Talk, we have a second (probably similarly incomplete) feature now,
which needs to be polished for the next major releases.

I don't want to be negative here.

 _I love Nextcloud_ and the work that is being done around it! It is just that
sometimes I wonder about the priorities and in this case, I wish improving
existing things would have come before introducing new things.

Besides that, I am quite excited to try out the new social features :-)

------
pa7ch
I really like the upspin approach for federated self-hosting of userdata (for
lack of a better term) in that it builds a platform for it that apps like
nextcloud and others would build on top of.

I'm not saying its the right solution, but I think trying to get the layers
right to make self-hosting a wider and more reliable reality is only going to
happen by building the right opensource platforms/components first.

------
AdmiralAsshat
Are these guys courting VC funding? This looks less like a feature their users
actually asked for than a bullet point for a sales pitch.

~~~
Kye
They've been on Mastodon for over a year. I think they just wanted to be able
to see their Nextcloud stuff from there.

[https://mastodon.xyz/@nextcloud](https://mastodon.xyz/@nextcloud)

~~~
jospoortvliet
Yup. Also, VC funding? Heck no, we started Nextcloud because VC funding had
bankrupted and blown up ownCloud... I mean, seriously. It is now owned by a
German real estate agent...

~~~
unixhero
By the way. Thanks a lot for your work with Nedtcloud. It's really great.

~~~
jospoortvliet
Pleasure, thanks for the kind words!

------
Nux
I have been using NC for a few years now and I am mostly happy with it.
Contacts, calendars, sharing, photo auto uploads all work with my Android
phone.

My problem is the software is pretty slow and from a security perspective I'd
be hesitant to expose it to the greater internet. That's just my gut feeling.

~~~
SJk7TAy
I feel the same. Basically, I wouldn't like to publish the address of my
personal Nextcloud server to anyone (unless I am sharing a file privately with
a friend). Fortunately, the social features are not built into the Nextcloud
core, rather they are in a separate app. So we can just forget about it if we
don't like it.

~~~
jospoortvliet
If you're not sure about the security you can firewall it of course, but keep
in mind we pay 5K to anyone who can find a remote execute vulnerability in
Nextcloud (and smaller amounts for smaller bugs).

------
relouleco97
my org just moved to FileCloud from NextCloud and it's working out so far.
FileCloud is not opensource. but the base functionalities are solid especially
sync and user management.

------
dreamdu5t
Am I the only one that hates that the “fediverse” is not on the web?

We didn’t need a separate protocol/app and closed servers to do what are
actually just blog posts and replies.

~~~
SJk7TAy
What do you mean by "not on the web"? It is accessible on the web. Everybody
with a web browser can see public posts and replies. For writing new posts,
you need an account though. Here is the public account of Mastodon's founder:
[https://mastodon.social/@Gargron](https://mastodon.social/@Gargron)

~~~
dreamdu5t
It’s on the web like Facebook is on the web.

I can’t post or reply by creating a web page, and identity is not email or
dns, but specific to whatever mastadon instance I register with.

I already have a domain, blog, and email. Posts, replies, likes, etc. But
mastadon doesn’t work with the web, or my existing web identity - instead it’s
entirely based on federated ActivityPub servers plus various extensions.

~~~
gHacxZ5e
So get a blog that complies with ActivityPub or host a Pleroma instance with
an account that mirrors your blogposts / posts them on the fediverse.
Shouldn't be hard.

