Japan to add millions of new nodes to federated Nextcloud network (nextcloud.com)
237 points by r3bl 6 months ago | 64 comments

Not to derail but I've been running ownCloud at home since 2013 and have considered switching since the fork but wanted to see Nextcloud mature a bit more. Any long-time ownCloud users have experience with switching and can offer advice or info on some of the pitfalls, if any? What are upgrades going forward really like with incremental updates and major version releases etc?

I often end up holding ownCloud updates back in apt as there's always this sense of dread that I'll have trouble getting the app out of maintenance mode. Versions 9+ have been better but upgrades sucked in the beginning even as a home user not using disk encryption.

I have a personal one at home with few users but >1Tb in use, including wifey's rather hefty and my smaller photo collection which is sync'd from phones using Foldersync Pro on Android. I also have a work one that has ~30 users and about 1/2Tb and rising. I have also installed a system for a customer with >700 users for pushing lots of centrally managed .pdfs to tablets. Two of them are behind HA Proxy. All started off life as OwnCloud v8 and all are now NC v13.

I've never used apt, I always use source .tar.gz - it is just a web app. I keep a separate disc with data, html, tmp (for working etc source packages) and mount it to /srv/nextcloud. I then symlink /srv/nextcloud/html to /var/www/html/nextcloud to avoid surprises (where the hell is the bloody app!)

The config does need a bit of care but the docs are great. I do recommend that you add in redis etc and all the php caching etc. Also, get a Let's Encrypt cert on it.

Upgrades? I bit the bullet and tried out the auto upgrade button in the web interface on my largest install after doing a VM snapshot of course. I now always do it that way because in the past I generally end up relearning how to do it each time. You do need to get the file permissions correct for the web app to be able to update itself.

I have had problems and errors sometimes but the forums and docs have always given me a fix. Learn how to do a dump/restore of the database (you should ideally be using MariaDB and know a bit about it) and learn about the occ command eg:

# sudo -u www-data /var/www/nextcloud/occ status --output=json_pretty

The NextCloud desktop app works well on both Windows and Linux (I don't have any Mac experience). As I mentioned before, I use Foldersync Pro on Android for photos because you can do a one way sync, with deletes on the phone not being mirrored to the repository (phones have rather less storage than desktops or my servers).

Nextcloud user since v11 or so (small installation, <10 users). Updates have been painless, the web interface for updating has worked fine each time with nothing to clean up by hand. It's given me remarkably few problems after running it for ~18 months.

It's the same for me. With ownCloud I, too, dreaded updates. But since I switched to nextcloud, updates have become simple and easy.

I set up owncloud in an rpi3 a couple months ago but really wasn't satisfied with the lack of apps - the lack of video conferencing to be specific among other things. Switching over to nextcloud was a couple hour affair because I had to rename tables and other nit picks.

I like nextcloud a lot more and its performance is great, especially since I started using redis (that was a huge pain to install on the rpi though).

I only use Google Drive as an encrypted backup. I've replaced everything it did with nextcloud + collabora + talk.

Anecdata point: I had a lot of trouble setting up Nextcloud Talk with my own STUN & TURN servers. Even after I'd gotten that going, NCT video calls have been extremely unreliable, with it fully working only maybe 1 in 5 times, or worse. I still don't know why. Could be dependent on the kind of Internet each side is connected to (home network behind ISP router vs. coffee shop vs. corporate network with potential firewall, etc. etc.)

Where are you hosting your turn server and what software are you using?

I'm using coturn for TURN and STUN, and they are on the same VPS that hosts the Nextcloud code, version 13. If you actually want to help me solve the problems, send me a DM on github (username Pistos), and I can give you more of the technical details.

From what I understand of STUN and TURN, there is absolutely no point running STUN and TURN on the same server as Nextcloud - if you do, you could just as well skip running them in the first place. STUN and TURN only help if they are on a dedicated box, as close to an internet root server as possible, ideally in a big datacenter somewhere on the internet backbone. They can't be behind firewalls and layers of routers...

So your performance will already improve if you delete your local STUN and TURN and use the Nextcloud STUN as our free STUN runs in a big data center. Then you have to find a TURN somewhere that you can run also close to the backbone, or try using without...

Yes, running STUN and TURN properly is a pita.

I'm no super expert so check what I'm saying, but this is based on my best understanding of what these do and I had to write our documentation for customers about our Spreed High Performance Backend which, among other things, does STUN and TURN ;-) (Nextcloud marketing dude here)

> no point running STUN and TURN on the same server as Nextcloud

I just prefer to self-host as much as possible.

I reached out on your IRC. I'll help, if I can.

I don't think Github has DMs.

Yep, you're right. My mistake. But we've been in touch by other means.

I've had a small setup running for quite a while now. I let the package manager take care of updates (I'm using Arch ARM) and then log in through the web client to let it finish updating the database. I think I had one or two rough updates after migrating from owncloud to nextcloud, but since then it's been extremely painless. Not sure how things are now, but I remember dreading each update back when I was using owncloud.

I'm using ownCloud on one system and considering migrating it to another; should I switch to NextCloud instead? Seeking opinions.

For myself, my usage is small enough that I don't care if my "migration" is that I just copy over the two users' worth of data I have in the file sharing and set up the one shared folder I have again by hand. (It's a home cloud, not corporate.) In fact in some ways it'll be easier than what I was planning on doing.

Try nextcloud.com/migration - but keep in mind that it is slowly getting harder and harder to switch. We try to keep it easy and smooth but ownCloud is backporting a lot of potentially breaking changes in their 'stable' branch, rewriting low-level code etc. Their engineers are of course new to the code base so they make, well, different choices than we would make :D

While feature-wise, we're still not really missing anything oC has, the underlying codebase is really diverging, we're not really merging any code from oC for a year now...

Migration will become a real, risky pita at some point I'm afraid. Apps are already dropping compatibility and mobile apps, too.

Thank you.

Like I said, a brute-force migration for me isn't too big a deal. Half the work for things like switching apps on my phone I'd have to do anyhow.

I just did a switch from oc 10 to nc 13. The docs work fine but are missing some potential table column additions (mostly with apps) which are needed to get things working smoothly. Thankfully the logs will tell you exactly what needs to be done.

You may want to consider Seafile. It is specialized in file synchronization (so no calendar, etc.) but I happily moved from Owncloud some time ago and it is great (=smaller, specialized)

I did a couple of upgrades of Nextcloud; one major and some minor, and the upgrade process is unbelievably fast, painless and stable. Never had any problem.

We have about 600 users, most of them use webdav. We just did a painless upgrade.

I wouldn't install from a repo, much better to let (own/next)cloud manage itself. I migrated from owncloud and glad I did so, I get all the enterprise features like SAML SSO for free.

Sounds impressive.

If Nextcloud continues to add features and get more traction, perhaps it can become a viable alternative to Google drive/mail/calendar?

Does anyone here have experience deploying Nextcloud in a business setting?

We are using NC with ~250 employees, works fine and runs smooth as butter, syncs to desktop well but many prefer to use the web interface. We are using LDAP auth, it powers our whole stack (Zimbra, OTRS, Debian/Ubuntu servers, Wifi, remote desktops, custom ERP, etc). Honestly, we have more problems with custom built software ($$$) than open source that is free for all. Sometimes I wish we could alter our internal workflows in a blink of an eye to leave out the greedy companies with whom we have software development agreements as legacy.

How well does calendar/contacts/email/docs syncing work with mobile devices?

Synchronizing calendar & contacts works great in my experience! I'm using DAVDroid for that.

In my experience, Nextcloud's file sharing features are great, working as expected. We use it mainly to share large files with business contacts, both directions. I haven't tried the desktop apps. We use the web interface and the mobile apps.

Set up nextcloud on my home network and share stuff with friends and family that way, never got into federation but that's pretty awesome! Especially since it supports encryption and privacy in a pretty easy to use way.

Is encryption ready to use safely or is it still experimental?

It is stable since v13 hit stable.

Hopefully this gets implemented extremely well.

Anything else could make for some really terrible data breach possibilities. At scale. :/

Hmmm, NextCloud has a bug bounty program:


The maximums seem pretty low though (to me), considering it's used for housing people's personal data.

A bug bounty only helps with a very narrow set of security issues.

For instance, the deployment and updating process (which Nextcloud has no control over) is just as important.

Good point. :)

I think if you provide the money they’d be happy to raise the bounties!

Is nextcloud known to have deep pockets?

No idea personally. :)

In the meantime, if you don't want to wait or don't live in Japan, there is the UBOSBox Nextcloud server appliance we announced yesterday: https://indiecomputing.com/ (disclaimer: yes, my company)

> Nextcloud servers are not alone. The Nextcloud Federation feature enables users from one Nextcloud server to share with users on another server, creating a globally spanning network of private, self-hosted clouds. A federated cloud id, comparable to an email address, enables users to identify one another […]

I wonder what domain they'll be using for these self-hosted Nextcloud instances. Are they going to allow for custom domains?

Are all the components of NextCloud, including NextCloud Talk, open source, or are some features/components paid/enterprise/subscription only?

I don't know about any paid only plugin. Nextcloud is forked from ownCloud because the original founders of ownCloud didn't like the direction where ownCloud was heading (paid only features for enterprises) and they wanted to open source every part of it. They are unrealistically good people, making an unlikely good product :) See their reasoning of forking here:

- https://www.youtube.com/watch?v=UTKvLSnFL6I

- http://karlitschek.de/2016/06/nextcloud/

- https://news.ycombinator.com/item?id=12919330

This effort is to be applauded. Kudos to NEC and especially NextCloud; I wish them both luck!

If these Nextcloud instances are being installed on routers then they likely won't have access to very much storage space.

Most routers support attaching a USB hard- or flash drive. This might become more convenient when they add Nextcloud to the router.

Meaning they’re installing PHP on all routers to support Nextcloud? Not the expert here but that doesn’t sound too secure to me.

Here's a good start: https://paragonie.com/blog/2017/12/2018-guide-building-secur...

The big issue with PHP's security is that there are a lottt of old guides and stackoverflow answers out there with terrible, unsafe practices.

I see, thanks for the explanation

PHP can be secure

Most people's "PHP is inherently insecure" perception comes from projects like phpBB 2.x circa a decade ago and the shared hosts (still?) running an ancient version of PHP.

> the shared hosts (still?) running an ancient version of PHP.

Still 80%+ of PHP sites.



No. That w3tech link is not properly separating out the versions by age. 5.6 isn't an ancient version of PHP for example; 5.1 is.

5.6.36 was released in April 2018; 5.6 was released in 2014. 5.1 was released in 2005 by contrast.

There's nothing terribly wrong with running 5.6x if you have a good reason to do so (eg legacy), other than that the performance sucks compared to 7.2.

You can dig further into the w3tech numbers here:


Nobody is using 5 or 5.1. The majority of all PHP installations are using more modern versions, either 5.6x or 7.x.

PHP 5.6 is reaching the end of security updates in four months and 80% of PHP sites are still running it (or lower).


And WordPress, drupal and honestly every other php project custom or open source.

PHP needs to go away.

Careful, there are a lot of WP, Drupal, and PHP devs here, and they make up a much bigger chunk of the front end developer pool than you'd expect post-2000s.

And from sitting in on a lot of leadership meetings, they're one of the few groups that perpetually seems to be concerned with something they depend on sunsetting.

As long as they're passing with ISO, I just stay out of it.

That's fine if they are upset. PHP is a scourge on the internet. If PHP on the server and Java on the desktop were wiped out, the internet would be a better place.

PHP is fine, no software is bug free, especially when it accepts external input. Drupal, WordPress etc are huge so there's definitely a lot of chances for things to sneak in, but PHP itself can't be 100% to blame.

They are low hanging fruit to exploit. Considering drupal specifically, and the massive history of WordPress (oh I can grab root passwords because of a massively deployed image slider), an attacker is thinking it's Christmas morning. And yes it is because they are PHP. It's unsafe under any circumstances.

PHP is a go-to route of getting a shell.

It's trivial to look up what version of WordPress/Drupal/etc a site is running, and looking up that version's vulns. The issue is that sites don't keep their CMS up-to-date. Not because it's PHP. Every CMS, regardless of language, faces this issue.

It's just that some CMS is based on php and they consistently have far more vulnerabilities than non PHP ones. PHP is crap. It always has been, it will continue to be. I honestly can't imagine building a production project from that garbage language in this day and age.

In this day and age, you'd use a framework like Laravel or CakePHP, which are a joy to work in.

And the only reason you see more vulnerabilities for CMS's written in PHP is because the most popular CMS's (Wordpress, Joomla, Drupal) are all written in PHP.

We'd see the same thing happen regardless of the language (except maybe Ada or Rust. They do a good job at stopping you from shooting yourself in the foot).

As opposed to? Le JS framework-du-jour? /s

I'll take PHP spaghetti over JS any day

Sure, anything can be secure. PHP just makes it comically easy to be insecure.

They actually know what they are doing. I think they have full-time security guys and also have a bug bounty as others have mentioned.
