Since you're referred to in that article as a "security engineer", I'll ask the following:
I know nothing of PHP other than its reputation. But apparently ownCloud is written in PHP and JavaScript. And PHP has its own "Security" section in its Wikipedia entry. And it has a reputation for security problems.
So, how "secure" (whatever that means) is ownCloud / Nextcloud? Has security been a problem for this software in real life?
Happy to answer this. First of all: does using a specific programming language make a piece of software much less secure? Probably not. You can make mistakes in every programming language. But since a lot of software is written in PHP and there are also many inexperienced PHP developers, this reflects kinda badly on the language.
There is often the perception that ownCloud would be insecure because we have so many advisories. But these are just there because we proactively look for security vulnerabilities and patch them. (see also https://statuscode.ch/2015/09/ownCloud-security-development-...)
Oh! And we also run a bug bounty program for ownCloud, and Nextcloud will have one with probably even higher rewards soon! - HackerOne even did a case study with us, so it can't be too bad ;)
(https://hackerone.com/resources)
> First of all: does using a specific programming language make a piece of software much less secure? Probably not.
Quite the contrary, most probably yes. Mistakes happen, but different languages make different kinds of mistakes impossible or very easy. You can't get a segfault when manipulating strings in Perl or Python, while in C it takes plenty of effort to avoid.
That is true, yes. Base Ruby or C or PHP make it easy to make entire classes of mistakes you won't get using certain other languages.
But many of these problems can also be caught using the right tools and framework. With Ruby, using Rails will eliminate entire groups of risks you would have without it.
This is the same with PHP and frameworks like Symfony - which, incidentally, we use large parts of. And Lukas has been working a LOT on doing this kind of work, making sure we eliminate types of problems and mistakes developers could make. Combined with training (giving talks and workshops on writing secure code to our developers at events), code reviews by him and others, static code checking and so on, you get something that is really quite secure.
I am confident enough to say that our code base is the most secure way of sharing and syncing files using open source. Of course, before you or somebody else brings it up, SSH and rsync make for a more secure experience, but that's not exactly what Nextcloud competes with, so perhaps add 'that gives a Dropbox-like experience' to the above qualification :D
I've been following OwnCloud for years, and the one thing that has kept me from using it is the lack of delta sync. This fork has piqued my curiosity again. Is delta sync going to be a priority for NextCloud?
Whilst I have your attention ;) Are there any plans to add CalDAV/iCal client functionality to NextCloud? I'd like my NextCloud server to sync with external calendars (e.g. my work Google calendar) so that I only have to point my client devices at my own server.
I strongly recommend Radicale with DAVdroid. I've been using this setup (that only took a few minutes to complete, especially with Caddy for TLS) for months now with great success.
Radicale will also automatically commit every change into a Git repo, so you can always go back to any point in time. Just amazing.
Radicale sounds interesting, but it looks like it's just a CalDAV server? OwnCloud/NextCloud already gives me that. What I'm looking for is a way of syncing calendars which have to be off-site, to my own server. I don't have control over the fact that my company uses Google calendars for work and I'd like to dump my Facebook events into an OwnCloud/NextCloud calendar too.
Not in the way that you require it. But you can always file an issue or enhancement request :-)
That said, we'll likely have Webcal support (https://github.com/owncloud/calendar/pull/443); that way you can at least view your Google calendars in ownCloud. (It's not synced though.)