Hacker News | jospoortvliet's comments

Hi folks,

It's true some of our functionality can be rebuilt if we rewrite this functionality with SAF - even though it makes the user experience a bit worse. We have a file manager/document management app, which fits the use case for the full permission. There are some functions that are popular with some users like syncing a whole SD card, the download folder or the data of specific apps (in Android/data - some users use our app in a way as backup) that are just not possible with SAF. We get the security concerns from Google, but Box has this permission, so do quite some others, so our preferred solution is to re-gain the permission rather than bring back part of the functionality.

The good news is that this morning Google got back to us and told us that on resubmission we will regain the permission we need and our users regain all functionality within a few days.

So, this seems to have been resolved in a nice way. Thanks, all, for the support!


Maintaining a server can be a pita, and not upgrading frequently is both a security risk as well as problematic from a stability pov.

My recommendation would be to use our All-in-One docker image. It takes care of updates and is supremely easy to use, plus likely to bring nice performance benefits as it has all this stuff that makes it fast like the HPB for Files.


The Memories app is a LOT faster than the built-in Photos app. I use it myself and it's quite nice, very doable on my downclocked old Intel CPU.


It's risky business, though, as code of course gets reviewed a few times (at least at Nextcloud). If it gets detected once ppl are put on notice. If somebody can squirrel out that the code came from a competitor, a lawsuit is waiting... And just imagine the bad publicity it causes.

Besides that, it is unethical and I wouldn't want to work at a company that pulls such stunts. I think a lot of people wouldn't. It'd be hard to keep secret, too, I mean, 5 years later the employee that was asked to do it works somewhere else and BOOM.

So all together, I think it's extremely unlikely to happen.

I CAN imagine a disgruntled ex-employee or angry employee at a competitor would pull something like this. We have seen employees at a competitor create social media sock puppet accounts to spread FUD about us - but management at the competitor put a stop to that once we notified them.


This is, of course, exactly what Nextcloud does. It will most certainly refuse to run and break your system. And yes, it also refused that 3-4 years ago.

Not saying it never breaks anything, but since 2016 we for example check PHP versions and other infra to not update to a broken system. We rewrote the updater in 2016 for this purpose. It's possible this has had a bug at some point of course - but it is more likely that the original poster who had this issue had this in the ownCloud times before 2016.


The good news is that neither has investors...

With regards to security, nothing is perfect but I'm absolutely positive that Nextcloud is ahead of the vast majority of open source projects. And if you know of a security hole, go and collect your USD 10K at HackerOne.


True. I don't know of any other "holistic" project that we could have chosen instead of Nextcloud. One very very important point is the AIO installation method. So easy and no fear to have forgotten something important. -- You saved us from Google (no way) and Microsoft365 (a possibility), thank you!


Note that we're not backed by a venture capital firm that needs a 10X exit, we're self-funded and have been sustainably growing ~50%/year since we got started. We're over 100 people so paying for 2 developers on Roundcube (tripling the resources being put into Roundcube today) would be trivial for us.

We'll look at what users want, what's best for the ecosystem etc, but we're not looking to kill it and if we ever would, it won't be for the money.


Ha, I wish. Been working on this for weeks, it's even a little annoying oC kind'a pooped on the party by having that massive security hole...


In the AIO you have to explicitly choose to install them, in the bare metal setup they are not installed unless you choose so when you install for the first time. You're right that Nextcloud has gotten bigger, but Collabora is in no way a default part that you can't uninstall...


You might like to hear that in the upcoming release we re-wrote the front-end of Files, that'll be snappier. Hope it'll work well for you!

