Skip to content

Restrict list of installable Nextcloud "apps"

From an Infrared mailthread:

I don't have any info on the specific software packages you are looking at but am curious about more general auto upgrade complications. The big one is: how do you navigate major version upgrades?

Our experience with Drupal has been less then great. But even a web app like Nextcloud poses challenges: what if a site has a plugin that has not been updated to be compatible with the next major version upgrade?

The auto upgrader has to be smart enough to skip the upgrade for that site, but even that doesn't answer the question if you are dealing with a large number of installations - how do these problem sites eventually get upgraded? In our experience, a lot of labor is involved in communicating with and helping groups get through these sticky upgrades.

After suffering the consequences of being wild and free with Drupal, [we have] been a bit more restrained now and has focused more on single, shared installations with tightly curated plugins. This approach isn't ideal either though, since many web apps aren't designed with this model in mind.

My response:

Thanks, that's a very good point.

In general, our thought is that as long as every OAS instance is as identical as possible, we hope to be able to avoid this type of complications.

We were also thinking, especially in the case of Nextcloud, to only offer a curated list of plugins and disable installing any of the other plugins. Added benefit is that you drastically decrease the attack surface of the NC installations. Only thing is I'm not sure yet how easy it will be to limit the list of applications... But I'm sure we'll figure something out.

Do you think that could work, could it be enough?

Their response:

I think that is the right direction.

It doesn't solve all problems - sometimes you can choose to include a plugin that becomes abandoned and then you have to either remove it from all installations (which is pretty painful) or adopt it yourself.

However, the curated list of plugins seems to be the right idea.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information