> Plus as far as I know neither ownCloud nor nextCloud went through a security audit
This is inaccurate. Nextcloud does receive security audits and is in fact also used by quite a few security-conscious organizations (to name a few: German Government, Siemens, ...)
There's also a bug bounty program that pays pretty decently considering the company size: https://hackerone.com/nextcloud. (Remote Code Execution = 10k, Auth Bypass = 4k - compare that to rewards that the FAANG pays and you'll see it's not that bad)
> and they are big piles of PHP with a lot more complexity than Seafile
I did a small audit of Seafile years ago and I don't think that argument flies.
For example, they copied https://github.com/django/django/blob/23c612199a8aaef52c3c7e... to https://github.com/haiwen/seahub/blob/b6f8935c0f355cc70145f9... and removed some security-critical checks. They removed the check for the password hash there. (https://github.com/django/django/blob/23c612199a8aaef52c3c7e...)
Furthermore, the Django secret key was generated as shown at https://github.com/haiwen/seahub/blob/b6f8935c0f355cc70145f9....
```
import random

def random_string():
    """
    Generate a random string (currently a random number as a string)
    """
    # Only 100001 possible values, drawn from a non-cryptographic PRNG
    return str(random.randint(0,100000))
```
That's not really secure and copy-pasting Django core code and then removing security checks ... is shady at best.
Disclaimer: I wrote a significant part of the ownCloud code (https://github.com/owncloud/core/graphs/contributors), then forked it into Nextcloud. After some years I moved to Facebook to do application security there :-)
Oh wow, thanks for the quick reply. I searched for nextcloud audit but haven't found the reports, just docs about the "monitoring and audit" and the "security scan" feature. (I still can't, but maybe that's because these audits/reports are not public, I don't doubt your word.)
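To make the secret-key point above concrete, here is an added example (not code from the thread, Seafile or Django) that puts the quoted `randint` generator next to a key generated the way Django's own `get_random_secret_key()` does it, compares the entropy of the two keyspaces, and adds a simple check an operator can run against a deployed `SECRET_KEY` to spot the weak pattern. The `is_weak_secret_key` heuristic is my own assumption about what such a key looks like.

```python
import math
import random
import secrets

# Alphabet and length used by Django's get_random_secret_key()
DJANGO_KEY_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"
DJANGO_KEY_LENGTH = 50


def weak_random_string():
    """The generator quoted in the thread: one of 100001 decimal values, non-CSPRNG."""
    return str(random.randint(0, 100000))


def strong_secret_key(length=DJANGO_KEY_LENGTH, alphabet=DJANGO_KEY_ALPHABET):
    """Generate a key as Django does: CSPRNG choices over a 50-symbol alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(keyspace_size):
    """Entropy in bits of a key chosen uniformly from keyspace_size possibilities."""
    return math.log2(keyspace_size)


def weak_keyspace():
    """Number of distinct keys randint(0, 100000) can ever produce."""
    return 100001


def strong_keyspace(length=DJANGO_KEY_LENGTH, alphabet=DJANGO_KEY_ALPHABET):
    """Number of distinct keys the Django-style generator can produce."""
    return len(alphabet) ** length


def is_weak_secret_key(key):
    """Heuristic (assumption): an all-digit SECRET_KEY <= 100000 matches the quoted generator."""
    return key.isdigit() and int(key) <= 100000


if __name__ == "__main__":
    print("weak keyspace bits:  %.1f" % entropy_bits(weak_keyspace()))
    print("strong keyspace bits: %.1f" % entropy_bits(strong_keyspace()))
    print("weak sample flagged:", is_weak_secret_key(weak_random_string()))
```

A 100001-element keyspace is roughly 16.6 bits, small enough to enumerate every possible session-signing key offline, while the Django-style key is about 282 bits.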