r/privacy • u/[deleted] • Jan 28 '23
discussion OnlyOffice is a Russian company with deep ties to their government and military and actively tries to mask its origins. Please stop recommending this as a "FOSS-alternative"!
[removed]
77
Jan 29 '23
[deleted]
4
u/Xorous Jan 29 '23
Kaspersky, proprietary software, denies us from studying its full source code, to verify its claims, and removing malicious source code. Its proprietor actively opposes us with hostile, proprietary, software licensing.
Nevertheless, some people obsess more about Russia than care about our privacy.
54
Jan 29 '23
[removed]
12
5
u/petalised Jan 29 '23
It is relevant. Why? Because you won't be auditing all of the source code each time you update the program. So, you have to trust the developers.
If the program is developed by a community of people, has hundreds of independent contributors, there are more reasons to trust it. If it is developed by a shady Russian company that tries to hide that it is Russian, there are no reasons to trust it.
45
u/Reddit_User_385 Jan 29 '23
If the code is open source, you can verify yourself that it doesn't do shady things and keep using it. It's the whole point of FOSS isn't it? Russians ain't getting anything from you by using it, so it's also fine in terms "I don't want to support them".
9
u/petalised Jan 29 '23
This is too big of a program to verify all of the source code each time you update it. No one does it. So, it all boils down to trust.
2
u/uniteduniverse Jan 29 '23 edited Jan 29 '23
If the open source code is too big for users to verify, doesn't that mean that the FOSS philosophy is inherently flawed?
FOSS was never about trusting the creator (that same idea could be applied to proprietary software), it was always about "this program's source code is open, so I can modify it, read it, fork it to my heart's content. And because nothing on a technical standpoint is hidden from me, I can always check to see if it's doing something malicious I don't agree with".
1
u/Reddit_User_385 Jan 29 '23
The user can always compile the code themselves if they think there might be additions in the installed compared to the source code. Don't trust the developer, don't trust the installer, but trust the code you read.
1
u/petalised Jan 29 '23
From what I found online, there are 10 million lines of code in Libre Office. Only Office should have somewhat comparable number.
Do you seriously claim anyone will read the code?
0
u/Reddit_User_385 Jan 30 '23
Well, we are accusing software of spying on users without proof, so... why not also trust the code without proof? Idk. Does anyone read the entire Linux kernel? How come the entire internet and every single person interacting with technology trusts it, if they never read through the entire Linux kernel source code? Is Linux just US spyware that people install and use willingly?
1
u/petalised Jan 30 '23
And that was my initial point. Look at the number of Linux and Only Office contributors.
0
u/Reddit_User_385 Jan 30 '23
But what changes by that? Nothing. You either use it or not, if you don't trust it, you can read the source code, if you don't want to do that either... well, there isn't much else to do than to find other software. You have the option, if you do not want to use it, the next step is clear.
-2
33
u/Em_Adespoton Jan 28 '23
So the potential issues here are
1: Who exactly controls the cloud service? What do they have access to?
2: It’s FOSS, but has anyone actually done a thorough code review to ensure it’s clean? Of all versions and updates?
I’d have no issues using the non-cloud version assuming it has a decent code review, but not the cloud service.
1
u/uniteduniverse Jan 29 '23 edited Jan 29 '23
People hear FOSS and go dancing around as if it's the greatest thing ever. But no one ever seems to actually review the code of the software they have access to... The Linux kernel had a 10 year old sudo bug that was only found recently, yet its source code has been open basically since its inception. FOSS sounds great when you logically think about it, but it never really seems to go the way people expect.
3
u/throwaway_veneto Jan 29 '23
You don't need everyone to review the code they run, you only need a few people (usually packagers do that too) to do it.
4
-19
Jan 28 '23
[deleted]
51
Jan 29 '23
[deleted]
-14
u/VermiVermi Jan 29 '23
Most of the time it does lol, especially if tied with the government. Take off your pink glasses
17
Jan 29 '23
[deleted]
-12
u/VermiVermi Jan 29 '23
All 150 mln including 3 mln or something of police forces, including 1.2 mln of army and 200-300k those who invade Ukraine, yeah. Also not 150, but closer to 140, 83% or something of which supports putin.
12
Jan 29 '23
[deleted]
-12
u/VermiVermi Jan 29 '23
Oh, account creating March 2022 defends ruzzia. I think I'll save my time arguing with you
6
Jan 29 '23
I'm under the impression OO also have a strong commercial relationship with NextCloud. I no longer use either.
5
u/schklom Jan 29 '23
- There is a good chance no one at Nextcloud figured this out. I have used OnlyOffice for a few years and had no idea.
- OnlyOffice makes a plugin for Nextcloud to have more users. Do you have any source to show they actually have a business relationship?
4
Jan 29 '23
It's not merely a plugin, it's a container running an OO server, and is also promoted with their commercial offerings.
3
u/schklom Jan 29 '23
One of them is a low performance OO server, the other is the plugin to connect to one. And they also have the same for Collabora online. But OO and CO are the ones making the Nextcloud apps. AFAIK Nextcloud doesn't have a business relationship with any of them.
Also, they don't promote them with commercial offerings, they now promote CO,
Nextcloud Office promoted on https://nextcloud.com/office/ is a plugin to connect to a CO instance. The video on the bottom of the page is old and shows OO, yes, but that's not proof of a business relationship. Being able to open docx files with a friendly interface similar to Word is a good thing for them, and OO makes some money from people (mainly companies) buying OO instances.
-16
31
u/Xorous Jan 28 '23 edited Jan 29 '23
OnlyOffice is AGPL licensed, non-proprietary software, libre software: we, both individually and in groups, control it. Which line of source code is malicious?
Do you live in Russia or America? Do you think Russia is going to get you? America can. Some people obsess about Russian more than they care about our privacy.
Although, we already have LibreOffice.
0
u/JQuilty Jan 29 '23
Some people obsess about Russian more than they care about our privacy.
Not being in Russia doesn't mean you shouldn't be concerned about the Russian state. Identity theft and more mundane forms of blackmail are a very real possibility.
12
Jan 29 '23
You know which superpower is well known to use mass surveillance illegally on citizens and foreigners alike? USA.
3
u/JQuilty Jan 29 '23
That's nice. Too bad we're talking about OnlyOffice and Russia here.
And no need to specify which superpower, the Soviet Union is long gone.
1
Jan 29 '23
My point being: you're just a racist that masks it under "privacy concerns"
1
u/trai_dep Jan 29 '23
“Racist” doesn’t mean what you think it means.
But bad-faith argument bonus points for injecting inflammatory, misleading accusations into your argument.
Kudos!
2
0
Jan 29 '23
Yes all humans belong to the same race, if you had an argument you wouldn't be nitpicking genetics.
-1
u/JQuilty Jan 29 '23
Oh how original, a Russia/China defender decries everything as being racist. I hope Putin and Xi see the good work you're doing.
-1
Jan 29 '23
How original, I'm not a 'murican racist so I must be a communist spy :D :D :D
5
u/JQuilty Jan 29 '23
Never said you were a spy, just that you were a defender engaging in predictable behavior of decrying any detraction from them as racist. And expressed a hope that the respective heads of state would see the work you're putting in on the defense.
3
u/Frosty-Influence988 Jan 29 '23
You know which superpower is well known to use mass surveillance illegally on citizens and foreigners alike? USA.
To be fair, US is nowhere close to PRC in that regard.
1
u/ml6998ny Jan 29 '23
To "JQuilty"'s -- "Not being in Russia doesn't mean you shouldn't be concerned about the Russian state. Identity theft and more mundane forms of blackmail are a very real possibility". Let's talk about USA -- identity theft by NON Russians is common, same with "forms of blackmail".
20
u/RhodiumQuack Jan 29 '23
Holy shit who cares if something is Russian? I really don’t get it.
14
u/uniteduniverse Jan 29 '23
People think they should care, but they never seem to be able to give a good reason why we should. Their only explanation is "hurr durr, russian government spying on my data". But spying for what? What could Russia possibly be using with spreadsheet/PowerPoint/Word data that barely 5 million of the world's population create with OnlyOffice? If people really care that much, they could just read the source code to see what Russia could possibly be tracking on them. This obsession with privacy over convenience has gone a little too far imo.
11
Jan 29 '23
privacy over convenience only if russia is involved… it's fine to use google docs :D :D :D
Google would never do weird stuff with your data!!!!
2
u/BangGearWatch Jan 29 '23
FOSS
"they could just read the source code"
Not everybody is a programmer, friend.
1
u/RhodiumQuack Jan 29 '23
That’s fair I think, but by that logic, if you can't read the code then you shouldn’t care if something is FOSS then as you can never really confirm for yourself, which would be the same as closed source
3
u/the-crotch Jan 29 '23
Racists who are bent out of shape about the Ukraine war
2
u/RhodiumQuack Jan 29 '23
I think it’s more xenophobes but yeah. Agreed.
It’s like someone went after the person who coded SimpleX Chat only because he was Russian. People are beyond ridiculous
-7
20
u/Frosty-Influence988 Jan 29 '23
Kinda irrelevant if they are Russian or not, As long as the source code is good.
17
u/sohamg2 Jan 29 '23
Look at the war crimes the USA commits. Then stop everything that pays taxes to the USA.
15
Jan 28 '23
Is it not foss?
I think the post is 100% about why it has to be russian. But why shouldn't I use it or recommend it?
No offense, just curious. I don't even use such apps, markdown is more powerful than inferior office products.
4
Jan 28 '23
[deleted]
22
Jan 28 '23 edited Jan 28 '23
Yet I don't know why I shouldn't use or recommend it.
It's licensed under agpl, it is foss. You may use it, distribute it, etc...
You can also selfhost onlyoffice.
12
u/berejser Jan 28 '23
Just because it's foss doesn't mean its code has been audited. If such an audit says that there's no privacy risk then I'd be ok using it.
5
u/Luddite69 Jan 29 '23
oss doesn't mean its code has been audited
So then audit it. That is a major selling point of things being FOSS. If it was proprietary then you'd have no recourse.
4
u/berejser Jan 29 '23
I don't have anything like the level of security knowledge needed to do such a thing.
1
u/Luddite69 Jan 29 '23
Then treat it like any closed source project and use it or not as appropriate.
2
u/berejser Jan 29 '23
That's what I was saying from the start.
2
u/Luddite69 Jan 29 '23
Yea, but the overall thread is saying that it cannot be trusted due to "lack" of code review. The project is FOSS, so it can be reviewed. People here are acting as if there is no recourse, which is false.
A major selling point of FOSS is that you can act on your own initiative.
3
u/trai_dep Jan 29 '23
So then audit it.
You first.
4
u/Luddite69 Jan 29 '23
I'm not a user of Only Office. Don't be intellectually lazy. The program is still FOSS. Audit and compile it yourself if you really want that extra layer.
4
u/trai_dep Jan 29 '23
The point that u/berejser made, that simply because something has the theoretical possibility of being audited by a credible third party doesn't mean that it has. Magic FLOSS fairies don't exist.
Audits are expensive and infrequently done by most FLOSS projects. They are not intrinsically better or safer until they've had a credible, third-party audit. This one hasn't.
Telling people, "No. You!" doesn't address this issue. It's handwaving away a fair criticism.
PS: Compiling it yourself isn't magic pixie dust, either. You know this, right?
5
Jan 29 '23
It's not a "fair" criticism, it's a racist one.
Would this post be here if it was an american company?
Are american companies well known for always resisting their oppressive government?
This is just racism.
1
u/berejser Jan 29 '23
Race doesn't come into it, it's about the system of government under which the software is regulated.
If I don't trust software coming out of China that doesn't make me racist towards ethnically Chinese people. I'm reasonably trusting of software coming out of Taiwan and have had several Taiwanese phones and computers. The only difference between the two nations is that one is a free society and one is an authoritarian surveillance state.
2
u/berejser Jan 29 '23
Exactly. It's reasonable to treat something as potentially dangerous until an expert can show that it's safe. It's completely nuts to treat something as potentially safe until it is shown to be dangerous because by that point they've already got your data.
2
u/the-crotch Jan 29 '23
It's racist to treat something as dangerous simply because of its country of origin
1
u/Luddite69 Jan 29 '23
You are right. If you feel it has not been studied enough or you lack the ability then just treat it as if it was closed and act accordingly.
You are the one who started with the "No. You" with your "You first" comment.
The point of compiling yourself is because you fear the binary or wizard might be pulling a fast one on you. So you skip that trust by doing it yourself.
Also it is not a theoretical possibility of being audited. Here is the source code. It is okay if you depend on others to do the heavy lifting in the audit for you, but don't pretend it cannot be done. That is intellectually lazy.
0
Jan 28 '23
[deleted]
16
Jan 28 '23
I think I asked politely after reading it and not comprehending it. Sorry for bothering.
-10
Jan 28 '23
[deleted]
17
Jan 28 '23
I read it, even multiple times because I tried to search for the info on what the problem is.
- I guess russians are interested in security and privacy the same way I am. I did not study the composition of the people who develop linux kernel but most of them won't be "free" either, yet they contribute to the freedom. Any code that the onlyoffice guys write, contributes to the free source code. Any apple service is much worse for the software freedom than onlyoffice.
- Same is true for microsoft, apple, etc...
I'd like to ignore all the russian stuff here, this is a privacy sub and not a political sub. Just from privacy/ security perspective, I don't think that there's a huge risk with onlyoffice. Especially if you selfhost it. Just because there are only 20 guys contributing to the code doesn't mean that it's unsafe. Sure audits are great but foss products usually don't give a f about audits because they have no money. This would mean we should give them more money such that they can get an audit.
It's a strange situation tbo. Let's assume russia makes money through onlyoffice, a product that fights against word. I'm on the foss side of onlyoffice and don't care about the political side of both. Word has no security audit either and if they do, I don't trust it since it's closed source. So it's better than word. Now both have ties to their respective governments, yet I don't think that onlyoffice is anywhere near significant for russia but microsoft on the other hand...
2
Jan 28 '23
[deleted]
3
Jan 29 '23
including the news, governments
You mean people who are currently interested in pushing a certain narrative to convince the population that it's ok to go to war?
0
u/trai_dep Jan 29 '23
You’re speaking of Putin, right?
Because he’s the one who decided it’d be splendid to unilaterally invade his peaceful neighbor, primarily her civilians.
4
u/cloggedsink941 Jan 29 '23
Microsoft has ceased all business with Russia back in March last year already!
Because forced from the government.
15
u/voheke9860 Jan 29 '23
This bit is political as you can see that they are indirectly supporting the war with their government and military ties you are as well for using their software.
Companies like Google, Microsoft, Amazon, etc., all have ties with the US government. Should people in Asia or Latin America or Europe stop using these products simply because they disagree with America's War on Terrorism, invasion of Iraq, invasion of Afghanistan, sanctions on Cuba, etc.?
Make a list of countries that have invaded another country since WW2, and rank them by the number of countries they have invaded. If you want to avoid software by these countries, simply because of their government's actions, you will pretty much stop using computers all together.
4
Jan 29 '23
Should people in Asia or Latin America or Europe stop using these products simply because they disagree with America's War on Terrorism, invasion of Iraq, invasion of Afghanistan, sanctions on Cuba, etc.?
One can dream :)
1
Jan 29 '23
[deleted]
14
u/voheke9860 Jan 29 '23
Google, Microsoft and Amazon's ties aren't secret they are constantly put on the blast for it.
These companies are being criticized for actual privacy/security violations. Rarely have they been criticized for working with the US government.
Besides I don't even use any of the three you named and this being a privacy sub most people discourage it as well.
Do you have a smartphone? Is it an Android (Google) or iPhone (Apple)? Because both companies have ties to the US government. Or what is the processor in your laptop? Intel or AMD? Both companies have ties to the US government as well.
My point is that company with ties to the Russian government is no different than a company with ties to the US government. Do you go around telling people to avoid companies with ties to the US government? I doubt it.
15
u/Remote-Passenger5021 Jan 28 '23
The first comment says "is it not foss", the commenter never said it wasn't
10
11
Jan 28 '23
I use Libreoffice or Pages.
1
u/5erif Jan 29 '23
I love the Pages feel and workflow. Shame there isn't a clone layout for Libreoffice like the MS ribbon clone.
10
u/Simplixt Jan 29 '23
I'm using it as a docker container with nextcloud (however in a private network without internet, as 99% of my containers, as I'm not capable of doing code reviews)
Show me the suspicious traffic or code. Or fork it. And afterwards fork Seafile because it's too close to China, and.... and.... and...
9
u/webfork2 Jan 29 '23
Few notes here:
So I've not been impressed by ONLYOFFICE as a project, which has been more important than the national interest question. It's moved incredibly slow since its appearance in terms of features, they've insisted on pure .DOCX and claimed it's 100% compatible with Word when it's so plainly not.
In terms of national interest, part of the reason for and success behind open source software generally is to try and help dissolve these questions. Because you can look at the code, it's possible to avoid interference by state actors. As other posters have noted, a more thorough audit is probably called for. Those are expensive so ... probably not going to happen.
Also for an English language post, you might want to look at a translation option for non-English sources. In this case, here's the Epravda link you posted inside a translation: https://www-epravda-com-ua.translate.goog/publications/2022/07/6/688888/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp
8
7
u/Trianchid Jan 29 '23
Open office gang, i use open office since 17 years
1
u/5erif Jan 29 '23
What made you avoid the switch to Libreoffice following the great Oracle exodus?
2
u/Trianchid Jan 29 '23
Idk? Didn't hear about it, open office gets updates less regularly afaik , likewise
1
u/5erif Jan 29 '23
I think it was a bit over ten years ago when Oracle owned OpenOffice, there were management changes, and they started neglecting it, standing in the way of pull requests and ignoring direction from its biggest open source contributors. That's when the majority of its developers jumped ship to fork and develop LibreOffice, and the majority of its users switched to the new project too.
Seeing how much bad press their mismanagement of OpenOffice was causing, Oracle decided to donate the project to the Apache Foundation.
Apache has been handling it well for years now, so it's totally fine if you're happy with OpenOffice and not enticed by the shiny new features of LibreOffice. There's something nice about a project that isn't changing too fast, and OO does still have devs working on it.
I like the OpenOffice project name better, and have fond memories of using it.
2
u/Trianchid Jan 29 '23
I always remember Apache with it, i didn't remember the Oracle drama
Great stuff, i played on Open Office when i was kid lol, printed some paintings out too, aside from playing StarCraft 2
1
1
u/ml6998ny Jan 29 '23
Re: "vermivermi"'s (paid?) anti Ru propaganda and efforts to discredit Ru businesses. Notice this person uses derogatory name "RUZZIA". Don't expect such "people" to be fair or impartial. All cloud services are not very safe. It was in the New York Times Business section B, last Fall, an article about Microsoft offering FREE cloud services for high schools in France. The French refused and did not want anything to do with cloud service from an American company, even for FREE! I bought a HP laptop last summer from American store Target and still not able to use for the mess and insecurity associated with its "cloud service". It didn't say on the box that this HP laptop uses cloud service, which is deceptive. The store didn't have any personnel to answer questions about the product they were selling. Is this fair? And we deal with American companies and businesses.
1
u/ml6998ny Jan 29 '23
"KanaKKind OP" just removed his prop--agandistic posting for 'discussion'. Very telling.
1
u/ml6998ny Jan 29 '23
Reddit keeps deleting my post. Trying. Clarification and related addition, re: "EU ...will put them under sanctions like they have done with RT" (r/malcarada). RT stands for Russian Television. Also Sputnik and probable others were "sanctioned"/ censored by US/EU for being "connected" w the Russian govt. Let's look at media in the West connected with governments, engaged in propaganda/dis--information/instigation of conflict in Ukr., such as: BBC for UK, Deutsche Welle for Germany, Radio Free Europe & Radio Liberty for USA -- none of these foreign pro-NATO state media are censored, sanctioned, prevented from broadcasting their wares. Censorship and lies. See these publications for more information: 1/ book: 'Inventing Reality' by Michael Parenti 2/ article in Columbia Magazine 'Uncovering America's Dark Secrets, A Q&A with Matthew Connelly on using data science to reveal previously hidden government documents' by Lorraine Glennon.
-1
-13
u/JustMrNic3 Jan 29 '23 edited Jan 29 '23
KDE organization seems to also unfortunately promote Russian commercial distributions on their website:
https://kde.org/distributions/
- ROSA
- Alt Workstation K
ROSA Desktop is a Russian Linux distribution featuring a customised KDE desktop and the working environment. This product comes with commercial support.
Alt Workstation K is a Russian distribution for organizing end-user workstations and is suitable for use in an office environment as well as at home. This product comes with commercial support.
Whoever chooses to buy the commercial support for these two Linux distros will indirectly fund Russia and its war machine through taxes.
And KDE seems to promote them indirectly helping Russia get more money for doing awful things.
And what's worse, it seems that they also disappointingly removed the post requesting that these distros should be taken down from their website:
https://www.reddit.com/r/kde/comments/10lcd9q/why_do_russian_distributions_get_promoted_on_the/
I wish more people would request that they are not promoted anymore.
10
u/YamBitter571 Jan 29 '23
No one cares about the potential profit the Russian government would see from a Linux Distro support package. LMAO get real bud.
-12
2
u/diskowmoskow Jan 29 '23
Ukraine invasion might be the more recent, will you do the same thing for American companies, for their cultural machine or else? If the point is on privacy as we are in r/privacy I would think about it again.
2
u/JustMrNic3 Jan 29 '23
Yes!
I want governments at least to move from Microsoft's products anyway.
-18
Jan 28 '23
The only office guys are based in Latvia, not russia
2
Jan 28 '23
[deleted]
13
u/dickgraysonn Jan 29 '23
I think this is reaching red scare levels of paranoia. Someone being incorrect while disagreeing with you doesn't mean the account is a "Russian bot".
3
Jan 29 '23
I edited it because I was thinking that apache open office was the master branch, and no, I'm not a bot. I think they were created in Russia but moved operations to Latvia, sorry I had to clear that up.
But you can check my profile, I'm not a bot.
-6
111
u/txmail Jan 28 '23
Grrrr.... I just read the ToS for a security camera made in China that stated they could use, without your consent or knowledge video feeds for academic research and about 10 other reasons that basically let them have full access to the video stream. It was a powerful camera with tons of AI features and the way it was designed meant that it would punch a two way hole straight through any firewall that was not actively blocking it.
I hate this world we have built.