{"id":79725,"date":"2026-05-13T12:44:17","date_gmt":"2026-05-13T12:44:17","guid":{"rendered":"https:\/\/owncloud.com\/?p=79725"},"modified":"2026-05-13T12:44:17","modified_gmt":"2026-05-13T12:44:17","slug":"ocis-curie-is-complete-and-you-should-update-to-8-0-3-now","status":"publish","type":"post","link":"https:\/\/owncloud.com\/de\/blogs\/ocis-curie-is-complete-and-you-should-update-to-8-0-3-now\/","title":{"rendered":"oCIS &#8222;Curie&#8220; is complete and you should update to 8.0.3 now"},"content":{"rendered":"<h2>If you&#8217;re running <em>any<\/em> oCIS (ownCloud Infinite Scale) version, please update to 8.0.3 today.<\/h2>\n<p>The latest patch, released on May 11th 2026, contains <strong>security fixes<\/strong>.<br \/>\nThe upgrade is a binary swap with no configuration changes, no migrations, nothing else to do if you were running oCIS 8.0.x before.<\/p>\n<p>Now for the full story of what the Curie release series has brought since February.<\/p>\n<h2>Curie<\/h2>\n<p>Each named production release of Infinite Scale is named after a female Nobel Prize laureate, a quiet but deliberate choice. These are the women whose work shaped the scientific and humanitarian foundations the modern world runs on. Naming a release series after them is at minimum a reminder that the infrastructure we build doesn&#8217;t exist in a cultural vacuum.<br \/>\nThe Curie series is named for Marie Curie, two-time Nobel laureate in Physics and Chemistry. 
The next releases in development are Deledda, after Grazia Deledda (Literature, 1926), and Ebadi (Shirin Ebadi, Peace 2003), planned for Q3.<\/p>\n<p>The Curie series shipped in four production releases between February and May, with an early access RC (Release Candidate) in the first week of Q1.<br \/>\nPatch numbering follows semantic versioning, the team doesn&#8217;t pre-decide whether something will be a major or minor; that&#8217;s determined by what actually lands.<br \/>\nWhat landed across Curie is substantial.<\/p>\n<h2>Multi-instance and federation<\/h2>\n<p>The centerpiece of the Curie series is multi-instance oCIS.<br \/>\nYou can now connect multiple oCIS deployments to the same Identity Provider and share resources across them.<br \/>\nThe UI gained an instance switcher and cross-instance resource references in the user context menu.<br \/>\nFor federated school clouds, multi-tenant enterprise setups, or the growing number of deployments that need cross-organizational collaboration, this opens use-cases that previously required significant custom work.<\/p>\n<p>Federation via Open Cloud Mesh (OCM) was substantially reworked for full specification compliance at the same time, enabling proper interoperability with other OCM implementations beyond just ownCloud.<br \/>\nThis comes with a migration note:<br \/>\nexisting OCM invitations and shares need to be recreated after upgrading from oCIS 7.x.<br \/>\nIf you&#8217;re running OCM in production, plan for that window.<br \/>\nOCM permission change notifications for federated contexts were fixed in a subsequent patch, and internal link access control was tightened.<\/p>\n<h2>Security and hardening<\/h2>\n<p>Alongside the federation work, Curie brought a round of security improvements that are worth naming explicitly:<\/p>\n<ul>\n<li>Public link brute-force protection is now enabled by default:<br \/>\nup to five failed password attempts per hour before a link is locked, with the threshold fully 
configurable.<\/li>\n<li>The Referrer-Policy was tightened to\u00a0no-referrer, removing any cross-origin leakage from outgoing requests.<\/li>\n<li>PROXY_FORCE_STRICT_TRANSPORT_SECURITY\u00a0was added for deployments where oCIS terminates behind an upstream proxy that was swallowing HSTS headers.<\/li>\n<li>Server-provided strings are now properly escaped before rendering in the UI, a category of issue that belongs in a security review regardless of whether a known exploitation path exists. Then there&#8217;s 8.0.3, which closes runtime-level CVEs in Go and libvips.<\/li>\n<\/ul>\n<p>Many reasons you should <a href=\"#upgrade-now\">Update now<\/a>.<\/p>\n<h2>Office integration<\/h2>\n<p>The collaboration service (the WOPI layer that connects oCIS to e.g. <a href=\"https:\/\/www.collaboraonline.com\/collabora-online\/\" target=\"_blank\" rel=\"noopener\">Collabora<\/a>) gained the ability to blacklist specific file extensions from specific editors.<br \/>\nIn compliance environments where document type routing needs to be policy-controlled rather than left to users, this was a missing configuration knob.<\/p>\n<p>A persistent user-facing error in OnlyOffice view-only mode was also closed.<br \/>\nOnlyOffice sends a WOPI Lock request every time it opens a document, even when the user only has read access. The oCIS WOPI handler was trying to acquire a write lock regardless of view mode, failing with a permission error that OnlyOffice surfaced as an error dialog on document load. The fix returns\u00a0200 OK\u00a0immediately for read-only and view-only modes without touching the lock state, which is exactly what the WOPI specification requires. 
If users were getting error pop-ups when opening shared documents they couldn&#8217;t edit, this is what closed it.<\/p>\n<h2>Identity and LDAP<\/h2>\n<p>Enterprise LDAP setups got meaningful attention across the series:<\/p>\n<ul>\n<li>The Graph service can now provision users against an external ID attribute from LDAP rather than always generating its own, with a switch to enable it.<br \/>\nThis is relevant for AD setups where the authoritative identifier lives upstream and oCIS shouldn&#8217;t be minting its own.<\/li>\n<li>A regression that was writing empty\u00a0<em>externalID\u00a0<\/em>values to LDAP on user creation (blocking creation entirely in many configurations) was patched quickly.<\/li>\n<li>Group creation was fixed to respect the <em>objectClass<\/em> configured in the server rather than always falling back to\u00a0<em>groupOfNames<\/em>.<\/li>\n<li>And a new environment variable (OCIS_LDAP_GROUP_ADDITIONAL_OBJECTCLASSES) lets you attach additional <em>objectClasses<\/em> to groups at creation time, closing a gap for LDAP schemas that require groups to carry multiple values.<br \/>\nThis is common in enterprise AD and some OpenLDAP setups.<\/li>\n<\/ul>\n<h2>Spaces and permissions<\/h2>\n<p>The permission model was extended in two directions:<\/p>\n<ul>\n<li>The space role set gained <em>SpaceEditorWithoutVersionsWithoutTrashbin<\/em>: full edit rights without access to version history or the trashbin.<br \/>\nThe previous step, <em>SpaceEditorWithoutTrashbin<\/em> (added in 7.2), removed <em>trashbin<\/em> access and this goes one step further; it&#8217;s designed for contexts where edit rights need to be granted without exposing file recovery capabilities: contractor access, compliance-constrained project spaces, environments where version history is a data governance concern.<\/li>\n<li>The REPORT WebDAV method now returns\u00a0<em>spaceid\u00a0<\/em>in its responses, matching what <em>PROPFIND<\/em> already returned.<br \/>\nClients that needed 
to correlate search results back to a specific space were carrying a workaround for this; now they don&#8217;t have to.<\/li>\n<\/ul>\n<p>A more subtle but production-relevant fix:<br \/>\nthe middleware responsible for reconciling space memberships was running on every authenticated request, including signed URL requests used for file downloads. Signed URL auth doesn&#8217;t carry OIDC claims. The middleware interpreted &#8222;no claims&#8220; as &#8222;remove this user from all project spaces&#8220;, and did so, only to re-add them on the next regular OIDC request. That oscillation produced transient &#8222;space not found&#8220; errors and intermittent download failures with nothing obvious in the logs to explain them.<br \/>\nThe fix is to skip reconciliation entirely when no OIDC claims are present in the request context.<\/p>\n<h2>The user experience<\/h2>\n<p>The User Interface received a few great features and fixes:<\/p>\n<ul>\n<li>A proper crash page in the Curie series: a bounded failure state with a clear message, rather than a blank screen when something goes wrong during load.<\/li>\n<li>The search bar got a layout fix (search text was overlapping the search icon).<\/li>\n<li>The share button was being obscured when a sharing role had a long display name, pushing it out of the visible area and making certain sharing flows completely inaccessible.<\/li>\n<li>External members weren&#8217;t appearing in the &#8222;Shared with&#8220; section at all, which made federated and external share recipients invisible in the sharing panel.<\/li>\n<\/ul>\n<h2>The release pipeline<\/h2>\n<p>Something changed structurally in how Curie was delivered.<br \/>\nFor years, oCIS used Drone CI: a self-hosted setup driven by a multi-thousand-line Starlark configuration file that orchestrated everything from unit tests to multi-architecture Docker builds, S3 artifact caching, e2e test suites against a live stack, Helm chart publishing, and the signed release tag flow.<br 
\/>\nRunning it meant owning the infrastructure underneath it.<\/p>\n<p>Moving a pipeline of that complexity to GitHub Actions isn&#8217;t a weekend project.<br \/>\nThe caching strategy needed rebuilding from scratch across a Go monorepo of around 50 internal services.<br \/>\nShared infrastructure dependencies had to be recreated.<br \/>\nThe release signing flow had to be re-orchestrated.<br \/>\nEvery step had to be verified to produce equivalent artifacts, because the quality gates don&#8217;t move just because the plumbing did.<\/p>\n<p>The transition completed mid-series.<br \/>\nEarlier Curie patches were still published by the\u00a0ownClouders\u00a0automation account; the most recent two came out of\u00a0github-actions.<br \/>\nThe pipeline is stable.<br \/>\nThe practical upside: no more runner infrastructure to maintain, native integration with GitHub&#8217;s security tooling, and a release process readable by any contributor who knows GitHub Actions rather than ownCloud-specific Drone Starlark.<br \/>\nFor a project that launched an OSPO and retired its CLA specifically to lower the barrier to external contribution, that alignment matters.<\/p>\n<h2>What&#8217;s coming: Deledda and Ebadi<\/h2>\n<p>The quarterly cadence puts an early access in the first week of each quarter, with GA (General Availability) gated by QA (Quality Assurance).<br \/>\nIf you&#8217;re wondering why there&#8217;s no Deledda RC (Release Candidate) yet given that Q2 is well underway, yes, we&#8217;re running late; the<a href=\"https:\/\/owncloud.com\/security-advisories\/security-notice-impact-of-cve-2026-33634-on-owncloud-build-infrastructure\/\"> CVE-2026-33634 Trivy\/Aqua supply chain incident<\/a> in March consumed significant bandwidth across engineering, communications, and customer-facing work. 
The CI (Continuous Integration) migration also ran long.<br \/>\nThe Deledda RC will land when it&#8217;s clean, not on a calendar date we can no longer hit.<\/p>\n<p>Ebadi enters development in Q3.<br \/>\nBoth releases are shaping up on the public roadmap.<br \/>\nThe community forum is the right place to push for features or fixes you need while those cycles are still being scoped.<\/p>\n<h2><a href=\"#upgrade-now\" target=\"_blank\" rel=\"noopener\">Upgrade now<\/a><\/h2>\n<p>Update to 8.0.3 from any 8.0.x version, as it&#8217;s a binary swap: no configuration changes, no migrations.<\/p>\n<p>If you&#8217;re coming from 7.3.x, the only thing that needs attention is OCM: existing federated invitations and shares need to be recreated as documented in the <a href=\"https:\/\/doc.owncloud.com\/ocis_release_notes.html#infinite-scale-8-0-0-production-curie\">8.0.0 release notes<\/a>. Everything else upgrades cleanly.<\/p>\n<ul>\n<li>oCIS 8.0.3:\u00a0<a href=\"https:\/\/github.com\/owncloud\/ocis\/releases\/tag\/v8.0.3\" target=\"_blank\" rel=\"noopener\">github.com\/owncloud\/ocis\/releases\/tag\/v8.0.3<\/a><\/li>\n<li>Full Curie changelog:\u00a0<a href=\"https:\/\/github.com\/owncloud\/ocis\/releases\" target=\"_blank\" rel=\"noopener\">github.com\/owncloud\/ocis\/releases<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>If you&#8217;re running any oCIS (ownCloud Infinite Scale) version, please update to 8.0.3; The latest patch, released on May 11th 2026, contains security 
fixes.<\/p>\n","protected":false},"author":7,"featured_media":78665,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"categories":[43,335,339,354,360],"tags":[],"class_list":["post-79725","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-development","category-owncloud","category-release","category-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/79725","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/comments?post=79725"}],"version-history":[{"count":3,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/79725\/revisions"}],"predecessor-version":[{"id":79728,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/posts\/79725\/revisions\/79728"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media\/78665"}],"wp:attachment":[{"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/media?parent=79725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/categories?post=79725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/owncloud.com\/de\/wp-json\/wp\/v2\/tags?post=79725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}