Remove OnlyOffice

Why should this tool be removed?

The recent Euro-Office fork has shown what open source means to OnlyOffice.

They market themselves as open source (AGPL license) but then added contradictory terms that say you have to use their logo but you’re not allowed to use their logo, which makes forking effectively impossible.

Of course, the Free Software Foundation, the creators of AGPL, has clarified that these additional restrictions are not enforceable and can be removed. But this still shows what kind of project and company OnlyOffice is.

If this was some small, indie team wanting to fork it without a legal team or the recognition to warrant an official account of the FSF, they could be sued out of existence, making the entire codebase effectively proprietary (against Privacy Guides’ criteria).

Additionally:

  • No community contributions are accepted
  • Broken build instructions
  • 0 transparency - private internal issue trackers, commits referencing them
  • Code comments in Russian
  • Codebase includes binary blobs and obfuscated code
  • Mobile apps are not open source, just proprietary wrappers

This is a company that wants the marketing benefits of “open source” without actually being open.

And about the company..

The company behind OnlyOffice, Ascensio System SIA, has a messy and shifting structure.

They present themselves as Latvian but are actually tied to the Russian company “New Communication Technologies”, which is owned by Lev Bannov. Later it was moved to a Singapore holding company.

This is an effort to obscure their origins. Software made by Russian developers is not inherently untrustworthy or insecure but being based in and controlled from Russia and actively obfuscating ownership is.

There’s also a Russian-branded version (R7-Office) used domestically, including by the government and military.

The project itself is opaque enough that you can’t really verify what’s going on internally.

Nowadays there is a lot of geopolitical tension (push for European alternatives, Russia’s invasion etc.).

Software developed and controlled within certain jurisdictions can be subject to government pressure, legal demands, national security frameworks.

Development is widely reported to be based in Nizhny Novgorod.

In that context, Russian-based software can become part of broader information warfare or influence operations, especially when combined with opaque development and unclear governance.

This is not about nationality but about risk, control, and trust.

(They also refused to condemn the Russian invasion in Ukraine.)

Russia is well-known for meddling in US and EU affairs, trying to undermine democracy, cutting undersea cables etc.

Setting aside the moral arguments of Russian actions and focusing on the project itself - is OnlyOffice so good and trustworthy to overlook all this? Is there no alternative without all these risks? (There is)

All of this could be avoided by not using it. Is the prettier UI and Microsoft compatibility worth all this?

Privacy is ultimately about trust. Sure, there are many technical things that can guarantee it but not in all cases. There is always some trust involved, be it trusting the web client serving the correct JS code or that a service is running the same server source code that is publicly available.

Privacy cannot be guaranteed by only technical means. You have to trust that updates aren’t introducing backdoors, and that the distribution channels (app stores, websites) aren’t compromised etc.

More reading:

5 Likes

Just a suggestion but you might be better off reframing this as a recommendation to replace OnlyOffice with Euro-Office. The bar for removal is higher than the bar for suggesting an alternative (see attempts to Remove 1Password), and nothing here provides concrete evidence that OnlyOffice no longer meets the criteria (which would be the simplest justification for removal).

2 Likes

Euro-Office is not designed for stand-alone use, but developed to be web-based and integrated in another product that handles documents, for example a file sharing solution, an online wiki, a project management tool and so on.

And there are no releases for desktop and mobile apps yet. You can build them yourself but that’s not very beginner-friendly.

It’s just a WIP still.

1 Like

I don’t think your arguments against OnlyOffice on the basis of its Russian connection hold any merit. There are good reasons why a trustworthy Russian FOSS developer would attempt to obfuscate their identity, or refuse to make public statements condemning their government. I see no reasonable basis here to doubt trust, just feels like McCarthyism.

The argument of merit against this tool is, in my opinion, exclusively in your first section, discussing its questionable FOSS status.

5 Likes

I don’t agree. As I said in my post, jurisdiction matters and trust matters.

> trustworthy Russian FOSS developer

They haven’t proven to be trustworthy. Trust is not given out like candy but earned.

> There are good reasons why a trustworthy Russian FOSS developer would attempt to obfuscate their identity

Such as?

> refuse to make public statements condemning their government.

I guess, yeah, but then still jurisdiction matters. If they’re in Russia they can be forced to do a backdoor or a malicious update etc.

> no reasonable basis here to doubt trust

  • Codebase includes binary blobs and obfuscated code
  • Mobile apps are not open source, just proprietary wrappers
  • Broken build instructions
  • Euro-Office situation
  • Russian jurisdiction and obfuscating it, making it seem like an EU alternative

> McCarthyism

So you’re telling me that Russia isn’t cutting undersea cables, didn’t meddle in EU or US affairs, isn’t authoritarian, didn’t invade a peaceful country?

These are real actions, not conjecture or lies.

And like I said before:

> In that context, Russian-based software can become part of broader information warfare or influence operations, especially when combined with opaque development and unclear governance.

2 Likes

I guess this is ultimately a threat model debate? My threat model & corresponding mitigations are rigidly based on evidence-backed risks. I do not believe this Russian argument is a risk that warrants special mitigation.

I didn’t say that I believe this developer is trustworthy, only that the behavior you listed could be exhibited by a trustworthy developer, thus the behavior itself is not evidence of untrustworthiness.

To hide from their totalitarian government or to circumvent international sanctions, for example. Developers are also entitled to privacy.

There is no evidence of a backdoor in this tool. Implementing mitigations based on the fear one may eventually exist in this tool specifically is not a reasonable, evidence-based threat model. Russia is not a special case, many (if not every) technological nationstate can/has/does compel backdoors.

It would be reasonable to operate under the assumption every piece of software may eventually contain a backdoor. In that case, run all software in a zero-trust venv. Qubes is a strong option.

My opposition is specifically to the implication that this tool’s Russian connections add a special risk. Except for that last point, I do not believe these objections fall under that umbrella.

This is all obviously true. But unless you believe Putin himself developed this tool, these concerns are not particularly relevant to the discussion: evaluating an office software tool.

1 Like

I will never process a single document if the requirement for operation is the internet. And if Euro-Office is online, my choice is always OnlyOffice.

There will definitely be desktop and mobile apps. And I think it would be unwise for them to make them online-only without offline editing since all the tech is already there for it.

Anyways, if they do decide to make it online-only then we can pressure them not to.

Please note we are not affiliated with any of the projects we recommend. In addition to our standard criteria, we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it’s the right choice for you.

  • Must be cross-platform.
  • Must be open-source software.
  • Must function offline.
  • Must support editing documents, spreadsheets, and slideshows.
  • Must export files to standard document formats.

Source: Office Suites - Privacy Guides

OnlyOffice is a cloud-based free and open-source office suite with extensive functionality, including integration with Nextcloud.

Source: Office Suites - Privacy Guides

  1. PrivacyGuides claims that OnlyOffice is FOSS, which it is not.
  2. PrivacyGuides says that it is a must to be Open Source for an Office Suite, which OnlyOffice is not.

So we have two issues: firstly, PrivacyGuides is (not intentionally) lying to their user base, and secondly, it recommends a tool that does not meet their own standards.

Maybe we should start by removing the “free and open-source” in the KB and make it clear that not everything is 100% Open Source and later if we have an alternative replace it.

Yes there is LibreOffice, however compared to OnlyOffice it is harder to use, looks older, has weaker compatibility, but is truly Open Source and has more features.

1 Like

Euro Office will be/is Open Source and on GitHub. So you can always self-host it or run it locally, without any Cloud.

1 Like

I think this topic might interest you:

If jurisdiction is a factor in your threat model, Privacy Guides may include this information in their recommendation to help users make informed decisions.

Can’t edit my post so I just wanted to add:

> (They also refused to condemn the Russian invasion in Ukraine.)

It is understandable why they wouldn’t while in Russia but they never moved out or stopped operating there.

> 0 transparency - private internal issue trackers, commits referencing them

commits referencing only them and no other description

So there are numerous moral and jurisdictional issues and I also wanted to highlight the not open source thing further:

  • Codebase includes binary blobs and obfuscated code
  • Mobile apps are not open source, just proprietary wrappers
  • Broken build instructions
  • If this was some small, indie team wanting to fork it without a legal team or the recognition to warrant an official account of the FSF, they could be sued out of existence, making the entire codebase effectively proprietary (against Privacy Guides’ criteria).

Thanks, I will but once there is an official release with mobile and desktop apps so in the meantime this will have to do.

@MightyPenny mixes valid technical criticisms with overstated, outdated, or speculative claims. It over-relies on historical/geopolitical guilt-by-association rather than current real evidence of privacy/security harm, and it uses selective framing that ignores counter-evidence and the project’s actual auditability for self-hosted use.