[Pkg-virtualbox-devel] Bug#794466: Virtualbox might not be suitable for Stretch

Gianfranco Costamagna costamagnagianfranco at yahoo.it
Mon Aug 3 10:47:23 UTC 2015


Source: virtualbox
Version: 4.3.30-dfsg-1
Severity: critical


X-Debbugs-CC: jmm at inutil.org
X-Debbugs-CC: rrs at debian.org
X-Debbugs-CC: frank.mehnert at oracle.com
X-Debbugs-CC: klaus.espenlaub at oracle.com

(please cc people if needed)
As said in many different threads [1, bottom of the mail], upstream doesn't play in a really fair mode wrt CVEs in the package (it used to, but not for the current CVE list).

This basically makes the package unsuitable for Stable Releases, since "Upgrade to a newer release" is not the correct answer, and
cherry-picking patches without upstream support is just impossible/not easily feasible for such a huge codebase.

I quote a mail from some Vbox upstream developers and Debian folks.

Personal Maintainer opinion:
I do not have anything against VirtualBox nor against upstream, made by competent people who helped us a lot, did great work in merging
patches (also my patches) and provided such a good tool for us. I love the package and I would like to see it in Debian, but since people working for Oracle might risk being punished for not following the Oracle policy, I think we are not sure we can continue providing a CVE-free package for Stable Releases.

So, while Oracle employees try to find out an Open Source friendly way to cooperate with us, I'm opening this bug to let the community be aware of the status quo of the package.


On Tuesday 28 July 2015 14:00:31 Ritesh Raj Sarraf wrote:
> I am writing to you seeking clarification on what the project's stance
> is for Security Vulnerabilities.
>
> As you know, for Debian, we package VirtualBox. Given the breadth of
> the Debian project (oldstable, stable, testing, LTS, derivatives), it
> is important for us to have access to security fixes in an easy format.
>
> https://security-tracker.debian.org/tracker/CVE-2015-2594
>
> For example, for the above CVE, afaik all we have is a consolidated
> report. http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
>
> With no broken down fixes in an easy format, it makes it difficult to
> backport those fixes to older versions.

I'm aware of the problem. Unfortunately there is an Oracle policy which
forbids us to provide relevant information about security bugs, see
here:

http://www.oracle.com/us/support/assurance/vulnerability-remediation/disclosure/index.html

We are currently trying to find out what's possible to help you but this
will take some more time.



Thanks folks for the help, I still hope we can solve it in a good way, to avoid the disappearance of VirtualBox there :)


cheers!

Gianfranco


