[Pkg-virtualbox-devel] Bug#794466: Virtualbox might not be suitable for Stretch

Gianfranco Costamagna costamagnagianfranco at yahoo.it
Sat Aug 8 21:23:31 UTC 2015


Hi Debian Release Team,


TL;DR:


Virtualbox suffers from many security issues in Debian,
especially because Upstream (Oracle) refuses to give
patches for CVEs, and (you can see in the Debian bug
794466 an analysis of the Oracle policy and discussion)
this makes it difficult to handle security uploads in stable
releases.


The only patch they give for a CVE is "upgrade to the
next version of the stable branch", and extracting patches
from the code is not trivial, especially for such a huge package.


My request, based on Markus' mail quoted below

(something I pondered already, I was just waiting for somebody
to do the first move), would be to have a sort of permission
to do the updates to newer stable releases in s-p-u.

e.g.


On oldstable, version 4.1.18-dfsg-2+deb7u5 might become 4.1.30

on stable, version 4.3.18 might become 4.3.30, and so on.

Oracle at this moment maintains 4.0.x, 4.1.x, 4.2.x, 4.3.x and 5.0.x
branches, in which all security fixes seem to be addressed.

(virtualbox-ose from o-o-s still needs some pinpoint fixes)


So, even if the debdiff might look scary, we might want to
update at least to the corresponding stable branch
to fix bugs and security issues.

Honestly I *never* found a regression in Virtualbox maintenance
releases, nor in backports, and the huge popcon makes it difficult
to just let the package disappear.

I have maintained Virtualbox since ~2013 or so, and I can say that the
maintenance branches do not require new dependencies
(at least they never did; the only build-dependencies we added
in maintenance releases were due to packaging bugs that had to
be fixed, not something that upstream added).



Thanks for your attention,

(note: I did not find any reference on Google about this sort
of exception, so please feel free to point me to some documentation
if adding -release to the bug is not enough, or feel free to reassign
to the best meta package bug)


Gianfranco

>Hi Gianfranco,
>thanks for your summary.
>
>Although I'm not involved in maintaining virtualbox, still a few
>thoughts:
>
>* What would that mean for Jessie updates?
>* Isn't that basically the same problem we have with MySQL,
>  or even Iceweasel?
>
>So I think the question is either drop, or work with upstream releases,
>which I'd personally prefer.
>
>Even popcon isn't too bad: 
>https://qa.debian.org/popcon.php?package=virtualbox
>
>Leaving users with the possibility to use upstream packages is also not
>very attractive.
>
>Just my few cents :)
>Markus 
