[Pkg-virtualbox-devel] Bug#794466: Virtualbox might not be suitable for Stretch

Gianfranco Costamagna costamagnagianfranco at yahoo.it
Mon Aug 10 07:16:59 UTC 2015


Hi,

>Debian Security Team:


>These are what we have currently in Debian:
>
>oldstable: 4.1.18
>stable: 4.3.18
>testing: 4.3.30



I would add (as Ben requested)

old-old-stable 3.2.10 --> 3.2.28
(this will fix AFAICS all the CVEs on o-o-stable, but not the latest one)


https://www.virtualbox.org/wiki/Changelog-3.2
>So, to keep the stable version secure in the Oracle way, we'll need to
>push it to 4.3.30. Please look at: 
>https://www.virtualbox.org/wiki/Changelog-4.3 for the 4.3.x changelog.
>
>Similarly, 4.1.x here: https://www.virtualbox.org/wiki/Changelog-4.1
>
>The good thing is that Oracle declares these as "Maintenance release".
>So the usual sane practice for them too should be to only update it with
>security fixes. Though this has not been the case in the past. There
>have been regressions.


I do not recall any regressions there, at least between stable minor releases
(I recall regressions between 4.1.x and 4.3.x).

However, the changelogs mention a couple of them, so they must be right :)

>But if the security team can agree up with this release model, then the
>VBox team could just keep it up-to-date.



Yes, otherwise the points remain:

1) leave the oracle with CVEs in stable releases

or

2) have an exception from Security Team and/or Release Team

or

3) wait and hope Oracle will change the model or make an exception

----


1) means VBox disappearing from Testing, I'm afraid

2) we will continue to provide new security releases, and fix almost all the CVEs around here
(except for one in o-o-stable)

3) this is kind of impossible right now, I guess (even if Oracle employees are continuing
to try to get it)


BTW, having the "stable maintenance releases" in Debian stable releases will allow people to rebuild
kernel modules on their own, because people usually upgrade
their kernel while running stable, and VirtualBox usually doesn't compile anymore
against them.

Ubuntu followed a slightly different model: they started embedding the VirtualBox modules
in the Linux kernel, while with Debian we are forced to update VirtualBox on stable,
or close the reported bugs as "notfix" (and ask people to run it from testing instead).

So the annoying kernel module rebuilds might be fixed too here :)


cheers,

Gianfranco
