[Pkg-virtualbox-devel] squeeze update of virtualbox-ose?

Gianfranco Costamagna costamagnagianfranco at yahoo.it
Thu Jul 23 20:03:44 UTC 2015


Hi Ben,

sorry for the late answer, but I need to understand how Oracle will continue to play the Open Source game.


They generally refuse to give CVE patches.


Oracle forbids employees to give commit IDs to developers who want to cherry-pick a patch for a CVE.


Months ago Frank (from Oracle) helped us a lot, and now he is on VAC, and nobody so far helped us in fixing the latest CVE in Jessie.


Another CVE has been fixed with a patch from a community member on the vbox mailing list, because my request hasn't been answered by the official developers.

(actually the patch was a cherry-pick and it was correct to my checks, and upstream rejected my tweaks, so I applied it as-is)


If they want to have the package in Debian they need to learn how to help people in packaging it.


Vbox developers don't want to have work troubles by giving patches to us, so for now I just asked for a policy exception for Debian.


That said, I'll probably ask for a removal of virtualbox, if we can't guarantee a CVE-free stable version.


So, sorry for the long mail, but I have no manpower to maintain this huge package if upstream doesn't help me.


If somebody wants to take a look, they are free to do so; I probably won't look at it for 15 days or more. (I'm really busy with other packages that are much easier to maintain.)


(I know you maintain the linux package, and I know it is much harder than virtualbox; this is why I'll try to fix the package as soon as possible.)


(sorry for typos and top posting)

cheers,


Gianfranco

Sent from Yahoo Mail on Android

From: "Ben Hutchings" <benh at debian.org>
Date: Thu, 16 Jul, 2015 at 20:40
Subject: squeeze update of virtualbox-ose?

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of virtualbox-ose:
https://security-tracker.debian.org/tracker/CVE-2012-3221
https://security-tracker.debian.org/tracker/CVE-2013-3792
https://security-tracker.debian.org/tracker/CVE-2013-5892
https://security-tracker.debian.org/tracker/CVE-2014-0404
https://security-tracker.debian.org/tracker/CVE-2014-0406
https://security-tracker.debian.org/tracker/CVE-2014-0407
https://security-tracker.debian.org/tracker/CVE-2014-0981
https://security-tracker.debian.org/tracker/CVE-2014-0983
https://security-tracker.debian.org/tracker/CVE-2014-2486
https://security-tracker.debian.org/tracker/CVE-2014-2488
https://security-tracker.debian.org/tracker/CVE-2014-2489
https://security-tracker.debian.org/tracker/CVE-2015-2594

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts at lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Ben Hutchings,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup


-- 
Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
