[Pkg-virtualbox-devel] Bug#823347: virtualbox-guest-additions-iso: Checks for updates without user consent or configurability

qazwsxedc qazwsxedc at gmx.net
Tue May 3 20:07:41 UTC 2016


Package: virtualbox-guest-additions-iso
Version: 5.0.16-1
Severity: normal

Dear Maintainer,

   * What led up to the situation?
The Virtualbox guest additions appear to include functionality which "phones
home" and checks for updates being available, then notifies the user about them
if any are.

   * What exactly did you do (or not do) that was effective (or ineffective)?
Installed Virtualbox guest additions from virtualbox-guest-additions-iso into a
Debian Jessie VM on a Debian Jessie host

   * What was the outcome of this action?
See attached screenshot - a desktop notification pops up which tells the user
that an update is available.

   * What outcome did you expect instead?
No notification. I have this quaint notion that software should not "phone
home" without asking the user for permission and that there should be a
configurable option to suppress such behaviour, which defaults to "off".

This is concerning because it implies that the software checks a central point
somewhere for existence of updates, leaking metadata about the user in the
process. It also increases the attack surface of the machine on which it runs.




-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.5.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

virtualbox-guest-additions-iso depends on no packages.

Versions of packages virtualbox-guest-additions-iso recommends:
ii  virtualbox  5.0.18-dfsg-3~bpo8+1

virtualbox-guest-additions-iso suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: updatenag.png
Type: image/png
Size: 75096 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-virtualbox-devel/attachments/20160503/dcaa359c/attachment-0001.png>

