[Pkg-virtualbox-devel] Bug#823347: virtualbox-guest-additions-iso: Checks for updates without user consent or configurability
Gianfranco Costamagna
locutusofborg at debian.org
Fri May 6 10:22:46 UTC 2016
control: tags -1 moreinfo
control: tags -1 wontfix
Hi, some questions:
1) how can you be sure that it calls home and it doesn't instead ask the host about its version?
In my opinion it doesn't make remote calls; in my experience I saw that message days after the upstream release, and always after I updated the host virtualbox (I update it frequently, so I might not have a good test case).
2) Here we package the official iso as-is, without changing any bits, so this bug, even if it really is a bug, is unfixable.
You might want to test the virtualbox-guest-* packages, which are instead built from the upstream sources.
cheers,
G.
On Tuesday, 3 May 2016 22:21, qazwsxedc <qazwsxedc at gmx.net> wrote:
Package: virtualbox-guest-additions-iso
Version: 5.0.16-1
Severity: normal
Dear Maintainer,
* What led up to the situation?
The Virtualbox guest additions appear to include functionality which "phones
home" and checks for updates being available, then notifies the user about them
if any are.
* What exactly did you do (or not do) that was effective (or ineffective)?
Installed Virtualbox guest additions from virtualbox-guest-additions-iso into a
Debian Jessie VM on a Debian Jessie host
* What was the outcome of this action?
See attached screenshot - a desktop notification pops up which tells the user
that an update is available.
* What outcome did you expect instead?
No notification. I have this quaint notion that software should not "phone
home" without asking the user for permission and that there should be a
configurable option to suppress such behaviour, which defaults to "off".
This is concerning because it implies that the software checks a central point
somewhere for existence of updates, leaking metadata about the user in the
process. It also increases the attack surface of the machine on which it runs.
-- System Information:
Debian Release: 8.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.5.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
virtualbox-guest-additions-iso depends on no packages.
Versions of packages virtualbox-guest-additions-iso recommends:
ii virtualbox 5.0.18-dfsg-3~bpo8+1
virtualbox-guest-additions-iso suggests no packages.
-- no debconf information