Bug#794466: Virtualbox might not be suitable for Stretch


Bug#794466: Virtualbox might not be suitable for Stretch

Gianfranco Costamagna
Source: virtualbox
Version: 4.3.30-dfsg-1
Severity: critical


X-Debbugs-CC: [hidden email]
X-Debbugs-CC: [hidden email]
X-Debbugs-CC: [hidden email]
X-Debbugs-CC: [hidden email]

(please cc people if needed)
As said in many different threads [1, bottom of the mail], upstream doesn't play in a really fair mode wrt CVEs in the package (it used to, but not for the current CVE list).

This basically makes the package unsuitable for stable releases, since "Upgrade to a newer release" is not the correct answer, and cherry-picking patches without upstream support is just impossible/not easily feasible for such a huge codebase.

I quote a mail from some Vbox upstream developers and Debian folks.

Personal Maintainer opinion:
I do not have anything against Virtualbox nor against upstream, which is made up of competent people who helped us a lot and did great work in merging patches (also my patches) and providing such a good tool for us. I love the package and I would like to see it in Debian, but since people working for Oracle might risk getting punished for not following the Oracle policy, I think we are not sure we can continue providing a CVE-free package for stable releases.

So, while Oracle employees try to find an open-source-friendly way to cooperate with us, I'm opening this bug to let the community be aware of the status quo of the package.


On Tuesday 28 July 2015 14:00:31 Ritesh Raj Sarraf wrote:

> I am writing to you seeking clarification on what the project's stance
> is for Security Vulnerabilities.
>
> As you know, for Debian, we package VirtualBox. Given the breadth of
> the Debian project (oldstable, stable, testing, LTS, derivatives), it
> is important for us to have access to security fixes in an easy format.
>
> https://security-tracker.debian.org/tracker/CVE-2015-2594
>
> For example, for the above CVE, afaik all we have is a consolidated
> report. http://www.oracle.com/technetwork/topics/security/cpujul2015
> -2367936.html
>
> With no broken down fixes in an easy format, it makes it difficult to
> backport those fixes to older versions.

I'm aware of the problem. Unfortunately there is an Oracle policy which
forbids us to provide relevant information about security bugs, see
here:

http://www.oracle.com/us/support/assurance/vulnerability-remediation/disclosure/index.html

We are currently trying to find out what's possible to help you but this
will take some more time.



Thanks folks for the help, I still hope we can solve it in a good way, to avoid the disappearance of Virtualbox there :)


cheers!

Gianfranco


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]


Bug#794466: Virtualbox might not be suitable for Stretch

Markus Frosch-2
On Mon, 3 Aug 2015 10:47:23 +0000 (UTC) Gianfranco Costamagna <
[hidden email]> wrote:
> Source: virtualbox
> Version: 4.3.30-dfsg-1
> Severity: critical


Hi Gianfranco,
thanks for your summary.

Although I'm not involved in maintaining virtualbox, still a few
thoughts:

* What would that mean for Jessie updates?
* Isn't that basically the same problem we have with MySQL,
  or even Iceweasel?

So I think the question is either drop, or work with upstream releases,
which I'd personally prefer.

Even popcon isn't too bad:
https://qa.debian.org/popcon.php?package=virtualbox

Leaving users with the possibility to use upstream packages is also not
very attractive.

Just my few cents :)
Markus


Bug#794466: Virtualbox might not be suitable for Stretch

Gianfranco Costamagna
Hi Debian Release Team,


TL;DR:


Virtualbox suffers from many security issues in Debian,
especially because upstream (Oracle) refuses to give
patches for CVEs, and (you can see in Debian bug
794466 an analysis of the Oracle policy and discussion)
this makes it difficult to handle security uploads in stable
releases.


The only patch they give for a CVE is "upgrade to the
next version of the stable branch", and extracting patches
from the code is not trivial, especially for such a huge package.


My request, based on Markus' mail quoted below
(something I pondered already, I was just waiting for somebody
to make the first move), would be to have a sort of permission
to do the updates to newer stable releases in s-p-u.

e.g.


On oldstable, version 4.1.18-dfsg-2+deb7u5 might become 4.1.30

on stable version 4.3.18 might become 4.3.30 and so on.

Oracle at this moment maintains 4.0.x, 4.1.x, 4.2.x, 4.3.x and 5.0.x
branches, where security fixes all seem to be addressed.

(virtualbox-ose from o-o-s still needs some pinpoint fixes)


So, even if the debdiff might look scary, we might want to
update at least to the corresponding stable branch
to fix bugs and security issues.

Honestly I *never* found a regression in Virtualbox maintenance
releases, nor in backports, and the huge popcon makes it difficult
to just let the package disappear.

I have maintained Virtualbox since ~2013 or so, and I can say that the
maintenance branches do not require new dependencies
(at least they never did; the only build-dependencies we added
in maintenance releases were due to packaging bugs that had to
be fixed, not something that upstream added)



Thanks for your attention,

(note: I did not find any reference on google about this sort
of exception, please feel free to point me to some documentation,
if adding -release to the bug is not enough, or feel free to reassign
to the best meta package bug)


Gianfranco

>Hi Gianfranco,
>thanks for your summary.
>
>Although I'm not involved in maintaining virtualbox, still a few
>thoughts:
>
>* What would that mean for Jessie updates?
>* Isn't that basically the same problem we have with MySQL,
>  or even Iceweasel?
>
>So I think the question is either drop, or work with upstream releases,
>from which I'd personally prefer.
>
>Even popcon isn't too bad:
>https://qa.debian.org/popcon.php?package=virtualbox
>
>Leaving users with the possibility to use upstream packages is also not
>very attractive.
>
>Just me few cents :)
>Markus



Bug#794466: I: Bug#794466: Virtualbox might not be suitable for Stretch

Gianfranco Costamagna
Hi Frank and Release Team,


>Oracle at this moment maintains a 4.0.x 4.1.x 4.2.x 4.3.x 5.0.x
>branches where security fixes seems to be addressed all.
>
>(virtualbox-ose from o-o-s still needs some pinpoint fixes)


virtualbox-ose is at version 3.2.10, and the last release from [1]
is 3.2.28, and released two months ago.

Does this mean that CVE gets fixed on 3.2.x too?


[1] https://www.virtualbox.org/wiki/Changelog-3.2

thanks,

Gianfranco



Bug#794466: Virtualbox might not be suitable for Stretch

Jonathan Wiltshire via nm
In reply to this post by Gianfranco Costamagna
On Sat, Aug 08, 2015 at 09:23:31PM +0000, Gianfranco Costamagna wrote:

> Virtualbox suffers of  many security issues in Debian,
> specially because Upstream (Oracle) refuses to give
> patches for CVEs, and (you can see in the Debian bug
> 794466 an analysis of the Oracle policy and discussion)
> this makes difficult to handle security uploads in stable
> releases.
>
>
> The only patch they give for a CVE is "upgrade to the
> next version of the stable branch", and extracting patches
> from the code is not trivial, specially for such a huge package.
You should bring this up with the security team and see whether they are
satisfied that previous upstream releases have been of sufficient quality
for this to be feasible in the future.


--
Jonathan Wiltshire                                      [hidden email]
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bug#794466: Virtualbox might not be suitable for Stretch

Gianfranco Costamagna
Hi Debian Security Team,


(Dear Jonathan, thanks for the heads-up, I tried to avoid cross-posting,
and I thought release was a better place than security, so I'm dropping
-release from the mail cc, let me know if I have to re-add it)


I would like to ask you whether it is possible to have an exception for
Virtualbox stable releases.

To avoid duplication, please read bug #794466 for the discussion and my
personal POV of the story. I tried to be as verbose as possible,
please do not hesitate to ask anything you want if something is not
clear enough.

(or if you want debdiffs, git diff --stat between versions, changelogs or
whatever).


(below a little snippet of the last two bug messages)


cheers,

Gianfranco



On Saturday 8 August 2015 23:42, Jonathan Wiltshire <[hidden email]> wrote:
On Sat, Aug 08, 2015 at 09:23:31PM +0000, Gianfranco Costamagna wrote:

> Virtualbox suffers of  many security issues in Debian,
> specially because Upstream (Oracle) refuses to give
> patches for CVEs, and (you can see in the Debian bug
> 794466 an analysis of the Oracle policy and discussion)
> this makes difficult to handle security uploads in stable
> releases.
>
>
> The only patch they give for a CVE is "upgrade to the
> next version of the stable branch", and extracting patches
> from the code is not trivial, specially for such a huge package.

You should bring this up with the security team and see whether they are
satisfied that previous upstream releases have been of sufficient quality
for this to be feasible in the future.


--
Jonathan Wiltshire                                      [hidden email]
Debian Developer                        http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



Bug#794466: Virtualbox might not be suitable for Stretch

Ritesh Raj Sarraf-4
In reply to this post by Markus Frosch-2
On Sat, 2015-08-08 at 20:11 +0200, Markus Frosch wrote:

> Hi Gianfranco,
> thanks for your summary.
>
> Although I'm not involved in maintaining virtualbox, still a few
> thoughts:
>
> * What would that mean for Jessie updates?
> * Isn't that basically the same problem we have with MySQL,
>   or even Iceweasel?
>
> So I think the question is either drop, or work with upstream
> releases,
> from which I'd personally prefer.

Not sure about MySQL, but for Iceweasel, is it really like that?

From what I've known, there were trademark issues which led to the
rebranding.


I'm not sure how they handle vulnerabilities. But their release
strategy is: ESR and Regular releases. Every security fix goes into the
next Regular release, and also the ESR release.

ESR is supported until the next ESR (31 => 38). So usually the Debian
Mozilla team prefers the ESR branch for Debian stable.

With VBox, they don't have an ESR model.

--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System


Bug#794466: Virtualbox might not be suitable for Stretch

Markus Frosch-2

On 09.08.2015 12:51, Ritesh Raj Sarraf wrote:
> Not sure about MySQL, but for Iceweasel, is it really like that ?
>
> From what I've known, there were trademark issues which led to the rebranding.

Sorry for being unclear, I meant the usage of upstream releases directly in Debian (security) updates.

> I'm not sure how they handle vulnerabilities. But their release strategy is: ESR and Regular releases. Every security fix goes into the
> next Regular release, and also the ESR release.
>
> ESR is supported until the next ESR (31 => 38). So usually the Debian Mozilla team prefers the ESR branch for Debian stable.
>
> With VBox, they don't have an ESR model.

I guess they don't call it ESR or long term support, but as Gianfranco pointed out, they seem to support a lot of major releases currently.

The main problem here is: do we want to use their upstream releases? For lack of a proper patch source, the Oracle way...

Cheers
Markus Frosch
--
[hidden email] / [hidden email]
http://www.lazyfrosch.de



Bug#794466: Virtualbox might not be suitable for Stretch

Ritesh Raj Sarraf-4
On Mon, 2015-08-10 at 07:40 +0200, Markus Frosch wrote:

> > I'm not sure how they handle vulnerabilities. But their release
> strategy is: ESR and Regular releases. Every security fix goes into
> the
> > next Regular release, and also the ESR release.
> >
> > ESR is supported until the next ESR (31 => 38). So usually the
> Debian Mozilla team prefers the ESR branch for Debian stable.
> >
> > With VBox, they don't have an ESR model.
>
> I guess they don't call it ESR or long term support, but as
> Gianfranco pointed out, they seem to support a lot of major releases
> currently.
>
> The main problem is here, do we want to use their upstream releases?
> In lack of a proper patch source, the Oracle way...
Yes. And I guess this is going to be more of a decision making
challenge for the sec team.


Debian Security Team:

These are what we have currently in Debian:

oldstable: 4.1.18
stable: 4.3.18
testing: 4.3.30



So, to keep the stable version secure in the Oracle way, we'll need to
push it to 4.3.30. Please look at:
https://www.virtualbox.org/wiki/Changelog-4.3 for the 4.3.x changelog.

Similarly, 4.1.x here: https://www.virtualbox.org/wiki/Changelog-4.1

The good thing is that Oracle declares these as "Maintenance release".
So the usual sane practice for them too should be to only update it with
security fixes. Though this has not been the case in the past. There
have been regressions.


But if the security team can agree with this release model, then the
VBox team could just keep it up-to-date.


--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System


Bug#794466: Virtualbox might not be suitable for Stretch

Gianfranco Costamagna
Hi,

>Debian Security Team:


>These are what we have currently in Debian:
>
>oldstable: 4.1.18
>stable: 4.3.18
>testing: 4.3.30



I would add (as Ben requested)

old-old-stable 3.2.10 --> 3.2.28
(this will fix AFAICS all the CVEs on o-o-stable, but not the latest one)


https://www.virtualbox.org/wiki/Changelog-3.2

>So, to keep the stable version secure in the Oracle way, we'll need to
>push it to 4.3.30. Please look at:
>https://www.virtualbox.org/wiki/Changelog-4.3 for the 4.3.x changelog.
>
>Similarly, 4.1.x here: https://www.virtualbox.org/wiki/Changelog-4.1
>
>The good thing is that Oracle declares these as "Maintenance release".
>So usual sane practise for them too, should be, to only update it with
>Security Fixes. Though this has not been the case in the past. There
>have been regressions.


I do not recall any regressions there, at least between stable minor releases
(I recall regressions between 4.1.x and 4.3.x)

However the changelogs mention a couple of them, so it must be right :)

>But if the security team can agree up with this release model, then the
>VBox team could just keep it up-to-date.



Yes, otherwise the points remain:

1) leave the oracle with CVEs in stable releases

or

2) have an exception from Security Team and/or Release Team

or

3) wait and hope Oracle will change the model or make an exception

----


1) means VBox disappearing from Testing, I'm afraid

2) We will continue to provide new security releases, and fix almost all the CVEs around here
(except for one in o-o-stable)
3) this is kind of impossible right now I guess (even if Oracle employees are continuing
to try to get it)


BTW having the "stable maintenance releases" on Debian stable releases will allow people to rebuild
kernel modules on their own, because usually people upgrade
their kernel while running stable, and virtualbox usually doesn't compile anymore
with them.

Ubuntu followed a slightly different model: they started embedding the virtualbox modules
in the linux kernel, while in Debian we are forced to update virtualbox on stable,
or close the bugs reported with "notfix" (and ask people to run it from testing instead).

So the annoying kernel module rebuilds might be fixed too here :)


cheers,

Gianfranco



Bug#794466: Virtualbox might not be suitable for Stretch

Ritesh Raj Sarraf-4


On Mon, 2015-08-10 at 07:16 +0000, Gianfranco Costamagna wrote:

> >But if the security team can agree up with this release model, then
> the
> >VBox team could just keep it up-to-date.
>
>
>
> Yes, otherwise the points remains:
>
> 1) leave the oracle with CVEs in stable releases
>
> or
>
> 2) have an exception from Security Team and/or Release Team
>
> or
>
> 3) wait and hope Oracle will change the model or make an exception
>
> ----
>
>
> 1) means a disappear of VBox from Testing I'm afraid
>
> 2) We will continue to provide security new releases, and fix almost
> all the CVEs around here
> (except for one in o-o-stable)
> 3) this is kind of impossible right now I guess (even if Oracle
> employees are continuing
> to try to have it)

Does anyone know what the Fedora project's stand is on VBox?
From what I've checked so far, Fedora does not ship VBox. But I'm not
sure what their reasons are...


--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System


Bug#794466: Virtualbox might not be suitable for Stretch

Moritz Muehlenhoff-5
In reply to this post by Gianfranco Costamagna
On Mon, Aug 10, 2015 at 07:16:59AM +0000, Gianfranco Costamagna wrote:

> Yes, otherwise the points remains:
>
> 1) leave the oracle with CVEs in stable releases
>
> or
>
> 2) have an exception from Security Team and/or Release Team
>
> or
>
> 3) wait and hope Oracle will change the model or make an exception

We'll have a security team meeting at DebConf and will discuss
virtualbox as well.

Cheers,
        Moritz


Bug#794466: Virtualbox might not be suitable for Stretch

Gianfranco Costamagna
Hi Moritz,

>
>We'll have a security team meeting at DebConf and will discuss
>virtualbox as well.


following up on the DebConf discussion,
I did update vbox for wheezy and jessie, on
the respective branches on git (named with the codenames)
targeted at -security.

http://anonscm.debian.org/cgit/pkg-virtualbox/virtualbox.git/log/?h=jessie
http://anonscm.debian.org/cgit/pkg-virtualbox/virtualbox.git/log/?h=wheezy

jessie is going from 4.3.18 to 4.3.30, while wheezy is going from 4.1.18 to 4.1.40

builds are also available from DebOMatic
http://debomatic-amd64.debian.net/distribution#oldstable/virtualbox/4.1.40-dfsg-1+deb7u1/lintian
http://debomatic-amd64.debian.net/distribution#stable/virtualbox/4.3.30-dfsg-1+deb8u1/buildlog


I tried to keep changes as minimal as possible, with just some patch refreshing and nothing more.
(and for the changelogs, well, please tell me the best way to update them, because I honestly don't know)





I plan to do the same with virtualbox-ose and squeeze if you allow me to (from 3.2.10 to 3.2.28).

I did some basic testing with both jessie and wheezy in that way.

1) Installed jessie on virtualbox.
2) Installed virtualbox inside the jessie VM (from apt)
3) installed Ubuntu vivid 32 bit in the virtualbox inside the VM
4) updated vbox with the DoM build
5) tested if the VM was still running correctly.

The same for wheezy, and all the tests were successful.

Let me know if something is blocking the uploads, or if I can do them by myself (I guess policy and the manual
don't allow DDs to push to security directly).

I don't know exactly which CVEs are fixed, but at least for 4.1.x and 4.3.x ALL of them should be covered.

For vbox ose I guess CVE-2015-2594 will be left out, the only one for which we don't have a targeted patch from upstream.

cheers,

G.


Bug#794466: marked as done (Virtualbox might not be suitable for Stretch)

Debian Bug Tracking System
In reply to this post by Gianfranco Costamagna
Your message dated Mon, 14 Sep 2015 16:52:32 +0000 (UTC)
with message-id <[hidden email]>
and subject line closing!
has caused the Debian Bug report #794466,
regarding Virtualbox might not be suitable for Stretch
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [hidden email]
immediately.)


--
794466: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794466
Debian Bug Tracking System
Contact [hidden email] with problems

Hi, Virtualbox is finally CVE free in wheezy and jessie.

thanks to all for the support!

cheers,

G.

Processed (with 1 error): Re: virtualbox: Virtualbox might not be suitable for testing

Debian Bug Tracking System
In reply to this post by Gianfranco Costamagna
Processing control commands:

> reopen -1 thanks
Failed to reopen 794466: New submitter address 'thanks' is not a valid e-mail address.

> found -1 5.0.6-dfsg-1
Bug #794466 [src:virtualbox] Virtualbox might not be suitable for Stretch
Marked as found in versions virtualbox/5.0.6-dfsg-1.

--
794466: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794466
Debian Bug Tracking System
Contact [hidden email] with problems


Processed: Re: Bug#794466: VIrtualBox future in Debian

Debian Bug Tracking System
In reply to this post by Gianfranco Costamagna
Processing control commands:

> affects -1 src:virtualbox-guest-additions-iso
Bug #794466 [src:virtualbox] Virtualbox might not be suitable for Stretch
Ignoring request to set affects of bug 794466 to the same value previously set
> found -1 virtualbox-guest-additions-iso/5.1.22-1
Bug #794466 [src:virtualbox] Virtualbox might not be suitable for Stretch
Marked as found in versions virtualbox-guest-additions-iso/5.1.22-1.
> severity -1 serious
Bug #794466 [src:virtualbox] Virtualbox might not be suitable for Stretch
Severity set to 'serious' from 'critical'

--
794466: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794466
Debian Bug Tracking System
Contact [hidden email] with problems


Bug#794466: Virtualbox might not be suitable for Stretch

Lucas Nussbaum-4
In reply to this post by Gianfranco Costamagna
Control: retitle -1 virtualbox: might not be suitable for stable releases due to lack of cooperation from upstream on security support for older releases
Control: severity -1 important

Hi,

After a private discussion with Gianfranco, I'm retitling this bug and
downgrading its severity. (Gianfranco agrees, at least on the general
lines of argumentation).

The reasoning is as follows.

Virtualbox did not make it into stretch due to this bug, for good
reasons.

We are at the start of the buster release cycle, and we don't know what
will be the status at the time of the freeze. The situation around
security support should be re-evaluated at the beginning of the buster
freeze, but until then, it sounds like a better plan to maximize user
testing and allow virtualbox to migrate to testing.

Security support for unstable/testing is not a problem because we are
tracking new upstream releases anyway, where issues are being addressed
by upstream. Also, there's a public svn repository to get fixes from if
necessary.

Cheers,

Lucas


Processed: Re: Bug#794466: Virtualbox might not be suitable for Stretch

Debian Bug Tracking System
In reply to this post by Gianfranco Costamagna
Processing control commands:

> retitle -1 virtualbox: might not be suitable for stable releases due to lack of cooperation from upstream on security support for older releases
Bug #794466 [src:virtualbox] Virtualbox might not be suitable for Stretch
Changed Bug title to 'virtualbox: might not be suitable for stable releases due to lack of cooperation from upstream on security support for older releases' from 'Virtualbox might not be suitable for Stretch'.
> severity -1 important
Bug #794466 [src:virtualbox] virtualbox: might not be suitable for stable releases due to lack of cooperation from upstream on security support for older releases
Severity set to 'important' from 'serious'

--
794466: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794466
Debian Bug Tracking System
Contact [hidden email] with problems


Processed: Re: Bug#794466: Virtualbox might not be suitable for Stretch

Debian Bug Tracking System
In reply to this post by Gianfranco Costamagna
Processing control commands:

> severity -1 serious
Bug #794466 [src:virtualbox] virtualbox: might not be suitable for stable releases due to lack of cooperation from upstream on security support for older releases
Severity set to 'serious' from 'important'

--
794466: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794466
Debian Bug Tracking System
Contact [hidden email] with problems


Bug#794466: Virtualbox might not be suitable for Stretch

Gianfranco Costamagna via nm
In reply to this post by Gianfranco Costamagna
As said on irc:

1) I don't want to ship the package in Buster if the security team can't handle security updates
2) I don't want the security team to handle them; in that case I'll provide them the stuff that can be sponsored (as we did in the past).

In case the new micro releases are not shipped anymore by upstream, we can declare the security support as finished.


So, my solution is "best effort security updates", but only if the security team is ok with this approach.

G.
