
Re: squeeze update of virtualbox-ose?

Hi Ben,

sorry for the late answer, but I need to understand how Oracle will continue to play the Open Source game.

They generally refuse to give CVE patches.

Oracle forbids employees to give commit IDs to developers who want to cherry-pick a patch for a CVE.

Months ago Frank (from Oracle) helped us a lot, and now he is on VAC, and nobody so far helped us in fixing the latest CVE in Jessie.

Another CVE has been fixed with a patch from a community member on the vbox mailing list, because my request hasn't been answered by official developers.
(actually the patch was a cherry-pick and it was correct according to my checks, and upstream rejected my tweaks, so I applied it as-is)

If they want to have the package in Debian they need to learn how to help people in packaging it.

Vbox developers don't want to have work troubles by giving patches to us, so for now I just asked for a policy exception for Debian.

That said I'll probably ask for a removal of virtualbox, if we can't guarantee a CVE free stable version.

So, sorry for the long mail, but I have no manpower to maintain this huge package if upstream doesn't help me.

If somebody wants to take a look, they are free to do so; I won't look at it probably for 15 days or more. (I'm really busy with other packages that are much easier to maintain.)

(I know you maintain the linux package, I know it is much harder than virtualbox, this is why I'll try to fix the package as soon as possible)

(sorry for typos and top posting)


Sent from Yahoo Mail on Android

From: "Ben Hutchings" <benh@debian.org>
Date: Thu, 16 Jul, 2015 at 20:40
Subject: squeeze update of virtualbox-ose?

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of virtualbox-ose:

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Ben Hutchings,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:

Ben Hutchings - Debian developer, member of Linux kernel and LTS teams
