Re: Bug#794466: Virtualbox might not be suitable for Stretch

[Gianfranco Costamagna <costamagnagianfranco@yahoo.it>]

Hi Debian Security Team,


(Dear Jonathan, thanks for the heads-up, I tried to avoid cross-posting,
and I thought release was a better place then security, so dropping
-release from the mail cc, let me know if I have to readd it)


I would like to ask you whether is possible to have an exception for
Virtualbox Stable Releases.

To avoid duplication, please read bug #794466 for the discussion and my
personal POV of the story, I tried to be as much verbose as possible,
please do not hesitate to ask anything you want if something is not
clear enough.

(or if you want debdiffs, git diff --stat between versions, changelogs or
whatever).


(below a little snippet of the last two bug messages)


cheers,

Gianfranco



Il Sabato 8 Agosto 2015 23:42, Jonathan Wiltshire <jmw@debian.org> ha scritto:
On Sat, Aug 08, 2015 at 09:23:31PM +0000, Gianfranco Costamagna wrote:

> Virtualbox suffers of  many security issues in Debian,
> specially because Upstream (Oracle) refuses to give
> patches for CVEs, and (you can see in the Debian bug
> 794466 an analysis of the Oracle policy and discussion)
> this makes difficult to handle security uploads in stable
> releases.
> 
> 
> The only patch they give for a CVE is "upgrade to the
> next version of the stable branch", and extracting patches
> from the code is not trivial, specially for such a huge package.

You should bring this up with the security team and see whether they are
satisfied that previous upstream releases have been of sufficient quality
for this to be feasible in the future.


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                        http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51