[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#794466: Virtualbox might not be suitable for Stretch

On Mon, 2015-08-10 at 07:40 +0200, Markus Frosch wrote:
> > I'm not sure how they handle vulnerabilities. But their release 
> strategy is: ESR and Regular releases. Every security fix goes into 
> the
> > next Regular release, and also the ESR release.
> > 
> > ESR is supported until the next ESR (31 => 38). So usually the 
> Debian Mozilla team prefers the ESR branch for Debian stable.
> > 
> > With VBox, they don't have an ESR model.
> I guess they don't call it ESR or long term support, but as 
> Gianfranco pointed out, they seem to support a lot of major releases 
> currently.
> The main problem is here, do we want to use their upstream releases? 
> In lack of a proper patch source, the Oracle way...

Yes. And I guess this is going to be more of a decision making
challenge for the sec team.

Debian Security Team:

These are what we have currently in Debian:

oldstable: 4.1.18
stable: 4.3.18
testing: 4.3.30

So, to keep the stable version secure in the Oracle way, we'll need to
push it to 4.3.30. Please look at: 
https://www.virtualbox.org/wiki/Changelog-4.3 for the 4.3.x changelog.

Similarly, 4.1.x here: https://www.virtualbox.org/wiki/Changelog-4.1

The good thing is that Oracle declares these as "Maintenance release".
So usual sane practise for them too, should be, to only update it with
Security Fixes. Though this has not been the case in the past. There
have been regressions.

But if the security team can agree up with this release model, then the
VBox team could just keep it up-to-date.

Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: