
Re: Bug#794466: Virtualbox might not be suitable for Stretch



On Mon, 2015-08-10 at 07:40 +0200, Markus Frosch wrote:
> > I'm not sure how they handle vulnerabilities. But their release
> > strategy is: ESR and Regular releases. Every security fix goes into
> > the next Regular release, and also the ESR release.
> > 
> > ESR is supported until the next ESR (31 => 38). So usually the
> > Debian Mozilla team prefers the ESR branch for Debian stable.
> > 
> > With VBox, they don't have an ESR model.
> 
> I guess they don't call it ESR or long term support, but as 
> Gianfranco pointed out, they seem to support a lot of major releases 
> currently.
> 
> The main problem here is: do we want to use their upstream releases?
> In the absence of a proper patch source, the Oracle way...

Yes. And I guess this is going to be more of a decision-making
challenge for the sec team.


Debian Security Team:

These are what we have currently in Debian:

oldstable: 4.1.18
stable: 4.3.18
testing: 4.3.30



So, to keep the stable version secure in the Oracle way, we'll need to
push it to 4.3.30. Please look at: 
https://www.virtualbox.org/wiki/Changelog-4.3 for the 4.3.x changelog.

Similarly, 4.1.x here: https://www.virtualbox.org/wiki/Changelog-4.1

The good thing is that Oracle declares these as "Maintenance releases".
So the usual sane practice for them, too, should be to only update them
with security fixes. Though this has not been the case in the past: there
have been regressions.


But if the security team can agree with this release model, then the
VBox team could just keep it up to date.


-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
