Hi Debian Security Team,

(Dear Jonathan, thanks for the heads-up. I tried to avoid cross-posting, and I thought release was a better place than security, so I am dropping -release from the mail cc; let me know if I have to re-add it.)

I would like to ask you whether it is possible to have an exception for Virtualbox Stable Releases.

To avoid duplication, please read bug #794466 for the discussion and my personal POV of the story. I tried to be as verbose as possible; please do not hesitate to ask anything you want if something is not clear enough (or if you want debdiffs, git diff --stat between versions, changelogs or whatever).

(below a little snippet of the last two bug messages)

cheers,

Gianfranco

On Saturday 8 August 2015 23:42, Jonathan Wiltshire <j...@debian.org> wrote:

On Sat, Aug 08, 2015 at 09:23:31PM +0000, Gianfranco Costamagna wrote:
> Virtualbox suffers from many security issues in Debian,
> especially because Upstream (Oracle) refuses to give
> patches for CVEs, and (you can see in the Debian bug
> 794466 an analysis of the Oracle policy and discussion)
> this makes it difficult to handle security uploads in stable
> releases.
>
> The only patch they give for a CVE is "upgrade to the
> next version of the stable branch", and extracting patches
> from the code is not trivial, especially for such a huge package.

You should bring this up with the security team and see whether they are satisfied that previous upstream releases have been of sufficient quality for this to be feasible in the future.

--
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51