Your message dated Sat, 28 May 2016 17:45:32 +0000 (UTC)
with message-id <[email protected]>
and subject line Re: Aw: Re: Bug#823347: virtualbox-guest-additions-iso: Checks 
for updates without user consent or configurability
has caused the Debian Bug report #823347,
regarding virtualbox-guest-additions-iso: Checks for updates without user 
consent or configurability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
823347: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823347
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: virtualbox-guest-additions-iso
Version: 5.0.16-1
Severity: normal

Dear Maintainer,

   * What led up to the situation?
The Virtualbox guest additions appear to include functionality which "phones
home" and checks for updates being available, then notifies the user about them
if any are.

   * What exactly did you do (or not do) that was effective (or ineffective)?
Installed Virtualbox guest additions from virtualbox-guest-additions-iso into a
Debian Jessie VM on a Debian Jessie host

   * What was the outcome of this action?
See attached screenshot - a desktop notification pops up which tells the user
that an update is available.

   * What outcome did you expect instead?
No notification. I have this quaint notion that software should not "phone
home" without asking the user for permission and that there should be a
configurable option to suppress such behaviour, which defaults to "off".

This is concerning because it implies that the software checks a central point
somewhere for existence of updates, leaking metadata about the user in the
process. It also increases the attack surface of the machine on which it runs.




-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.5.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

virtualbox-guest-additions-iso depends on no packages.

Versions of packages virtualbox-guest-additions-iso recommends:
ii  virtualbox  5.0.18-dfsg-3~bpo8+1

virtualbox-guest-additions-iso suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Hi,

>I can't be sure it calls home, but I concluded that it did this from the 
>wording of the notification, along the lines of "a new version is available". 
>This implies it checked elsewhere, found a new version and said so. If in 
>fact all it does is to compare versions of the guest additions and of the 
>host, notice a difference, and display a notification then it would help to 
>avoid confusion if the notification said so, perhaps along the lines of "guest 
>additions and host are at different version levels - do you want to update?"


As said before, the virtualbox-guest-additions-iso is an ISO image that comes 
from upstream, and we inject it inside the guest.
So, no patching in a sane way is possible.
I could patch the virtualbox-guest-* packages, but this will result in a 
different behavior from the upstream guest stuff and the Debian-provided one.

If you want to change the wording, I suggest you submit a patch upstream (or 
a bug), and Debian will have the fix in the next release.

thanks for caring!

Gianfranco

Sent: Friday, 06 May 2016 at 11:22
From: "Gianfranco Costamagna" <[email protected]>
To: qazwsxedc <[email protected]>, "[email protected]" 
<[email protected]>
Subject: Re: Bug#823347: virtualbox-guest-additions-iso: Checks for updates 
without user consent or configurability
control: tags -1 moreinfo
control: tags -1 wontfix

Hi, some questions:

1) how can you be sure that it calls home and it doesn't instead ask the host 
about its version?


In my opinion it doesn't do remote calls; in my experience I saw that message 
days after the upstream release, and always after I updated the host virtualbox 
(I update it frequently, so I might not have a good testcase).


2) Here we package the official ISO as-is, without changing any bits, so this 
bug, even if really a bug, is unfixable.

You might want to test the virtualbox-guest-* packages, which instead are built 
from the upstream sources.


cheers,

G.




On Tuesday, 3 May 2016 22:21, qazwsxedc <[email protected]> wrote:
Package: virtualbox-guest-additions-iso
Version: 5.0.16-1
Severity: normal

Dear Maintainer,

* What led up to the situation?
The Virtualbox guest additions appear to include functionality which "phones
home" and checks for updates being available, then notifies the user about them
if any are.

* What exactly did you do (or not do) that was effective (or ineffective)?
Installed Virtualbox guest additions from virtualbox-guest-additions-iso into a
Debian Jessie VM on a Debian Jessie host

* What was the outcome of this action?
See attached screenshot - a desktop notification pops up which tells the user
that an update is available.

* What outcome did you expect instead?
No notification. I have this quaint notion that software should not "phone
home" without asking the user for permission and that there should be a
configurable option to suppress such behaviour, which defaults to "off".

This is concerning because it implies that the software checks a central point
somewhere for existence of updates, leaking metadata about the user in the
process. It also increases the attack surface of the machine on which it runs.




-- System Information:
Debian Release: 8.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.5.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

virtualbox-guest-additions-iso depends on no packages.

Versions of packages virtualbox-guest-additions-iso recommends:
ii virtualbox 5.0.18-dfsg-3~bpo8+1

virtualbox-guest-additions-iso suggests no packages.

-- no debconf information

--- End Message ---
