On 13/03/19 at 22:18 +0100, Ivo De Decker wrote:
> Control: severity -1 serious
> Hi,
> On Mon, Aug 28, 2017 at 03:01:18PM +0200, Lucas Nussbaum wrote:
> > After a private discussion with Gianfranco, I'm retitling this bug and
> > downgrading its severity. (Gianfranco agrees, at least on the general
> > lines of argumentation).
> > 
> > The reasoning is as follows.
> > 
> > Virtualbox did not make it into stretch due to this bug, for good
> > reasons.
> > 
> > We are at the start of the buster release cycle, and we don't know what
> > will be the status at the time of the freeze. The situation around
> > security support should be re-evaluated at the beginning of the buster
> > freeze, but until then, it sounds like a better plan to maximize user
> > testing and allow virtualbox to migrate to testing.
> > 
> > Security support for unstable/testing is not a problem because we are
> > tracking new upstream releases anyway, where issues are being addressed
> > by upstream. Also, there's a public svn repository to get fixes from if
> > necessary.
> Could you clarify how you intend to handle security issues for virtualbox in
> buster? During a brief discussion on irc, the security team made it clear that
> they won't handle that (as the package is in contrib and upstream isn't
> cooperating), so it would be up to the maintainers to handle that.

I'm not a maintainer, but I'm in "To:", so I'll reply anyway, as a heavy
user of Virtualbox (mainly through Vagrant).

I don't know if the security support situation around virtualbox has
improved. I suspect it has not.

The situation we have with stretch, where virtualbox is installable via
stretch-backports, is a good compromise for users in my POV. If the
backports team does not make it a requirement for inclusion in
buster-backports that the package is in testing, I wouldn't mind it
staying out of testing during the buster cycle.

(But again I'm not the maintainer)


Reply via email to