Control: severity -1 serious Hi,
On Mon, Aug 28, 2017 at 03:01:18PM +0200, Lucas Nussbaum wrote: > After a private discussion with Gianfranco, I'm retitling this bug and > downgrading its severity. (Gianfranco agrees, at least on the general > lines of argumentation). > > The reasoning is as follows. > > Virtualbox did not make it into stretch due to this bug, for good > reasons. > > We are at the start of the buster release cycle, and we don't know what > will be the status at the time of the freeze. The situation around > security support should be re-evaluated at the beginning of the buster > freeze, but until then, it sounds like a better plan to maximize user > testing and allow virtualbox to migrate to testing. > > Security support for unstable/testing is not a problem because we are > tracking new upstream releases anyway, where issues are being addressed > by upstream. Also, there's a public svn repository to get fixes from if > necessary. Could you clarify how you intend to handle security issues for virtualbox in buster? During a brief discussion on irc, the security team made it clear that they won't handle that (as the package is in contrib and upstream isn't cooperating), so it would be up to the maintainers to handle that. Thanks, Ivo
