On Sat, Aug 08, 2015 at 09:23:31PM +0000, Gianfranco Costamagna wrote:
> Virtualbox suffers from many security issues in Debian,
> especially because Upstream (Oracle) refuses to give
> patches for CVEs, and (you can see in the Debian bug
> 794466 an analysis of the Oracle policy and discussion)
> this makes it difficult to handle security uploads in stable
> releases.
>
> The only patch they give for a CVE is "upgrade to the
> next version of the stable branch", and extracting patches
> from the code is not trivial, especially for such a huge package.

You should bring this up with the security team and see whether they are
satisfied that previous upstream releases have been of sufficient quality
for this to be feasible in the future.

--
Jonathan Wiltshire
j...@debian.org
Debian Developer
http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51