Hi, On 13/03/19 at 22:18 +0100, Ivo De Decker wrote: > Control: severity -1 serious > > Hi, > > On Mon, Aug 28, 2017 at 03:01:18PM +0200, Lucas Nussbaum wrote: > > After a private discussion with Gianfranco, I'm retitling this bug and > > downgrading its severity. (Gianfranco agrees, at least on the general > > lines of argumentation). > > > > The reasoning is as follows. > > > > Virtualbox did not make it into stretch due to this bug, for good > > reasons. > > > > We are at the start of the buster release cycle, and we don't know what > > will be the status at the time of the freeze. The situation around > > security support should be re-evaluated at the beginning of the buster > > freeze, but until then, it sounds like a better plan to maximize user > > testing and allow virtualbox to migrate to testing. > > > > Security support for unstable/testing is not a problem because we are > > tracking new upstream releases anyway, where issues are being addressed > > by upstream. Also, there's a public svn repository to get fixes from if > > necessary. > > Could you clarify how you intend to handle security issues for virtualbox in > buster? During a brief discussion on irc, the security team made it clear that > they won't handle that (as the package is in contrib and upstream isn't > cooperating), so it would be up to the maintainers to handle that.
I'm not a maintainer, but I'm in "To:", so I'll reply anyway, as a heavy user of Virtualbox (mainly through Vagrant). I don't know if the security support situation around virtualbox has improved. I suspect it has not. The situation we have with stretch, where virtualbox is installable via stretch-backports, is a good compromise for users in my POV. If the backports team does not make it a requirement for inclusion in buster-backports that the package is in testing, I wouldn't mind it staying out of testing during the buster cycle. (But again I'm not the maintainer) Lucas
