Debian Bug report logs -
#794466
virtualbox: might not be suitable for stable releases due to lack of cooperation from upstream on security support for older releases
Reported by: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
Date: Mon, 3 Aug 2015 10:51:02 UTC
Severity: important
Tags: buster, sid, stretch
Found in versions virtualbox/4.3.30-dfsg-1, virtualbox/5.0.4-dfsg-4, virtualbox/5.0.6-dfsg-1, virtualbox-guest-additions-iso/5.1.22-1
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 03 Aug 2015 10:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
New Bug report received and forwarded. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 03 Aug 2015 10:51:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: virtualbox
Version: 4.3.30-dfsg-1
Severity: critical
X-Debbugs-CC: jmm@inutil.org
X-Debbugs-CC: rrs@debian.org
X-Debbugs-CC: frank.mehnert@oracle.com
X-Debbugs-CC: klaus.espenlaub@oracle.com
(please cc people if needed)
As said in many different threads [1 bottom of the mail], Upstream doesn't play in a really fair mode wrt CVEs in the package (it used to, but not for the current CVE list).
This basically makes the package unsuitable for Stable Releases, since "Upgrade to a newer release" is not the correct answer, and
cherry-picking patches without upstream support is just impossible/not easily feasible for such a huge codebase.
I quote a mail from some Vbox upstream developers and Debian folks.
Personal Maintainer opinion:
I do not have anything against Virtualbox nor against Upstream, made up of competent people who helped us a lot, and did great work in merging
patches (also my patches) and providing such a good tool for us. I love the package and I would like to see it in Debian, but since people working for Oracle might risk being punished for not following the Oracle policy, I think we are not sure we can continue giving a CVE-free package for Stable Releases.
So, while Oracle employees try to find an Open Source friendly way to cooperate with us, I'm opening this bug to let the community be aware of the status quo of the package.
On Tuesday 28 July 2015 14:00:31 Ritesh Raj Sarraf wrote:
> I am writing to you seeking clarification on what the project's stance
> is for Security Vulnerabilities.
>
> As you know, for Debian, we package VirtualBox. Given the breadth of
> the Debian project (oldstable, stable, testing, LTS, derivatives), it
> is important for us to have access to security fixes in an easy format.
>
> https://security-tracker.debian.org/tracker/CVE-2015-2594
>
> For example, for the above CVE, afaik all we have is a consolidated
> report. http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
>
> With no broken down fixes in an easy format, it makes it difficult to
> backport those fixes to older versions.
I'm aware of the problem. Unfortunately there is an Oracle policy which
forbids us to provide relevant information about security bugs, see
here:
http://www.oracle.com/us/support/assurance/vulnerability-remediation/disclosure/index.html
We are currently trying to find out what's possible to help you but this
will take some more time.
thanks folks for the help, I still hope we can solve it in a good way, to avoid the disappearance of Virtualbox there :)
cheers!
Gianfranco
Added tag(s) sid and stretch.
Request was from Gianfranco Costamagna <costamagnagianfranco@yahoo.it>
to control@bugs.debian.org.
(Fri, 07 Aug 2015 13:45:06 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Sat, 08 Aug 2015 18:21:11 GMT) (full text, mbox, link).
Acknowledgement sent
to Markus Frosch <lazyfrosch@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Sat, 08 Aug 2015 18:21:11 GMT) (full text, mbox, link).
Message #12 received at 794466@bugs.debian.org (full text, mbox, reply):
On Mon, 3 Aug 2015 10:47:23 +0000 (UTC) Gianfranco Costamagna <costamagnagianfranco@yahoo.it> wrote:
> Source: virtualbox
> Version: 4.3.30-dfsg-1
> Severity: critical
Hi Gianfranco,
thanks for your summary.
Although I'm not involved in maintaining virtualbox, still a few
thoughts:
* What would that mean for Jessie updates?
* Isn't that basically the same problem we have with MySQL,
or even Iceweasel?
So I think the question is either drop, or work with upstream releases,
from which I'd personally prefer.
Even popcon isn't too bad:
https://qa.debian.org/popcon.php?package=virtualbox
Leaving users with the possibility to use upstream packages is also not
very attractive.
Just my few cents :)
Markus
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Sat, 08 Aug 2015 21:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Sat, 08 Aug 2015 21:27:03 GMT) (full text, mbox, link).
Message #17 received at 794466@bugs.debian.org (full text, mbox, reply):
Hi Debian Release Team,
TL;DR:
Virtualbox suffers from many security issues in Debian,
especially because Upstream (Oracle) refuses to give
patches for CVEs, and (you can see in the Debian bug
794466 an analysis of the Oracle policy and discussion)
this makes it difficult to handle security uploads in stable
releases.
The only patch they give for a CVE is "upgrade to the
next version of the stable branch", and extracting patches
from the code is not trivial, especially for such a huge package.
My request, based on Markus' mail quoted below
(something I pondered already, I was just waiting for somebody
to do the first move), would be to have a sort of permission
to do the updates to newer stable releases in s-p-u.
e.g.
On oldstable, version 4.1.18-dfsg-2+deb7u5 might become 4.1.30
on stable version 4.3.18 might become 4.3.30 and so on.
Oracle at this moment maintains 4.0.x, 4.1.x, 4.2.x, 4.3.x and 5.0.x
branches where all security fixes seem to be addressed.
(virtualbox-ose from o-o-s still needs some pinpoint fixes)
So, even if the debdiff might look scary, we might want to
update at least to the corresponding stable branch
to fix bugs and security issues.
Honestly I *never* found a regression in Virtualbox maintenance
releases, nor in backports, and the huge popcon makes it difficult
to just let the package disappear.
I have maintained Virtualbox since ~2013 or so, and I can say that the
maintenance branches do not require new dependencies
(at least they never did, the only build-dependencies we added
in maintenance releases were due to packaging bugs that had to
be fixed, not something that upstream added)
Thanks for your attention,
(note: I did not find any reference on google about this sort
of exception, please feel free to point me to some documentation,
if adding -release to the bug is not enough, or feel free to reassign
to the best meta package bug)
Gianfranco
>Hi Gianfranco,
>thanks for your summary.
>
>Although I'm not involved in maintaining virtualbox, still a few
>thoughts:
>
>* What would that mean for Jessie updates?
>* Isn't that basically the same problem we have with MySQL,
> or even Iceweasel?
>
>So I think the question is either drop, or work with upstream releases,
>from which I'd personally prefer.
>
>Even popcon isn't too bad:
>https://qa.debian.org/popcon.php?package=virtualbox
>
>Leaving users with the possibility to use upstream packages is also not
>very attractive.
>
>Just my few cents :)
>Markus
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Sat, 08 Aug 2015 21:33:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Sat, 08 Aug 2015 21:33:10 GMT) (full text, mbox, link).
Message #22 received at 794466@bugs.debian.org (full text, mbox, reply):
Hi Frank and Release Team,
>Oracle at this moment maintains 4.0.x, 4.1.x, 4.2.x, 4.3.x and 5.0.x
>branches where all security fixes seem to be addressed.
>
>(virtualbox-ose from o-o-s still needs some pinpoint fixes)
virtualbox-ose is at version 3.2.10, and the last release from [1]
is 3.2.28, released two months ago.
Does this mean that CVEs get fixed on 3.2.x too?
[1] https://www.virtualbox.org/wiki/Changelog-3.2
thanks,
Gianfranco
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Sat, 08 Aug 2015 21:45:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Sat, 08 Aug 2015 21:45:03 GMT) (full text, mbox, link).
Message #27 received at 794466@bugs.debian.org (full text, mbox, reply):
On Sat, Aug 08, 2015 at 09:23:31PM +0000, Gianfranco Costamagna wrote:
> Virtualbox suffers from many security issues in Debian,
> especially because Upstream (Oracle) refuses to give
> patches for CVEs, and (you can see in the Debian bug
> 794466 an analysis of the Oracle policy and discussion)
> this makes it difficult to handle security uploads in stable
> releases.
>
>
> The only patch they give for a CVE is "upgrade to the
> next version of the stable branch", and extracting patches
> from the code is not trivial, especially for such a huge package.
You should bring this up with the security team and see whether they are
satisfied that previous upstream releases have been of sufficient quality
for this to be feasible in the future.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Sat, 08 Aug 2015 21:51:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Sat, 08 Aug 2015 21:51:04 GMT) (full text, mbox, link).
Message #32 received at 794466@bugs.debian.org (full text, mbox, reply):
Hi Debian Security Team,
(Dear Jonathan, thanks for the heads-up, I tried to avoid cross-posting,
and I thought release was a better place than security, so dropping
-release from the mail cc, let me know if I have to re-add it)
I would like to ask you whether it is possible to have an exception for
Virtualbox Stable Releases.
To avoid duplication, please read bug #794466 for the discussion and my
personal POV of the story, I tried to be as verbose as possible,
please do not hesitate to ask anything you want if something is not
clear enough.
(or if you want debdiffs, git diff --stat between versions, changelogs or
whatever).
(below a little snippet of the last two bug messages)
cheers,
Gianfranco
On Saturday 8 August 2015 23:42, Jonathan Wiltshire <jmw@debian.org> wrote:
On Sat, Aug 08, 2015 at 09:23:31PM +0000, Gianfranco Costamagna wrote:
> Virtualbox suffers from many security issues in Debian,
> especially because Upstream (Oracle) refuses to give
> patches for CVEs, and (you can see in the Debian bug
> 794466 an analysis of the Oracle policy and discussion)
> this makes it difficult to handle security uploads in stable
> releases.
>
>
> The only patch they give for a CVE is "upgrade to the
> next version of the stable branch", and extracting patches
> from the code is not trivial, especially for such a huge package.
You should bring this up with the security team and see whether they are
satisfied that previous upstream releases have been of sufficient quality
for this to be feasible in the future.
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Sun, 09 Aug 2015 10:54:04 GMT) (full text, mbox, link).
Acknowledgement sent
to rrs@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Sun, 09 Aug 2015 10:54:04 GMT) (full text, mbox, link).
Message #37 received at 794466@bugs.debian.org (full text, mbox, reply):
On Sat, 2015-08-08 at 20:11 +0200, Markus Frosch wrote:
> Hi Gianfranco,
> thanks for your summary.
>
> Although I'm not involved in maintaining virtualbox, still a few
> thoughts:
>
> * What would that mean for Jessie updates?
> * Isn't that basically the same problem we have with MySQL,
> or even Iceweasel?
>
> So I think the question is either drop, or work with upstream
> releases,
> from which I'd personally prefer.
Not sure about MySQL, but for Iceweasel, is it really like that ?
From what I've known, there were trademark issues which led to the
rebranding.
I'm not sure how they handle vulnerabilities. But their release
strategy is: ESR and Regular releases. Every security fix goes into the
next Regular release, and also the ESR release.
ESR is supported until the next ESR (31 => 38). So usually the Debian
Mozilla team prefers the ESR branch for Debian stable.
With VBox, they don't have an ESR model.
--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 10 Aug 2015 05:42:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Markus Frosch <lazyfrosch@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 10 Aug 2015 05:42:04 GMT) (full text, mbox, link).
Message #42 received at 794466@bugs.debian.org (full text, mbox, reply):
On 09.08.2015 12:51, Ritesh Raj Sarraf wrote:
> Not sure about MySQL, but for Iceweasel, is it really like that ?
>
> From what I've known, there were trademark issues which led to the rebranding.
Sorry for being unclear, I meant the usage of upstream releases directly in Debian (security) updates.
> I'm not sure how they handle vulnerabilities. But their release strategy is: ESR and Regular releases. Every security fix goes into the
> next Regular release, and also the ESR release.
>
> ESR is supported until the next ESR (31 => 38). So usually the Debian Mozilla team prefers the ESR branch for Debian stable.
>
> With VBox, they don't have an ESR model.
I guess they don't call it ESR or long term support, but as Gianfranco pointed out, they seem to support a lot of major releases currently.
The main problem is here, do we want to use their upstream releases? In lack of a proper patch source, the Oracle way...
Cheers
Markus Frosch
--
markus@lazyfrosch.de / lazyfrosch@debian.org
http://www.lazyfrosch.de
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 10 Aug 2015 06:36:04 GMT) (full text, mbox, link).
Acknowledgement sent
to rrs@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 10 Aug 2015 06:36:04 GMT) (full text, mbox, link).
Message #47 received at 794466@bugs.debian.org (full text, mbox, reply):
On Mon, 2015-08-10 at 07:40 +0200, Markus Frosch wrote:
> > I'm not sure how they handle vulnerabilities. But their release
> strategy is: ESR and Regular releases. Every security fix goes into
> the
> > next Regular release, and also the ESR release.
> >
> > ESR is supported until the next ESR (31 => 38). So usually the
> Debian Mozilla team prefers the ESR branch for Debian stable.
> >
> > With VBox, they don't have an ESR model.
>
> I guess they don't call it ESR or long term support, but as
> Gianfranco pointed out, they seem to support a lot of major releases
> currently.
>
> The main problem is here, do we want to use their upstream releases?
> In lack of a proper patch source, the Oracle way...
Yes. And I guess this is going to be more of a decision making
challenge for the sec team.
Debian Security Team:
These are what we have currently in Debian:
oldstable: 4.1.18
stable: 4.3.18
testing: 4.3.30
So, to keep the stable version secure in the Oracle way, we'll need to
push it to 4.3.30. Please look at:
https://www.virtualbox.org/wiki/Changelog-4.3 for the 4.3.x changelog.
Similarly, 4.1.x here: https://www.virtualbox.org/wiki/Changelog-4.1
The good thing is that Oracle declares these as "Maintenance release".
So usual sane practise for them too, should be, to only update it with
Security Fixes. Though this has not been the case in the past. There
have been regressions.
But if the security team can agree up with this release model, then the
VBox team could just keep it up-to-date.
--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 10 Aug 2015 07:21:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 10 Aug 2015 07:21:08 GMT) (full text, mbox, link).
Message #52 received at 794466@bugs.debian.org (full text, mbox, reply):
Hi,
>Debian Security Team:
>These are what we have currently in Debian:
>
>oldstable: 4.1.18
>stable: 4.3.18
>testing: 4.3.30
I would add (as Ben requested)
old-old-stable 3.2.10 --> 3.2.28
(this will fix AFAICS all the CVEs on o-o-stable, but not the latest one)
https://www.virtualbox.org/wiki/Changelog-3.2
>So, to keep the stable version secure in the Oracle way, we'll need to
>push it to 4.3.30. Please look at:
>https://www.virtualbox.org/wiki/Changelog-4.3 for the 4.3.x changelog.
>
>Similarly, 4.1.x here: https://www.virtualbox.org/wiki/Changelog-4.1
>
>The good thing is that Oracle declares these as "Maintenance release".
>So usual sane practise for them too, should be, to only update it with
>Security Fixes. Though this has not been the case in the past. There
>have been regressions.
I do not recall any regressions there, at least between stable minor releases
(I recall regressions between 4.1.x and 4.3.x)
However the changelogs mention a couple of them, so must be right :)
>But if the security team can agree up with this release model, then the
>VBox team could just keep it up-to-date.
Yes, otherwise the points remain:
1) leave the oracle with CVEs in stable releases
or
2) have an exception from Security Team and/or Release Team
or
3) wait and hope Oracle will change the model or make an exception
----
1) means the disappearance of VBox from Testing I'm afraid
2) We will continue to provide security new releases, and fix almost all the CVEs around here
(except for one in o-o-stable)
3) this is kind of impossible right now I guess (even if Oracle employees are continuing
to try to have it)
BTW having the "stable maintenance releases" on Debian stable releases will allow people to rebuild
kernel modules on their own, because usually people upgrade
their kernel while running stable, and virtualbox usually doesn't compile anymore
with them.
Ubuntu followed a slightly different model, they started embedding in linux kernel
the virtualbox modules, while with Debian we are forced to update virtualbox on stable,
or close the bugs reported with "notfix" (and ask people to run it from testing instead).
So the annoying kernel module rebuilds might be fixed too here :)
cheers,
Gianfranco
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 10 Aug 2015 08:15:08 GMT) (full text, mbox, link).
Acknowledgement sent
to rrs@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 10 Aug 2015 08:15:08 GMT) (full text, mbox, link).
Message #57 received at 794466@bugs.debian.org (full text, mbox, reply):
On Mon, 2015-08-10 at 07:16 +0000, Gianfranco Costamagna wrote:
> >But if the security team can agree up with this release model, then
> the
> >VBox team could just keep it up-to-date.
>
>
>
> Yes, otherwise the points remain:
>
> 1) leave the oracle with CVEs in stable releases
>
> or
>
> 2) have an exception from Security Team and/or Release Team
>
> or
>
> 3) wait and hope Oracle will change the model or make an exception
>
> ----
>
>
> 1) means the disappearance of VBox from Testing I'm afraid
>
> 2) We will continue to provide security new releases, and fix almost
> all the CVEs around here
> (except for one in o-o-stable)
> 3) this is kind of impossible right now I guess (even if Oracle
> employees are continuing
> to try to have it)
Does anyone know what Fedora project's stand is on VBox ?
From what I've checked so far, Fedora does not ship VBox. But I'm not
sure what their reasons are.......
--
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Sat, 15 Aug 2015 19:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Sat, 15 Aug 2015 19:57:03 GMT) (full text, mbox, link).
Message #62 received at 794466@bugs.debian.org (full text, mbox, reply):
On Mon, Aug 10, 2015 at 07:16:59AM +0000, Gianfranco Costamagna wrote:
> Yes, otherwise the points remain:
>
> 1) leave the oracle with CVEs in stable releases
>
> or
>
> 2) have an exception from Security Team and/or Release Team
>
> or
>
> 3) wait and hope Oracle will change the model or make an exception
We'll have a security team meeting at DebConf and will discuss
virtualbox as well.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 31 Aug 2015 12:45:15 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 31 Aug 2015 12:45:15 GMT) (full text, mbox, link).
Message #67 received at 794466@bugs.debian.org (full text, mbox, reply):
Hi Moritz,
>
>We'll have a security team meeting at DebConf and will discuss
>virtualbox as well.
following up on the DebConf discussion,
I did update vbox for wheezy and jessie, on
the respective branches on git (named with the codenames)
targeted -security.
http://anonscm.debian.org/cgit/pkg-virtualbox/virtualbox.git/log/?h=jessie
http://anonscm.debian.org/cgit/pkg-virtualbox/virtualbox.git/log/?h=wheezy
jessie is going from 4.3.18 to 4.3.30, while wheezy is going from 4.1.18 to 4.1.40
builds are also available from DebOMatic
http://debomatic-amd64.debian.net/distribution#oldstable/virtualbox/4.1.40-dfsg-1+deb7u1/lintian
http://debomatic-amd64.debian.net/distribution#stable/virtualbox/4.3.30-dfsg-1+deb8u1/buildlog
I tried to keep changes as minimal as possible, with just some patch refreshing and nothing more.
(and for changelogs, well, please tell me the best way to update it, because I honestly don't know)
I plan to do the same with virtualbox-ose and squeeze if you allow me to. (from 3.2.10 to 3.2.28).
I did some basic testing with both jessie and wheezy in this way:
1) Installed jessie on virtualbox.
2) Installed virtualbox inside the jessie VM (from apt)
3) installed Ubuntu vivid 32 bit in the virtualbox inside the VM
4) updated vbox with the DoM build
5) tested if the VM was still running correctly.
the same for wheezy, and all the tests were successful.
let me know if something is blocking the uploads, or if I can do them by myself (I guess policy and the manual
don't allow a DD to push on security directly).
I don't know exactly which CVEs are fixed, but at least for 4.1.x and 4.3.x ALL of them should be covered.
for vbox ose I guess CVE-2015-2594 will be left out, the only one for which we don't have a targeted patch from upstream.
cheers,
G.
Reply sent
to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
You have taken responsibility.
(Mon, 14 Sep 2015 16:54:45 GMT) (full text, mbox, link).
Notification sent
to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Bug acknowledged by developer.
(Mon, 14 Sep 2015 16:54:45 GMT) (full text, mbox, link).
Message #72 received at 794466-done@bugs.debian.org (full text, mbox, reply):
Hi, Virtualbox is finally CVE free in wheezy and jessie.
thanks to all for the support!
cheers,
G.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 05 Oct 2015 06:45:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Clemens Haupt Hohentrenk <yxcv@vienna.at>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 05 Oct 2015 06:45:04 GMT) (full text, mbox, link).
Message #77 received at 794466@bugs.debian.org (full text, mbox, reply):
Package: virtualbox
Version: 5.0.4-dfsg-4
Followup-For: Bug #794466
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Updating yesterday didn't help
* What exactly did you do (or not do) that was effective (or
ineffective)?
Updating
* What was the outcome of this action?
The virtual machine 'Deppi-505' has terminated unexpectedly during startup with exit code 1 (0x1).
* What outcome did you expect instead?
Smooth working
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (650, 'testing'), (600, 'unstable'), (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: i386 (i686)
Kernel: Linux 4.2.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages virtualbox depends on:
ii adduser 3.113+nmu3
ii libc6 2.19-22
ii libcurl3-gnutls 7.44.0-2
ii libgcc1 1:5.2.1-17
ii libgsoap7 2.8.22-1
ii libpng12-0 1.2.50-2+b2
ii libpython2.7 2.7.10-4
ii libsdl1.2debian 1.2.15-11
ii libssl1.0.0 1.0.2d-1
ii libstdc++6 5.2.1-17
ii libvncserver1 0.9.10+dfsg-3
ii libvpx2 1.4.0-4
ii libx11-6 2:1.6.3-1
ii libxcursor1 1:1.1.14-1+b1
ii libxext6 2:1.3.3-1
ii libxml2 2.9.2+zdfsg1-4
ii libxmu6 2:1.1.2-1
ii libxt6 1:1.1.4-1+b1
ii python 2.7.9-1
ii python2.7 2.7.10-4
pn python:any <none>
ii virtualbox-dkms 5.0.4-dfsg-4
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages virtualbox recommends:
ii libgl1-mesa-glx [libgl1] 10.6.8-1
ii libqt4-opengl 4:4.8.7+dfsg-3
ii libqtcore4 4:4.8.7+dfsg-3
ii libqtgui4 4:4.8.7+dfsg-3
ii virtualbox-qt 5.0.4-dfsg-4
Versions of packages virtualbox suggests:
ii vde2 2.3.2+r586-2
ii virtualbox-guest-additions-iso 5.0.4-1
-- Configuration Files:
/etc/default/virtualbox changed:
LOAD_VBOXDRV_MODULE=1
SHUTDOWN_USERS="yx"
SHUTDOWN=poweroff
-- no debconf information
Fehlercode:
NS_ERROR_FAILURE (0x80004005)
Komponente:
MachineWrap
Interface:
IMachine {f30138d4-e5ea-4b3a-8858-a059de4c93fd}
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 05 Oct 2015 13:39:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 05 Oct 2015 13:39:07 GMT) (full text, mbox, link).
Message #82 received at 794466@bugs.debian.org (full text, mbox, reply):
Hi Clemens,
this bug has *nothing* to do with your bug.
please open a new one.
thanks
Gianfranco
On Mon, 05 Oct 2015 08:34:01 +0200 Clemens Haupt Hohentrenk
<yxcv@vienna.at> wrote:
> Package: virtualbox Version: 5.0.4-dfsg-4 Followup-For: Bug
> #794466
>
> Dear Maintainer,
>
> *** Reporter, please consider answering these questions, where
> appropriate ***
>
> * What led up to the situation?
>
> Updating yesterday didn't help
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> Updating
>
> * What was the outcome of this action?
>
> The virtual machine 'Deppi-505' has terminated unexpectedly during
> startup with exit code 1 (0x1).
>
> * What outcome did you expect instead?
>
> Smooth working
>
>
> *** End of the template - remove these template lines ***
>
>
> -- System Information:
> Debian Release: stretch/sid
> APT prefers testing
> APT policy: (650, 'testing'), (600, 'unstable'), (500, 'oldstable-updates'), (500, 'oldstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 4.2.0-1-686-pae (SMP w/2 CPU cores)
> Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages virtualbox depends on:
> ii adduser 3.113+nmu3
> ii libc6 2.19-22
> ii libcurl3-gnutls 7.44.0-2
> ii libgcc1 1:5.2.1-17
> ii libgsoap7 2.8.22-1
> ii libpng12-0 1.2.50-2+b2
> ii libpython2.7 2.7.10-4
> ii libsdl1.2debian 1.2.15-11
> ii libssl1.0.0 1.0.2d-1
> ii libstdc++6 5.2.1-17
> ii libvncserver1 0.9.10+dfsg-3
> ii libvpx2 1.4.0-4
> ii libx11-6 2:1.6.3-1
> ii libxcursor1 1:1.1.14-1+b1
> ii libxext6 2:1.3.3-1
> ii libxml2 2.9.2+zdfsg1-4
> ii libxmu6 2:1.1.2-1
> ii libxt6 1:1.1.4-1+b1
> ii python 2.7.9-1
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 03 Nov 2015 07:29:36 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Gianfranco Costamagna <locutusofborg@debian.org>
to control@bugs.debian.org.
(Tue, 25 Oct 2016 15:27:02 GMT) (full text, mbox, link).
Bug reopened
Request was from Gianfranco Costamagna <locutusofborg@debian.org>
to control@bugs.debian.org.
(Tue, 25 Oct 2016 15:27:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Tue, 25 Oct 2016 15:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <locutusofborg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Tue, 25 Oct 2016 15:33:04 GMT) (full text, mbox, link).
Message #93 received at 794466@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
control: reopen -1 thanks
control: found -1 5.0.6-dfsg-1
As per DSA-3699-1, security team thinks virtualbox can't be released with Stretch.
G.
[signature.asc (application/pgp-signature, attachment)]
Marked as found in versions virtualbox/5.0.6-dfsg-1.
Request was from Gianfranco Costamagna <locutusofborg@debian.org>
to 794466-submit@bugs.debian.org.
(Tue, 25 Oct 2016 15:33:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 05 Dec 2016 11:58:40 GMT) (full text, mbox, link).
Acknowledgement sent
to Emilio Pozuelo Monfort <pochu@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 05 Dec 2016 11:58:40 GMT) (full text, mbox, link).
Message #100 received at 794466@bugs.debian.org (full text, mbox, reply):
On Tue, 25 Oct 2016 17:29:39 +0200 Gianfranco Costamagna
<locutusofborg@debian.org> wrote:
> control: reopen -1 thanks
> control: found -1 5.0.6-dfsg-1
>
> As per DSA-3699-1, security team thinks virtualbox can't be released with Stretch.
That's sad. I hope you can keep virtualbox in backports for stretch.
Cheers,
Emilio
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Tue, 13 Dec 2016 06:03:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Gordon Farquharson <gordonfarquharson@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Tue, 13 Dec 2016 06:03:02 GMT) (full text, mbox, link).
Message #105 received at 794466@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
On Tue, 25 Oct 2016 17:29:39 +0200 Gianfranco Costamagna <locutusofborg@debian.org> wrote:
> As per DSA-3699-1, security team thinks virtualbox can't be released with Stretch.
Thanks for all your work in maintaining VirtualBox in Debian.
Could you answer the following questions so that I (and others) can make
some decisions about future use of VirtualBox?
1. Will you continue to package VirtualBox for Debian?
2. Do you anticipate making a backports version available for Stretch?
3. Do you recommend migrating existing VirtualBox images to KVM?
Gordon
--
Gordon Farquharson
GnuPG Key ID: 32D6D676
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Tue, 13 Dec 2016 08:57:02 GMT) (full text, mbox, link).
Acknowledgement sent
to rrs@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Tue, 13 Dec 2016 08:57:02 GMT) (full text, mbox, link).
Message #110 received at 794466@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Mon, 2016-12-12 at 21:59 -0800, Gordon Farquharson wrote:
> 3. Do you recommend migrating existing VirtualBox images to KVM?
Migration should be doable. I'm not sure if there are any issues in migration,
but you may give it a shot.
Should you migrate, it may depend on what your core requirements are.
VirtualBox has a much nicer UI integrating all features, very well, into its
Graphical interface.
On the other hand, KVM is the stock in-kernel hypervisor for Linux, which has a
much larger userbase (OpenStack, RHEV etc) and gets much more testing.
In the past, I've migrated my setups from both ways. Initially, from KVM to
VBox, and then later again from VBox to KVM.
VM disk image conversion was fairly stable. I had no issues during image
conversion.
For config settings, I just noted down the settings and applied the same when
importing it to the other hypervisor. For a large number of VMs, this may not be
optimal.
- --
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Wed, 14 Dec 2016 17:54:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Gordon Farquharson <gordonfarquharson@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 14 Dec 2016 17:54:03 GMT) (full text, mbox, link).
Message #115 received at 794466@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
I did a test migration of a VirtualBox image running Windows 10 to KVM from
virt-manager, and everything worked. However, I don't seem to have the
correct drivers installed (virtio drivers?) to get full resolution support
in my guest Windows system.
I'd still like to know what the plans are for the VirtualBox package in
Debian. I can backport the version in sid to stretch by building it myself,
but at some point, this process may break if maintenance of the package is
dropped.
Gordon
On Tue, Dec 13, 2016 at 12:55 AM, Ritesh Raj Sarraf <rrs@debian.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On Mon, 2016-12-12 at 21:59 -0800, Gordon Farquharson wrote:
> > 3. Do you recommend migrating existing VirtualBox images to KVM?
>
> Migration should be doable. I'm not sure if there are any issues in
> migration,
> but you may give it a shot.
>
>
> Should you migrate, it may depend on what your core requirements are.
>
> VirtualBox has a much nicer UI integrating all features, very well, into
> its
> Graphical interface.
>
>
> On the other hand, KVM is the stock in-kernel hypervisor for Linux, which
> has a
> much larger userbase (OpenStack, RHEV etc) and gets much more testing.
>
>
> In the past, I've migrated my setups from both ways. Initially, from KVM to
> VBox, and then later again from VBox to KVM.
>
> VM disk image conversion was fairly stable. I had no issues during image
> conversion.
>
> For config settings, I just noted down the settings and applied the same
> when
> importing it to the other hypervisor. For a large number of VMs, this may
> not be
> optimal.
>
>
> - --
> Ritesh Raj Sarraf | http://people.debian.org/~rrs
> Debian - The Universal Operating System
> -----BEGIN PGP SIGNATURE-----
>
> -----END PGP SIGNATURE-----
>
>
--
Gordon Farquharson
GnuPG Key ID: 32D6D676
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Wed, 14 Dec 2016 19:48:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <locutusofborg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 14 Dec 2016 19:48:03 GMT) (full text, mbox, link).
Message #120 received at 794466@bugs.debian.org (full text, mbox, reply):
Hi all,
>I'd still like to know what the plans are for the VirtualBox package in
>Debian. I can backport the version in sid to stretch by building it myself,
>but at some point, this process may break if maintenance of the package is
>dropped.
I started a discussion on -backports mail list some days before your email
https://lists.debian.org/debian-backports/2016/12/msg00042.html
Please forward the discussion there, since this seems to be a backport-specific issue :)
G.
On Tue, Dec 13, 2016 at 12:55 AM, Ritesh Raj Sarraf <rrs@debian.org> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>On Mon, 2016-12-12 at 21:59 -0800, Gordon Farquharson wrote:
>> 3. Do you recommend migrating existing VirtualBox images to KVM?
>
>Migration should be doable. I'm not sure if there are any issues in migration,
>but you may give it a shot.
>
>
>Should you migrate, it may depend on what your core requirements are.
>
>VirtualBox has a much nicer UI integrating all features, very well, into its
>Graphical interface.
>
>
>On the other hand, KVM is the stock in-kernel hypervisor for Linux, which has a
>much larger userbase (OpenStack, RHEV etc) and gets much more testing.
>
>
>In the past, I've migrated my setups from both ways. Initially, from KVM to
>VBox, and then later again from VBox to KVM.
>
>VM disk image conversion was fairly stable. I had no issues during image
>conversion.
>
>For config settings, I just noted down the settings and applied the same when
>importing it to the other hypervisor. For a large number of VMs, this may not be
>optimal.
>
>
>- --
>Ritesh Raj Sarraf | http://people.debian.org/~rrs
>Debian - The Universal Operating System
>-----BEGIN PGP SIGNATURE-----
>
>-----END PGP SIGNATURE-----
>
>
--
Gordon Farquharson
GnuPG Key ID: 32D6D676
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Sun, 18 Dec 2016 18:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to solitone <solitone@mail.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Sun, 18 Dec 2016 18:06:03 GMT) (full text, mbox, link).
Message #125 received at 794466@bugs.debian.org (full text, mbox, reply):
On Mon, 2016-12-12 at 21:59 -0800, Gordon Farquharson wrote:
> 3. Do you recommend migrating existing VirtualBox images to KVM?
On Tue, 13 Dec 2016 14:25:32 +0530, Ritesh Raj Sarraf wrote:
> Migration should be doable. I'm not sure if there are any issues in
> migration, but you may give it a shot.
On Wed, 14 Dec 2016 09:51:34 -0800, Gordon Farquharson wrote:
> I did a test migration of a VirtualBox image running Windows 10 to KVM from
> virt-manager, and everything worked.
I also migrated a VirtualBox image to KVM, and it works nicely. The guest system
is Windows 10. VirtualBox runs on debian jessie, and KVM in debian stretch.
In contrast to Gordon's, my guest's screen resolution is set at the full
capability of my HiDPI screen--2560x1600. A scale factor of 200% (Windows 10
Settings -> Display) allows for perfectly sized texts, icons, and other items.
I believe KVM is just what I need. Considering VirtualBox is unavailable in
stretch, I won't use it any longer.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Thu, 19 Jan 2017 08:27:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Daniel Pocock <daniel@pocock.pro>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Thu, 19 Jan 2017 08:27:02 GMT) (full text, mbox, link).
Message #130 received at 794466@bugs.debian.org (full text, mbox, reply):
I use VirtualBox on stable (currently jessie) as part of my strategy for
testing anything that will run in future Debian releases (e.g. stretch).
It has been extremely useful for this purpose in the past.
How many other developers are working this way, either with VirtualBox
or one of the alternatives?
I recently did a trial of the stretch installer into a Virtualbox VM
(host running jessie) and ran into trouble getting the graphical
desktop, it is discussed in bug 851124[1]. Even if Virtualbox won't
continue being available, it would be helpful to other developers and
testers to find ways to make them aware of such things before they lose
any time on it.
It would also be helpful to have a summary on the wiki about some of the
points raised already in the thread:
- whether or not it will be available as a backport (I was able to run
the sid packages in my stretch VM without rebuilding or modifying them)
- a cheat sheet or conversion guide for the next best thing, whatever
that is, e.g. KVM
Given the convenience of Virtualbox, many users may not have been
tempted to explore KVM or other desktop virtualization solutions before
so it could be helpful to write a quick summary of how it really
compares to the Virtualbox package. In particular:
- are graphics features and performance equivalent, better or worse?
I've tried setting up KVM once with the pass-through VGA and it never
worked, although that may have been a chipset limitation. I also
recently introduced the virglrenderer[2] for qemu into Debian. Those
are both things that Virtualbox doesn't support but they are only useful
to people with the right hardware. For people without the right
hardware, falling back to a remote-desktop protocol might be a serious
limitation, virtio-gpu might be better but it is not clear that this
will work for a jessie host or even a stretch host just yet:
https://www.kraxel.org/blog/tag/virtio-gpu/
The fact that VirtualBox offers a strong desktop graphics solution is
probably one key reason some people may want to stay on Virtualbox, at
least until the KVM / qemu solutions work more effortlessly.
- how does CPU performance compare, e.g. speed, impact on the host?
- how convenient is it to do the basic things that most people do with
the Virtualbox GUI? For me, those basic things are typically attaching
and detaching VDI and ISO images and tweaking the network from NAT to
bridge.
- what is the impact of migration on guest operating systems that are
sensitive to perceived hardware change, e.g. for each Windows version?
Having some of these things in one place could help people get on with
other things they are testing.
Regards,
Daniel
1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851124
2. https://virgil3d.github.io/
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Thu, 19 Jan 2017 16:00:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <locutusofborg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
Your message did not contain a Subject field. They are recommended and
useful because the title of a Bug is determined using this field.
Please remember to include a Subject field in your messages in future.
(Thu, 19 Jan 2017 16:00:10 GMT) (full text, mbox, link).
Message #135 received at 794466@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
affects 794466 src:virtualbox-guest-additions-iso
thanks
[signature.asc (application/pgp-signature, attachment)]
Added indication that 794466 affects src:virtualbox-guest-additions-isothanks
Request was from Gianfranco Costamagna <locutusofborg@debian.org>
to control@bugs.debian.org.
(Thu, 19 Jan 2017 16:03:07 GMT) (full text, mbox, link).
Added indication that 794466 affects src:virtualbox-guest-additions-iso
Request was from Gianfranco Costamagna <locutusofborg@debian.org>
to control@bugs.debian.org.
(Thu, 19 Jan 2017 16:03:07 GMT) (full text, mbox, link).
Removed indication that 794466 affects src:virtualbox-guest-additions-isothanks
Request was from Gianfranco Costamagna <locutusofborg@debian.org>
to control@bugs.debian.org.
(Thu, 19 Jan 2017 16:18:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Fri, 20 Jan 2017 13:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to rrs@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Fri, 20 Jan 2017 13:21:03 GMT) (full text, mbox, link).
Message #146 received at 794466@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello Daniel,
On Thu, 2017-01-19 at 09:23 +0100, Daniel Pocock wrote:
> I use VirtualBox on stable (currently jessie) as part of my strategy for
> testing anything that will run in future Debian releases (e.g. stretch).
> It has been extremely useful for this purpose in the past.
>
> How many other developers are working this way, either with VirtualBox
> or one of the alternatives?
>
Used to use/maintain VBox. But moved away after Oracle's attitude towards it.
Pretty happy with KVM/Libvirt right now.
> I recently did a trial of the stretch installer into a Virtualbox VM
> (host running jessie) and ran into trouble getting the graphical
> desktop, it is discussed in bug 851124[1]. Even if Virtualbox won't
> continue being available, it would be helpful to other developers and
> testers to find ways to make them aware of such things before they lose
> any time on it.
>
And how do you propose doing that ?
I'm interested to know because I maintain many packages, usually used in the
enterprises, for which I'd only get user testing and bug reports, after the next
stable release. By then, it is already late.
The best I've been doing is to handpick users and email them to do some early
testing. Also, blogging sometimes helps. But I'm sure, I'm only reaching a minor
subset of the actual users.
> It would also be helpful to have a summary on the wiki about some of the
> points raised already in the thread:
>
Yes. Would be nice to see that. But creating a wiki means, maintaining its
status. On the other hand, the bug report usually serves as a live status of the
issue.
> - whether or not it will be available as a backport (I was able to run
> the sid packages in my stretch VM without rebuilding or modifying them)
>
> - a cheat sheet or conversion guide for the next best thing, whatever
> that is, e.g. KVM
>
Hmmm. Mostly what you want is to convert .vbox image into something that qemu
understands. For the rest of the stuff, like Guest VM setting attributes, I
don't think there's a straight way to do it.
> Given the convenience of Virtualbox, many users may not have been
> tempted to explore KVM or other desktop virtualization solutions before
> so it could be helpful to write a quick summary of how it really
> compares to the Virtualbox package. In particular:
>
> - are graphics features and performance equivalent, better or worse?
Someone needs to do it. And I'd still think that such result (on performance)
won't be comprehensive.
On the features side, yes, it'd be nice to have. VBox really enjoys in the UI
front.
Other than that, KVM has a better edge.
* In-kernel hypervisor. No frequent breakages with newer kernels
* In-kernel hypervisor. Doesn't need external modules (dkms packages) to be
built.
* Very good performance with Guest VMs that support Para-Virtualized drivers for
block and net (and maybe graphics too now). For non-para-virtualized guest OS,
performance could suck.
* VBox has a lot better UI than libvirt. But libvirt is much nicer to manage
remote hypervisors.
> I've tried setting up KVM once with the pass-through VGA and it never
> worked, although that may have been a chipset limitation. I also
> recently introduced the virglrenderer[2] for qemu into Debian. Those
> are both things that Virtualbox doesn't support but they are only useful
> to people with the right hardware. For people without the right
> hardware, falling back to a remote-desktop protocol might be a serious
> limitation, virtio-gpu might be better but it is not clear that this
> will work for a jessie host or even a stretch host just yet:
> https://www.kraxel.org/blog/tag/virtio-gpu/
> The fact that VirtualBox offers a strong desktop graphics solution is
> probably one key reason some people may want to stay on Virtualbox, at
> least until the KVM / qemu solutions work more effortlessly.
>
> - how does CPU performance compare, e.g. speed, impact on the host?
>
It is the same, in my opinion. Without the vbox-guest-dkms package, the Guest
VMs run under Full virtualization, and inherit its performance bottlenecks.
> - how convenient is it to do the basic things that most people do with
> the Virtualbox GUI? For me, those basic things are typically attaching
> and detaching VDI and ISO images and tweaking the network from NAT to
> bridge.
>
Things are simple in libvirt too. But vbox does have a cleaner UI.
> - what is the impact of migration on guest operating systems that are
> sensitive to perceived hardware change, e.g. for each Windows version?
>
I don't know. Last I used was with Windows 7. And it was sensitive.
> Having some of these things in one place could help people get on with
> other things they are testing.
>
> Regards,
>
> Daniel
>
>
>
> 1. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851124
> 2. https://virgil3d.github.io/
>
- --
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Wed, 25 Jan 2017 23:42:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Jeremy Bicha <jbicha@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Wed, 25 Jan 2017 23:42:05 GMT) (full text, mbox, link).
Message #151 received at 794466@bugs.debian.org (full text, mbox, reply):
Sorry for the long post, but it does give a walkthrough of how this is
working now in Stretch…
I installed Debian Stretch today using the January 23 weekly
netinstall image. I installed to a VirtualBox guest (the host is
Ubuntu 17.04 Alpha). The install went well except for two issues.
1. I chose to install the GNOME desktop. tasksel had some kind of
error near the end of downloading packages. Maybe some transient
network error. When I re-ran the task, it suggested I install some
virtualbox-ose-something package. The install completed successfully.
2. When I rebooted after install, gdm did not start and my console was
flickering really bad. Along with the console flickering, I could not
reliably enter my password since keypresses were getting dropped. I
tried booting into recovery mode but since I did not set a root
password (I prefer to use sudo), Debian gave me an error about the
root account being locked and after I pressed Enter as prompted, it
continued a normal boot. After about 5 minutes, the flickering
stopped. I guess this is systemd eagerly retrying a failed service
until it reaches its timeout.
journalctl -xb revealed that gdm "could not find drm kms device". I
couldn't find anything useful by searching for that message on Google.
I then checked to see whether the VirtualBox guest utils were
installed. They weren't. So I had to enable unstable in my apt
sources, then
sudo apt -t unstable install virtualbox-guest-utils virtualbox-guest-x11
sudo reboot
gdm works great now.
Suggestions
=========
3. Something needs to be done about whatever in the installer suggests
installing the virtualbox-ose package. Since I clicked OK, I thought
it *did* install something useful for VirtualBox but I don't think it
did.
4. I have not had the #2 problem with other distros. Ubuntu includes
some minimal VirtualBox-compatible driver as part of its default
kernel. Could Debian do the same so that Debian will actually run on
VirtualBox?
5. As far as the drivers go, if they aren't in a Debian release, then
once someone actually gets Debian running, I guess they'll either just
keep whatever drivers they installed the first time. Or maybe they'll
use VirtualBox's guest additions iso to install the drivers. Neither
way offers automatic update of drivers. I feel this situation is worse
from a security perspective than having a Debian package that is at
least updated on major new Debian releases.
Why can't the Security Team treat VirtualBox like how it's been
treating WebKit1? Still have it in the archives but with a prominent
notice that Debian does not provide security updates.
6. Assuming that VirtualBox won't be in the next stable Debian
release, I guess we need a page like mozilla.debian.net for it?
Thanks,
Jeremy Bicha
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Thu, 26 Jan 2017 10:48:07 GMT) (full text, mbox, link).
Acknowledgement sent
to rrs@debian.org:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Thu, 26 Jan 2017 10:48:07 GMT) (full text, mbox, link).
Message #156 received at 794466@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Wed, 2017-01-25 at 18:38 -0500, Jeremy Bicha wrote:
> 3. Something needs to be done about whatever in the installer suggests
> installing the virtualbox-ose package. Since I clicked OK, I thought
> it *did* install something useful for VirtualBox but I don't think it
> did.
>
This must be from back when VBox had better support model. Given its current
status, we should fix the installer and not support VBox there.
> 4. I have not had the #2 problem with other distros. Ubuntu includes
> some minimal VirtualBox-compatible driver as part of its default
> kernel. Could Debian do the same so that Debian will actually run on
> VirtualBox?
>
You mean the driver provided by the virtualbox-guest-dkms package ?
The easiest would be if VBox worked on upstreaming that driver. For Debian,
carrying that external driver may not be desirable unless the kernel team's
policy changed in recent past.
> 5. As far as the drivers go, if they aren't in a Debian release, then
> once someone actually gets Debian running, I guess they'll either just
> keep whatever drivers they installed the first time. Or maybe they'll
> use VirtualBox's guest additions iso to install the drivers. Neither
> way offers automatic update of drivers. I feel this situation is worse
> from a security perspective than having a Debian package that is at
> least updated on major new Debian releases.
>
Hmmm. This one is a worrisome state. But the iso package is part of non-free.
> Why can't the Security Team treat VirtualBox like how it's been
> treating WebKit1? Still have it in the archives but with a prominent
> notice that Debian does not provide security updates.
>
> 6. Assuming that VirtualBox won't be in the next stable Debian
> release, I guess we need a page like mozilla.debian.net for it?
- --
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 30 Jan 2017 14:39:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <locutusofborg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 30 Jan 2017 14:39:06 GMT) (full text, mbox, link).
Message #161 received at 794466@bugs.debian.org (full text, mbox, reply):
Hello Jeremy,
(and security team)
>I installed Debian Stretch today using the January 23 weekly
>netinstall image. I installed to a VirtualBox guest (the host is
>Ubuntu 17.04 Alpha). The install went well except for two issues.
>
>1. I chose to install the GNOME desktop. tasksel had some kind of
>error near the end of downloading packages. Maybe some transient
>network error. When I re-ran the task, it suggested I install some
>virtualbox-ose-something package. The install completed successfully.
virtualbox-ose is dead and removed, not sure why/who is pulling it in
>2. When I rebooted after install, gdm did not start and my console was
>flickering really bad. Along with the console flickering, I could not
>reliably enter my password since keypresses were getting dropped. I
>tried booting into recovery mode but since I did not set a root
>password (I prefer to use sudo), Debian gave me an error about the
>root account being locked and after I pressed Enter as prompted, it
>continued a normal boot. After about 5 minutes, the flickering
>stopped. I guess this is systemd eagerly retrying a failed service
>until it reaches its timeout.
>
>journalctl -xb revealed that gdm "could not find drm kms device". I
>couldn't find anything useful by searching for that message on Google.
>I then checked to see whether the VirtualBox guest utils were
>installed. They weren't. So I had to enable unstable in my apt
>sources, then
>sudo apt -t unstable install virtualbox-guest-utils virtualbox-guest-x11
>sudo reboot
>
>gdm works great now.
exactly
>3. Something needs to be done about whatever in the installer suggests
>installing the virtualbox-ose package. Since I clicked OK, I thought
>it *did* install something useful for VirtualBox but I don't think it
>did.
probably that suggestion should be updated to virtualbox-guest-x11
>4. I have not had the #2 problem with other distros. Ubuntu includes
>some minimal VirtualBox-compatible driver as part of its default
>kernel. Could Debian do the same so that Debian will actually run on
>VirtualBox?
it was nacked by Debian Kernel Team when I asked it
>5. As far as the drivers go, if they aren't in a Debian release, then
>once someone actually gets Debian running, I guess they'll either just
>keep whatever drivers they installed the first time. Or maybe they'll
>use VirtualBox's guest additions iso to install the drivers. Neither
>way offers automatic update of drivers. I feel this situation is worse
>from a security perspective than having a Debian package that is at
>least updated on major new Debian releases.
fully agree, but I'm not in the position to revert this change
>Why can't the Security Team treat VirtualBox like how it's been
>treating WebKit1? Still have it in the archives but with a prominent
>notice that Debian does not provide security updates.
you might want to ask them :)
>6. Assuming that VirtualBox won't be in the next stable Debian
>release, I guess we need a page like mozilla.debian.net for it?
>
not sure what it means, but ok for me!
I still think vbox is superior and I have to wait some minutes to make the screen
stop flickering each time I install a new Debian iso in a VM.
I really think not having it working out-of-the-box in a virtual machine is really
a bad user experience.
G.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Thu, 02 Feb 2017 22:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Thu, 02 Feb 2017 22:15:05 GMT) (full text, mbox, link).
Message #166 received at 794466@bugs.debian.org (full text, mbox, reply):
On Mon, Jan 30, 2017 at 02:36:11PM +0000, Gianfranco Costamagna wrote:
> fully agree, but I'm not in the position to revert this change
> >Why can't the Security Team treat VirtualBox like how it's been
> >treating WebKit1? Still have it in the archives but with a prominent
> >notice that Debian does not provide security updates.
The usual expectation is that everything in Debian is covered by
reasonable security support. We need to make some exceptions for
technical reasons (like in webkit, where it's simply not
feasible to backport). Security support for vbox would be feasible,
but fails entirely due to Oracle's policy. It's up to them to fix
that.
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 22 May 2017 12:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to vintexsdeku@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 22 May 2017 12:51:03 GMT) (full text, mbox, link).
Message #171 received at 794466@bugs.debian.org (full text, mbox, reply):
*Why have you not replied to my email which I sent to you? Check your email
and reply to me*
Added tag(s) buster.
Request was from ivodd@debian.org
to control@bugs.debian.org.
(Sun, 18 Jun 2017 09:54:41 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Tue, 20 Jun 2017 08:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Gianfranco Costamagna <locutusofborg@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Tue, 20 Jun 2017 08:21:03 GMT) (full text, mbox, link).
Message #178 received at 794466@bugs.debian.org (full text, mbox, reply):
control: affects -1 src:virtualbox-guest-additions-iso
control: found -1 virtualbox-guest-additions-iso/5.1.22-1
control: severity -1 serious
Adding guest-additions-iso package, to kick it out from testing again
G.
Marked as found in versions virtualbox-guest-additions-iso/5.1.22-1.
Request was from Gianfranco Costamagna <locutusofborg@debian.org>
to 794466-submit@bugs.debian.org.
(Tue, 20 Jun 2017 08:21:03 GMT) (full text, mbox, link).
Severity set to 'serious' from 'critical'
Request was from Gianfranco Costamagna <locutusofborg@debian.org>
to 794466-submit@bugs.debian.org.
(Tue, 20 Jun 2017 08:21:04 GMT) (full text, mbox, link).
Added indication that 794466 affects virtualbox-guest-additions-iso
Request was from Gianfranco Costamagna <locutusofborg@debian.org>
to control@bugs.debian.org.
(Tue, 27 Jun 2017 08:21:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>:
Bug#794466; Package src:virtualbox.
(Mon, 28 Aug 2017 13:21:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Virtualbox Team <pkg-virtualbox-devel@lists.alioth.debian.org>.
(Mon, 28 Aug 2017 13:21:03 GMT) (full text, mbox, link).
Message #189 received at 794466@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 virtualbox: might not be suitable for stable releases due to lack of cooperation from upstream on security support for older releases
Control: severity -1 important
Hi,
After a private discussion with Gianfranco, I'm retitling this bug and
downgrading its severity. (Gianfranco agrees, at least on the general
lines of argumentation).
The reasoning is as follows.
Virtualbox did not make it into stretch due to this bug, for good
reasons.
We are at the start of the buster release cycle, and we don't know what
will be the status at the time of the freeze. The situation around
security support should be re-evaluated at the beginning of the buster
freeze, but until then, it sounds like a better plan to maximize user
testing and allow virtualbox to migrate to testing.
Security support for unstable/testing is not a problem because we are
tracking new upstream releases anyway, where issues are being addressed
by upstream. Also, there's a public svn repository to get fixes from if
necessary.
Cheers,
Lucas
Changed Bug title to 'virtualbox: might not be suitable for stable releases due to lack of cooperation from upstream on security support for older releases' from 'Virtualbox might not be suitable for Stretch'.
Request was from Lucas Nussbaum <lucas@debian.org>
to 794466-submit@bugs.debian.org.
(Mon, 28 Aug 2017 13:21:03 GMT) (full text, mbox, link).
Severity set to 'important' from 'serious'
Request was from Lucas Nussbaum <lucas@debian.org>
to 794466-submit@bugs.debian.org.
(Mon, 28 Aug 2017 13:21:04 GMT) (full text, mbox, link).
Last modified: Wed Jan 3 16:04:58 2018