[SRU] virtualbox crash on network traffic

I understand this is urgent, but this SRU is missing some details.

a) Upstream still has the warning[1] in the "news flash" on the top right of the page, telling users to not upgrade to 7.0.16. In the 7.0.16 changelog[2] page, though, there is no further information.

b) I browsed their bug database, and mailing lists, particularly right after the 7.0.16 announcement, and found no patch or follow-up

c) While not required, the patch in the SRU has no DEP-3 headers. Where is it coming from? I think in this case, given the little amount of information available elsewhere, it would be best if it had such headers. Or, instead, the SRU description of the bug could have more details: upstream bug, upstream commit, perhaps a link to some discussion. Is this fix enough? I found another place in the same file where the same variable is declared, and it does not have the 2* change. Maybe not needed there, but then again, there is no explanation about this patch.

While we are at it, if a new upload would happen, it could also have these changes:
- run update-maintainer
- while at it, the version could be changed to the SRU format, which in this case, would be 7.0.16-dfsg-2ubuntu0.1

1. https://www.virtualbox.org/
2. https://www.virtualbox.org/wiki/Changelog-7.0#v16

The virtualbox-hwe upload has this changelog:
 virtualbox-hwe (7.0.16-dfsg-2ubuntu1.24.04.2) noble; urgency=medium
 .
   * Build only the guest-* packages with hwe stack
 .
 virtualbox (7.0.16-dfsg-2ubuntu1) noble; urgency=medium
 .
   * Add patch 162843 to fix an host crash with some network modes.
     LP: #2063841

I didn't see anything in the diff, though, about the first change (build only the guest-* packages). It just has the same d/patch as virtualbox, for this bug. Is something missing?

Given the lack of details on the fix, upstream bug, my concern here is with a possible incomplete fix, and us having to rush another SRU right after, or perhaps even making things worse (if the fix is later changed again).

I checked the commits in trunk[1], and spotted this one there at [2], with the corresponding changeset at [3] which matches your patch, but the referenced bug or even svn rev are not public :/

That commit[3] is at least the last one on that file, so they didn't change it again, which is good.

1. https://www.virtualbox.org/log/vbox/trunk
2. https://www.virtualbox.org/browser/vbox/trunk?rev=104355
3. https://www.virtualbox.org/changeset/104355/vbox

In addition to Andreas's comments, this SRU bug references the MRE page, but the SRU that's been uploaded (at least to noble) is not an upstream microrelease, it's a patch added under debian/patches. So the MRE exception does not apply here. How is this fix meant to be verified?

Status changed to 'Confirmed' because the bug affects multiple users.

>a) Upstream still has the warning[1] in the "news flash" on the top right of the page, telling users to not upgrade to 7.0.16. In the 7.0.16 changelog[2] page, though, there is no further information.

the situation is now more clear with 7.0.18 out

>b) I browsed their bug database, and mailing lists, particularly right after the 7.0.16 announcement, and found no patch or follow-up

more clear with 7.0.18 too

>c) While not required, the patch in the SRU has no DEP-3 headers. Where is it coming from? I think in this case, given the little amount of information available elsewhere, it would be best if it had such headers. Or, instead, the SRU description of the bug could have more details: upstream bug, upstream commit, perhaps a link to some discussion. Is this fix enough? I found another place in the same file where the same variable is declared, and it does not have the 2* change. Maybe not needed there, but then again, there is no explanation about this patch.

can we please avoid it? I usually stick with the very same content as for the Debian uploads, to have delta just between the changelog files

>While we are at it, if a new upload would happen, it could also have these changes:
- run update-maintainer

same reason as above, I would like to avoid having to maintain two codebases, except for changelog file last entry

- while at it, the version could be changed to the SRU format, which in this case, would be 7.0.16-dfsg-2ubuntu0.1

I use the ~ approach, because in case of MRE a "backport" versioning makes the upgrade path work correctly.

>I didn't see anything in the diff, though, about the first change (build only the guest-* packages). It just has the same d/patch as virtualbox, for this bug. Is something missing?

yes, it has the patchset with the additional patch and just a changelog new entry.

> MRE

removed, I also would like to update to 7.0.18 later, but for now, better a quick SRU instead of a new MRE upload. (also because MRE is not whitelisted yet)

This bug was fixed in the package virtualbox - 7.0.18-dfsg-1

---------------
virtualbox (7.0.18-dfsg-1) unstable; urgency=medium

  * New upstream version 7.0.18-dfsg
  * Fixup link for tarball import
  * Drop patch 162843, upstream. Refresh vnc patch

 -- Gianfranco Costamagna <email address hidden> Fri, 03 May 2024 16:44:26 +0200

Hello Gianfranco, or anyone else affected,

Accepted virtualbox into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/virtualbox/7.0.16-dfsg-2ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Ah, I think I see what's happening with virtualbox-hwe? You took the new virtualbox src package, and then addded on a changelog entry for the diff between virtualbox and virtualbox-hwe?

That's not what we'd expect to see in a changelog entry - we'd expect to see the changes since the last version of *that* source package (particularly in an SRU, where the changelog is more user-visible).

Could you please upload with a fixed changelog?

Hm. The changelog diff I'd *expect* is:

+virtualbox-hwe (7.0.16-dfsg-2ubuntu1.24.04.2) noble; urgency=medium
+
+ * Add patch 162843 to fix an host crash with some network modes.
+ LP: #2063841
+
+ -- Gianfranco Costamagna <email address hidden> Fri, 26 Apr 2024 12:51:11 +0200
+

ie: just the differences from the previous virtualbox-hwe package. I don't *think* this should complicate your branching strategy? You'd merge virtualbox into virtualbox-hwe, then *edit* the most recent changelog entry rather than appending one?

ok doing now.

Hello Gianfranco, or anyone else affected,

Accepted virtualbox-hwe into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/virtualbox-hwe/7.0.16-dfsg-2ubuntu1.24.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello, testing was good on my side, please also other people help in testing proposed pocket.
Thanks!

This fix is missing from src:virtualbox-hwe in Oracular, the current devel release. We currently have:

 virtualbox-hwe | 7.0.16-dfsg-2ubuntu1.24.04.1 | oracular/multiverse | source
 virtualbox-hwe | 7.0.16-dfsg-2ubuntu1.24.04.2 | noble-proposed/multiverse | source

Marking src:virtualbox as released for devel (oracular), because oracular has version 7.0.18 which has this fix.

virtualbox-hwe is scheduled for removal in oracular.
https://bugs.launchpad.net/ubuntu/+source/virtualbox-hwe/+bug/2063946

I am confused by this SRU. The bug is marked as verification-done and seems ready for release, but then the bug description has a huge disclaimer NOT to upgrade to the version under testing?

What is the status of this? Can we release it into noble-updates or not?

7.0.16 release pocket might crash, while 7.0.16 in proposed is fine

This bug was fixed in the package virtualbox - 7.0.16-dfsg-2ubuntu1

---------------
virtualbox (7.0.16-dfsg-2ubuntu1) noble; urgency=medium

  * Add patch 162843 to fix an host crash with some network modes.
    LP: #2063841

 -- Gianfranco Costamagna <email address hidden> Fri, 26 Apr 2024 12:51:11 +0200

This bug was fixed in the package virtualbox-hwe - 7.0.16-dfsg-2ubuntu1.24.04.2

---------------
virtualbox-hwe (7.0.16-dfsg-2ubuntu1.24.04.2) noble; urgency=medium

  * Add patch 162843 to fix an host crash with some network modes.
    LP: #2063841

 -- Gianfranco Costamagna <email address hidden> Fri, 26 Apr 2024 12:51:11 +0200

The verification of the Stable Release Update for virtualbox has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.