At the moment, you have 3 options to install VirtualBox using apt. Manually downloading / verifying / updating is not a good choice IMO.
4.3.36 = Oldest / Most Secure version from Jessie stable contrib:
Install: sudo apt-get install virtualbox linux-headers-$(uname -r)
Guest Additions (if needed): sudo apt-get install virtualbox-guest-x11
5.0.14 = Newer / Less Secure version from Jessie-backports:
Add to /etc/apt/sources.list: deb http://http.debian.net/debian jessie-backports main contrib
Install: sudo apt-get -t jessie-backports install virtualbox
Guest Additions (if needed): sudo apt-get -t jessie-backports install virtualbox-guest-x11
5.0.14 = Latest / Least (?) Secure version from Oracle repository:
Add to /etc/apt/sources.list: deb http://download.virtualbox.org/virtualbox/debian jessie contrib
Add Oracle key to apt-get keyring: wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -
Check fingerprint: 7B0F AB3A 13B9 0743 5925 D9C9 5442 2A4B 98AB 5139 Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
Install: sudo apt-get update sudo apt-get install virtualbox-5.0
Guest Additions ISO is included in the package. (Strange since repository is contrib only). Insert ISO in guest to install.
EDIT: virtualbox-guest-x11 should be used over virtualbox-guest-additions-iso in debian. Thanks @TNT_BOM_BOM
This is a great suggestion. However I would disagree with
“4.3.36 = Oldest / Most Secure version from Jessie stable contrib”
Debian package maintainers are notoriously untrustworthy. The modifications they made to the source is not usually known. Oldest versions of software just means it has older bugs and security researchers have had more time to find vulnerabilities in it. For application level security it almost never means “older is more secure” but just the opposite.
Thanks for pointing that out. I did not mean to imply that the software was necessarily more secure because it was older. Just stating that it was the oldest of the 3 options (for the people who can’t read version numbers i guess?!?). Will clean up.
Are you suggesting that the Oracle or Testing versions are more secure than Stable? Should the official recommendation be to upgrade to a newer version?
It is hard to say what is best. In general, the fewer people who are in the chain for delivering your software the better. To be honest it will probably never matter
It might even be better for Whonix to offer the download from servers they control so that Oracle is not able to de-anonymize potential Whonix users based on download records they keep.
It is. Those must be within the debian/patches folder of every source package. Package build scripts must be Open Source. Must adhere to Debian policy… Or are you talking about Debian build machines security, deterministic builds issues?
No, to clarify, my issue is procedural, having more people (i.e., more machines) in between me and the source code. I don’t trust them any more than I trust any other public service provider to use the best default settings.
I see. There you have a valid point. But doesn’t the argument fall short because by using Debian [based] as host operating system in the first place - which is the premise here, I think - you are already using loads of packages where Debian maintainers injected themselves as “a proxy”? “loads off” here means probably >=90% packages. Certainly all the essential packages and more.
Certainly there is. I am a bit of an odd ball because I like to challenge to assumptions, especially security assumptions about people I don’t know and have never met.
I don’t mean to derail the thread. I have free time and I am mainly here to wait for feedback on deploying the gateway for alpine linux. With alpine I would reduce my software dependencies from 264 for base Debian jessie packages and tor to 53 base packages with alpine. It may even be desirable to run the gateway off of a Coreos container but I am not trying that yet.
Given the implied trust that we already place in Debian maintainers and the lack of a better currently implemented solution, it seems logically consistent to heed the Debian team’s advice regarding Stable vs Testing repositories:
If security or stability are at all important for you: install stable. period. This is the most preferred way.
Since there is typically over 1 year between releases you might find that stable contains old versions of packages. However, they have been tested in and out. One can confidently say that the packages do not have any known severe bugs, security holes etc., in them.
Will recommend Stable unless someone has a strong opinion otherwise.
