[vbox-dev] Guest Additions are being downloaded over insecure HTTP
George Kadianakis
2014-08-20 23:02:37 UTC
> George,
> can you make a clear statement what package you're using? None of the
> packages from virtualbox.org should ever execute this code path.

Hm, I'm using Debian testing (jessie) with the Debian virtualbox
package:
# apt-cache show virtualbox
Package: virtualbox
Version: 4.3.14-dfsg-1

While using a VM, I go to the "Devices" menu and then "Insert Guest
Additions CD image".

Then it tells me that "Could not find Virtualbox Guest Additions disk
image file. Do you wish to download this disk image from the Internet".

If I click "Download", I get:

"Are you sure you want to download the VirtualBox Guest Additions disk image file from http://dlc.sun.com.edgesuite.net/virtualbox/4.3.14/VBoxGuestAdditions_4.3.14.iso (size 65,943,552 bytes)?"

I have no idea what edgesuite.net is, but indeed I couldn't find a
reference in the vanilla Virtualbox codebase...

Is this Debian code?
Frank Mehnert
2014-08-21 06:34:53 UTC
George,
Post by George Kadianakis
> > can you make a clear statement what package you're using? None of the
> > packages from virtualbox.org should ever execute this code path.
> Hm, I'm using Debian testing (jessie) with the Debian virtualbox
> # apt-cache show virtualbox
> Package: virtualbox
> Version: 4.3.14-dfsg-1
> While using a VM, I go to the "Devices" menu and then "Insert Guest
> Additions CD image".
> Then it tells me that "Could not find Virtualbox Guest Additions disk
> image file. Do you wish to download this disk image from the Internet".
> "Are you sure you want to download the VirtualBox Guest Additions disk image file from http://dlc.sun.com.edgesuite.net/virtualbox/4.3.14/VBoxGuestAdditions_4.3.14.iso (size 65,943,552 bytes)?"
> I have no idea what edgesuite.net is, but indeed I couldn't find a
> reference in the vanilla Virtualbox codebase...
> Is this Debian code?

dlc.sun.com.edgesuite.net is the service behind download.virtualbox.org.
As Klaus explained, there is work going on to make the stuff from this
service accessible via HTTPS but this will take more time.

The VirtualBox packages made by Oracle include the Guest Additions. They
are only available via HTTP. But the Debian repository at
http://download.virtualbox.org/virtualbox/debian is signed and there are
checksums available for all these packages at

https://www.virtualbox.org/download/hashes/{version}/{SHA256SUMS}

Kind regards,

Frank
--
Dr.-Ing. Frank Mehnert | Software Development Director, VirtualBox
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | 71384 Weinstadt, Germany

Head office: Riesstr. 25, D-80992 München
Registration court: Amtsgericht München, HRA 95603
Managing director: Jürgen Kunz

General partner: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
Commercial register of the Handelskammer Midden-Niederlande, No. 30143697
Managing directors: Alexander van der Ven, Astrid Kepper, Val Maher
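
Added example, not part of the thread or of VirtualBox: one way to check an ISO fetched over plain HTTP against a SHA256SUMS file obtained over HTTPS from the hashes location Frank mentions. It assumes the sums file uses the coreutils `sha256sum` line format; the function names and the stand-in file contents are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Assumed format, one entry per line: "<64 hex digits> <space or *><filename>"
LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")


def parse_sha256sums(text):
    """Map filename -> lowercase digest, ignoring lines that do not parse."""
    matches = (LINE.fullmatch(l) for l in text.splitlines())
    return {m.group(2): m.group(1).lower() for m in matches if m}


def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so a multi-megabyte ISO is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, sums_text, expected_size=None):
    """Return (ok, reason). Fails closed when the file has no entry."""
    name = os.path.basename(path)
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False, "no checksum entry for " + name
    # Optional cheap pre-check, e.g. the size shown in the download dialog.
    if expected_size is not None and os.path.getsize(path) != expected_size:
        return False, "size mismatch"
    if not hmac.compare_digest(sha256_file(path), expected):
        return False, "sha256 mismatch"
    return True, "ok"


def demo():
    """Constructed data: a tiny stand-in for the ISO plus a matching sums line."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "VBoxGuestAdditions_4.3.14.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for the ISO\n")
        sums = sha256_file(iso) + " *VBoxGuestAdditions_4.3.14.iso\n"
        good = verify_download(iso, sums)
        with open(iso, "ab") as f:  # simulate modification in transit
            f.write(b"tampered")
        bad = verify_download(iso, sums)
        return good, bad
```

The check is only as trustworthy as the channel the sums file came over, so the SHA256SUMS text passed in should be the copy retrieved via HTTPS, not one downloaded alongside the ISO over HTTP.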