Discuss the 5.2.2 release

[michael]

Discuss the 5.2.2 release here.
You can download the release here.
Mainly a regression-fix release for 5.2.0.

[mpack]

The main page gives October 24th as the release date of 5.2.2, which is a tad confusing. I had to do several double takes!

Edit:  Ah, fixed now I see. For others convenience the changelog is here.

[michael]

Fixed, thank you (and Michal, who pointed it out too).

[halfervirt]

I think the hashes are missing for this release. Would someone upload them?

Thanks.

https://www.virtualbox.org/download/has ... SHA256SUMS
https://www.virtualbox.org/download/has ... .2/MD5SUMS

[ChipMcK]

MD5SUMS
SHA256SUMS

Best

[socratis]

The problem is that the checksums that ChipMcK gave are over "http" and people that are checking the checksums want them over "https". And in the Downloads page (which is https) the links to the checksums are broken (the links that halfervirt gave). I've had another complaint over the IRC.

[halfervirt]

Alright, thanks both. I've upgraded to 5.2.0 for now, and I'll await the 5.2.2 hashes being available over a secure channel.

[mpack]

Alright, thanks both. I've upgraded to 5.2.0 for now, and I'll await the 5.2.2 hashes being available over a secure channel.

I'm curious why? The hashes have nothing to do with security, they're about checking whether you have a corrupted download, after you suspect same.

On Windows versions at least, security is provided by digital signatures embedded in the executables, including the installer.

[socratis]

On Windows versions at least, security is provided by digital signatures embedded in the executables, including the installer.

Same on the OSX side about the installer. But I guess that if the download is not from an "https" source, and the SHA256 (minimum) is not available again from an "https" source, some people are having trouble sleeping at night

[mpack]

AFAICS the website shouldn't matter. Even if you got the installer off a guy with a barrow down at the fishmarket, the installer can only pass a digital signature check if the code is untouched since Oracle signed it.

[Nickna]

AFAICS the website shouldn't matter. Even if you got the installer off a guy with a barrow down at the fishmarket, the installer can only pass a digital signature check if the code is untouched since Oracle signed it.

You REALLY should know what you're talking about if you've going to dispense security advice to people. In your scenario, you acquire an installer from a stranger at the fishmarket. Now how are you going to verify that it came from Oracle? By trying to open it? Do you see the problem with that?

[michael]

Sorry about that, hashes uploaded.

[mpack]

You REALLY should know what you're talking about if you've going to dispense security advice to people.

I'm speaking as someone who is a developer who digitally signs his own code with a DigiCert EV certificate (requiring a USB key to be present). How about you?

In your scenario, you acquire an installer from a stranger at the fishmarket. Now how are you going to verify that it came from Oracle? By trying to open it?

By using the signature verification tools provided by your OS. This is what the signature is there for. This does not require you to run the suspect executable. If the code has been modified then the digest hash check will fail. Only Oracle can provide an Oracle signature which passes.

Edit:  I see that Michael has fixed the hashes problem, and this discussion is off topic (oops), so we had better stop there.

[RonSMeyer1]

No go. Back to 5.1.30. You still can't use 3D acceleration in a Linux guest.

[socratis]

@RonSMeyer1
Please don't generalize, not all Linux guests have issues. All of mine are just fine, thank you. If you have a problem with a specific distro/version, please state which one. Don't just throw an "all of them" out there.