Debian 10 and VirtualBox
While progressing at work toward the eventual replacement of Ubuntu with Debian 10, I discovered there is no Debian repository packages for VirtualBox.
Digging into this reveals Debian packagers find security patching difficult because the developers at the parent company Oracle do not release reliable Common Vulnerabilities and Exposures (CVE) notices. Because of a lack of cooperation from upstream on security support for older releases. The Debian policy is not to update VirtualBox point releases but instead backport patches. There also are no packages in the Buster Backports repository.
The upstream Oracle reply is to update to the latest version to resolve all security concerns.
A common reply by many software developers.
The Oracle people are not helping their own cause. Neither are the Debian developers.
I understand the issue for the main Buster repositories, but I see no reason the Backports repository can’t have the latest point release. The Backports repository targets more recent software.
VirtualBox can still be installed on Debian 10. The caveat is the upstream package does not support VNC, which means the extension pack must be installed for remote access.