VirtualBox is the only one of the 3 mentioned is still both free as in beer (even for commercial use*) as well as free as in freedom (GPLv3).

* Unless you use the Oracle plugin, but you really shouldn't, because most features from it have been moved to the GPL base.

The only other really free alternative is Qemu.

> * Unless you use the Oracle plugin, but you really shouldn't, because most features from it have been moved to the GPL base.

Oh? I moved to KVM via UnRAID, but not because of any particular complaint with VirtualBox or the Oracle plugin. But then, I only used the plugin for the RDP feature. Has that been moved into the main codebase?

Not RDP, but like encryption, it's the only other feature I can think of which remains on the extpack. IMHO they are all enterprisey "mark a checkbox" level features that should be irrelevant for even actual enterprise users.

Why do you have to use RDP anyway? It gives almost zero advantages over VNC here since all the output is going to be raster.

>Why do you have to use RDP anyway? It gives almost zero advantages over VNC here since all the output is going to be raster.

No preference for either protocol; I just used RDP because that was the most convenient with VirtualBox and the plugin. (I think (?) I tried VNC and couldn't get it to work.) I use VNC now with UnRAID's KVM, but probably would have stuck with RDP were it supported.

> most features from it have been moved to the GPL base

Wow, that’s nice to hear! Installing the ext pack used to be an almost mandatory step for me.

Except virtual box is open source and probably the whole reason these vulnerabilities are found. I’m sure similar vulnerabilities could exist in VMware but are much harder to find due to being closed source.

Even if we accept the premise, I'd rather use software that contains hard-to-find bugs than easy-to-find bugs, all other things being equal.

In my experience of casual usage VMware is less buggy in general (no random crashes, etc.), and that usually translates into fewer security bugs too.

But if your adversary is spending $$$$$ on vulns to throw at you, you can probably assume they can vm-escape either one.

It’s really not harder for the folks with this skill set, and plenty of these vulnerabilities have been found in VMware too over the years.

https://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY...

https://www.darkreading.com/vulnerabilities-threats/vmware-z...

https://cloud.google.com/blog/topics/threat-intelligence/vmw...

It is always harder, because it always take more time. We don't know the ratio (how many bugs more would have been found if VMware would be open source)

We can agree to disagree. I just don’t think it’s the high order bit in determining the rate of vulnerability discovery - in my opinion the commercial utility (white / black / grey) of the exploits is a more important factor in determining how quickly they are found.

Your post is obsolete. VMware workstation is now free for all users, even commercial ones.

https://blogs.vmware.com/cloud-foundation/2024/11/11/vmware-...

Is there any catch? Can we say that Broadcom brought something good when they bought it?

Yes, that development of vmware workstation has been abandoned for years ever since the original team was fired.

No catch as far as I know.

That and most development virtual box use has moved to using Docker which has caused things like Hyper-V on Windows and macOS to create better alternatives for Docker to use and Linux doesn't need the VM.

Nope. Hyper-V only works on pro and higher versions of Windows. VMWare is not free. I can run VirtualBox on demand (as a portable app) and that simplifies things immensely. VirtualBox can also work with all different kinds of virtual hard disks, can archive and import archives from different versions without any problem and that make it a versatile and useful tool. There are also tons of information about VirtualBox from the community.