Re: clamav needs updating
On Mon, 2007-07-23 at 14:58 +0100, Stephen Gran wrote:
> This one time, at band camp, Jim Popovitch said:
> > On Mon, 2007-07-23 at 10:26 +0100, Stephen Gran wrote:
> > > This one time, at band camp, Javier Amor García said:
> > > > Hello,
> > > > we are interested in the new version of clamav to use it in the new
> > > > release of eBox .
> > > > An updated ClamAV is one of the last missing pieces left for the release
> > > > so we would like to know when the volatile package will be ready.
> > > > It will be ready in the first half of this week?
> > >
> > > No, probably not. As I feared, we have found a piece of software
> > > (avscan) that is broken by some changes in the clamav public API in this
> > > release. I have been talking to the maintainer, and he is working on a
> > > patch with upstream. Once I have some idea of how that's going, I will
> > > upload to volatile, but not until we have a supportable path that
> > > doesn't break other software in the archive, sorry.
> > How long will you wait on the dependent project avscan before releasing
> > clamav?
> My interpretation of volatile's role with regard to the archive means
> that the only answer possible is "when avscan is ready". Maybe the
> other volatile team members will have a different opinion.
So avscan (or any other V project) could prevent critical updates from
reaching end-users. That seems like a security problem to me. Suppose
some virus spammers convince ($$) some avscan (or other project)
developer to drag their feet on releasing a fix?
Wouldn't it be better to advise of the dependent project's problem in
the release notes, and advise against applying the clamav update on just
those avscan systems?
Does murphy.d.o use avscan or clamav?