
Re: Updating scanners and filters in Debian stable (3.1)



On Wed, Sep 15, 2004 at 08:05:18PM +0200, Martin Schulze wrote:
> Martin Michlmayr wrote:
> > * Martin Schulze <joey@infodrom.org> [2004-09-13 15:40]:
> > > A while ago there was a discussion in which it was said that such
> > > tools are rather useless (or even dangerous) if they don't get their
> > > database updated in accordance with new viruses/security problems.
[...]
> > 
> > Maybe we should just relax the stable update policy for such packages,
> > and others which would benefit from regular updates (e.g. drivers).

[very valid reasoning deleted]

> I don't think I would be in favour of it.

What about a smaller change to the stable update policy: 

Virus scanners and other security tools which need regular database
updates should provide their own update mechanism, as some already
do. This handles the case of daily virus signature updates, which could
never be done appropriately through the security archive. It could be
used for things like spamassassin rules as well. This would allow for
local update policies, as well: Some people may not want their
spamassassin rules to be updated automatically, so they could turn off
the automated updates and still benefit from s.d.o security fixes.

If the upstream database format changes some day in an incompatible way,
and the automated updates start failing, it should be considered a
security issue big enough to warrant an update through
security.debian.org. Where possible, the database handling code could be
backported, but depending on the nature of the change, an update to the
new upstream version could be considered _if_ there are no deep
dependencies on that package. 

Just my opinion, but I really hope some solution can be found which makes
Debian as secure as possible while maintaining the advantages of a
really stable release.

Jan


