
Re: Updating scanners and filters in Debian stable (3.1)



This one time, at band camp, paddy said:
> On Mon, Sep 13, 2004 at 12:45:34PM -0400, Stephen Gran wrote:
> > This one time, at band camp, Martin Schulze said:
> > > A while ago there was a discussion in which it was said that such
> > > tools are rather useless (or even dangerous) if they don't get their
> > > database updated in accordance with new viruses/security problems.
> > > 
> > > Some of these systems are hence not suitable for a stable Debian
> > > release where updates will only be made for security problems and
> > > very important bugfixes.
> > > 
> > > Have you thought about keeping these packages out of sarge or did you
> > > develop a solution so that users can get their databases updated
> > > outside of the stable Debian release?
> > 
> > ClamAV uses freshclam for virus definitions, so the actual database
> > updates are covered.  That being said, there are relatively frequent
> > changes to the scanning engine as well, leaving me feeling like it may
> > not be the best choice for a stable release.  I do plan to continue
> > offering out of band updates on p.d.o, but I am not sure this is the
> > best way to proceed.  Feedback welcome,
> 
> Stephen,
> 
> Revisiting your original question.
> 
> Reading the Debian Policy Manual as I am right now:
> 
> 	2.2.1 The main section
> 	...
> 	packages in main ...
> 	must not be so buggy that we refuse to support them
> 
> While you clearly do not refuse, it was argued that the net effect is 
> likely to be just so.

People seem to be comparing apples and oranges rather frequently in this
discussion, so I will try to be very clear here.  I am not talking about
regular bugs in clam that affect the security, stability, or packaging
of the software itself.  Infrastructure is already in place for those
sorts of problems.  

The problem is only that packages of this sort need to change to keep 
up with the threats they are designed to combat.  The inability to pick 
up a new virus is not a bug in the same category as 'segfaults at start'
or 'never worked at all' - it is a 'this used to work, but times have 
changed' bug, similar to a 'please package new upstream version because
it has more features' kind of bug.  If clam releases in stable, and
there is no volatile, then there is no in-band mechanism to deal with
these sorts of bugs.  So there will likely be tons of 'does not catch
virus X' bugs tagged wontfix and people will just be referred to out of
band update sites.  This is not the end of the world, but I think we can
do better.
 
> Perhaps the question now should be:  does volatile modify this?
> 
> (for example, does volatile count as support for this purpose).

I don't think it relates to that part of the policy manual, as I said
above, but perhaps some people feel so.
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------
