Re: Updating scanners and filters in Debian stable (3.1)
On Mon, Oct 11, 2004 at 04:30:36PM -0400, Stephen Gran wrote:
> This one time, at band camp, paddy said:
> > On Mon, Sep 13, 2004 at 12:45:34PM -0400, Stephen Gran wrote:
> > > This one time, at band camp, Martin Schulze said:
> > > > A while ago there was a discussion in which it was said that such
> > > > tools are rather useless (or even dangerous) if they don't get their
> > > > database updated in accordance with new viruses/security problems.
> > > >
> > > > Some of these systems are hence not suitable for a stable Debian
> > > > release where updates will only be made for security problems and
> > > > very important bugfixes.
> > > >
> > > > Have you thought about keeping these packages out of sarge or did you
> > > > develop a solution so that users can get their databases updated
> > > > outside of the stable Debian release?
> > >
> > > ClamAV uses freshclam for virus definitions, so the actual database
> > > updates are covered. That being said, there are relatively frequent
> > > changes to the scanning engine as well, leaving me feeling like it may
> > > not be the best choice for a stable release. I do plan to continue
> > > offering out of band up dates on p.d.o, but I am not sure this is the
> > > best way to proceed. Feedback welcome,
> > Stephen,
> > Revisiting your original question.
> > Reading the Debian Policy Manual as I am right now:
> > 2.2.1 The main section
> > ...
> > packages in main ...
> > must not be so buggy that we refuse to support them
> > While you clearly do not refuse, it was argued that the net effect is
> > likely to be just so.
> People seem to comparing apples and oranges rather frequently in this
> discussion, so I will try to be very clear here. I am not talking about
> regular bugs in clam that affect the security, stability, or packaging
> of the software itself. Infrastructure is already in place for those
> sorts of problems.
You're right of course, I have been confused by conversations about other
packages. Given that a package lives up to what is expected of packages
in stable (or can reasonably be expected to do so), is it not 'supported'
It would seem a little presumptious to consider the converse: that packages
needing it should maintain a presence in volatile, as a condition of
fullfilling their obligations to stable.
Either way, this does underline the potential value of volatile,
as you go on to point out.
> The problem is only that packages of this sort need to change to keep
> up with the threats they are designed to combat. The inability to pick
> up a new virus is not a bug in the same category as 'segfaults at start'
> or 'never worked at all' - it is a 'this used to work, but times have
> changed' bug, similar to a 'please package new upstream version because
> it has more features' kind of bug. If clam releases in stable, and
> there is no volatile, then there is no in-band mechanism to deal with
> these sorts of bugs. So there will likely be tons of 'does not catch
> virus X' bugs tagged wontfix and people will just be referred to out of
> band update sites. This is not the end of the world, but I think we can
> do better.
> > Perhaps the question now should be: does volatile modify this?
> > (for example, does volatile count as support for this purpose).
I realise now that this is perilously close to 'an excuse for not
living up to the standards of stable', which I did not intend.
> I don;t think it relates to that part of the policy manual, as I said
> above, but perhaps some people feel so.
Just reading that paragraph in the policy manual, there seems an ambiguity
in 'support', but I am not familiar with whole document and its interpretation, so I am likely just misquoting. I really was reading that at the time and my
post finger got itchy (again :) And I thought that data point might assist
you in addressing one of your original questions.
I have no strong feeling either way, beyond that volatile seems a strong
positive move to do worthwhile work.
But if 'support' for stable is defined to ignore the 'useless' question,
then it seems volatile will define 'support' to a different standard.
Perl 6 will give you the big knob. -- Larry Wall