Re: [Pkg-clamav-devel] LTS update of clamav and call for advice
On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> I forgot to include the clamav maintainers. Sorry about that.
> // Ola
> On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <firstname.lastname@example.org> wrote:
> > Dear maintainers, LTS team and Debian Security team
> > I have started to look at the clamav package update due to
> > CVE-2019-1787
> > CVE-2019-1788
> > CVE-2019-1789
> > (the other three vulnerabilities are not affecting jessie or stretch as I
> > understand it)
> > I have understood that the clamav package is typically updated to the
> > latest version also in stable and oldstable. However when doing so I
> > encountered quite a few things that I would like to ask your advice on.
> > First of all, to the maintainers: do you want to handle the LTS
> > (oldstable) and regular security (stable) uploads of clamav as well?
Stable is already done through stable proposed updates (which is the normal
path for clamav). We leave the LTS releases to the LTS team. Base your work
on what's in stable.
> > Question to the maintainers and the Security team: should we synchronize
> > the efforts here, and have you already started on the stable update?
> > If not I have a few questions:
> > 1) Do you know the binary compatibility between libclamav7 and libclamav9?
> > I have noticed that the package in sid produces libclamav9 while the one
> > in jessie provides libclamav7. Do you think this can be an issue?
Yes. It's guaranteed to be an issue. We have a stable transition prepared
and will do it (once the srm blesses) after the next point release in April.
Note that the security team doesn't support clamav.
> > 2) Do you think backporting the package in sid is better than simply
> > updating to the latest upstream while keeping most scripts in oldstable? I
> > had to copy over the split-archive.sh to be able to generate a proper orig
> > tarball.
No. Use what's in stable proposed updates.
> > - I personally think the package in sid has a few too many updates to
> > make that safe, especially since it produces new library packages.
Agreed. That would definitely be a bad idea.
> > - On the other hand, I already had to make some modifications to allow
> > the package to be generated, and I have not even started building yet.
> > There may be many fixes needed to make this package work in oldstable...
I suspect that what's in stable will work in oldstable, but I haven't tried
it. It'll certainly take less work than what's in sid.
> > I guess we cannot generate a new library package version, or can we?
Generally one does not, but for clamav you kind of have to at some point.
Note that for libclamav7 -> libclamav9 there are also API changes, so
libclamav-dev reverse build-depends need patching in addition to rebuilding.
Once we've done that in stable, it should be easy enough to adapt for
oldstable when the time comes. Don't worry about it now.