That sounds like the right approach. Scott K On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote: > Hi again > > I have now compared the 0.100.2 version in stretch to the version 0.100.3 > in stretch updates. > I can then see that most of the changes that I'm worried about is not > included. > > This means that I will take the .orig file and include a sub-set of the > updates. > The remaining updates will be: > - Symbol updates (unavoidable I think). > - Copyright update (not sure if it is necessary but I'll include it anyway) > > The rest will not be updated. > > Best regards > > // Ola > > On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist <ola@inguza.com> wrote: > > Hi Scott > > > > I have now walked through the difference in the debian directories between > > the version in jessie and stretch updates. > > I think there is more work than just a simple changelog update. > > > > 1) The changelog file contain a lot of changes. I wonder how we generally > > should it. If I backport a package from current stable should I keep that > > changelog and just add one entry or should I pretent that the jessie > > version still apply and add one entry from that one... Not sure myself. > > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a > > patch introduced to not depend on it > > 3) Config file moved > > from /etc/systemd/system/clamav-daemon.socket.d/extend.conf > > to /etc/systemd/system/clamav-daemon.service.d/extend.conf > > 4) Changes in postinst. Not sure if it is backwards compatible or not yet. > > Preliminary not. > > 5) Debhelper compat updated. Should be ok. > > 6) Build dependency changes. > > 7) clamav-dbg package no longer provided > > 8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so > > and pkgconfig moved accordingly. > > 9) Support for llvm introduced. Should probably be ok. > > 10) A LOT of symbols changed. They are delared private so it should be ok. > > But you never know. > > > > It would be helpful if you can help me judge if any of the above means > > backwards incompatibility. > > > > I'm most worried about the following: > > - Socket change > > - Config file change > > - Postinst change > > - clamav-dbg > > - Symbol changes > > > > Thank you in advance > > > > // Ola > > > > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman <debian@kitterman.com> wrote: > >> I believe you've misunderstood. > >> > >> The version in stable is 0.100.3 and does not have a soname bump (nor > >> does it > >> need one). You should be able to update the LTS with that package with > >> little > >> more (maybe no more) than an updated changelog. > >> > >> Scott K > >> > >> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote: > >> > Hi Scott and LTS team > >> > > >> > Thank you. I'll see if I can backport the required fixes. That may > >> > solve > >> > the library issue. > >> > > >> > Alternatively we state that clamav is not supported. Maybe someone in > >> > >> the > >> > >> > LTS team can advice on that. > >> > > >> > Best regards > >> > > >> > // Ola > >> > > >> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman <debian@kitterman.com> > >> > >> wrote: > >> > > Comments inline. > >> > > > >> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote: > >> > > > Hi > >> > > > > >> > > > I missed to include the clamav maintainers. Sorry about that. > >> > > > > >> > > > // Ola > >> > > > > >> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <ola@inguza.com> wrote: > >> > > > > Dear maintainers, LTS team and Debian Secutiry team > >> > > > > > >> > > > > I have started to look at the clamav package update due to > >> > > > > CVE-2019-1787 > >> > > > > CVE-2019-1788 > >> > > > > CVE-2019-1789 > >> > > > > (the other three vulnerabilities are not affecting jessie or > >> > >> stretch > >> > >> > > as I > >> > > > >> > > > > understand it) > >> > > > >> > > That's correct. > >> > > > >> > > > > I have understood that the clamav package is typically updated to > >> > >> the > >> > >> > > > > latest version also in stable and oldstable. However when doing > >> > >> so I > >> > >> > > > > encountered quite a few things that I would like to ask your > >> > >> advice > >> > >> > > > > on. > >> > > > > > >> > > > > First of all to the maintainers. Do you want to handle also LTS > >> > > > > (oldstable) and regular security (stable) upload of clamav? > >> > > > >> > > Stable is already done through stable proposed updates (which is the > >> > > normal > >> > > path for clamav). We leave the LTS releases to the LTS team. Base > >> > >> your > >> > >> > > work > >> > > on what's in stable. > >> > > > >> > > > > Question to maintainers and Security team. Should we synchronize > >> > >> the > >> > >> > > > > efforts here and have you already started on the stable update? > >> > > > > > >> > > > > If not I have a few questions: > >> > > > > 1) Do you know the binary compatibility between libclamav7 and > >> > > > >> > > libclamav9? > >> > > > >> > > > > I have noticed that the package in sid produces libclamav9 while > >> > >> the > >> > >> > > one > >> > > > >> > > > > in jessie provides libclamav7. Do you think this can be an issue? > >> > > > >> > > Yes. It's guaranteed to be an issue. We have a stable transition > >> > > prepared > >> > > and will do it (once the srm blesses) after the next point release in > >> > > April. > >> > > Note that the security team doesn't support clamav. > >> > > > >> > > > > 2) Do you think backporting the package in sid is better than > >> > >> simply > >> > >> > > > > updating to the latest upstream while keeping most scripts in > >> > > > >> > > oldstable? I > >> > > > >> > > > > had to copy over the split-archive.sh to be able to generate a > >> > >> proper > >> > >> > > orig > >> > > > >> > > > > tarball. > >> > > > >> > > No. Use what's in stable proposed updates. > >> > > > >> > > > > - I personally think the package in sid have a little too much > >> > >> updates > >> > >> > > to > >> > > > >> > > > > make that safe, especially since it produces new library > >> > > > > packages. > >> > > > >> > > Agreed. That would definitely be a bad idea. > >> > > > >> > > > > - On the other hand, I had to do some modifications already to > >> > >> make > >> > >> > > allow > >> > > > >> > > > > the package to be generated and I have not even started building > >> > >> yet. > >> > >> > > > > There > >> > > > > may be many fixes needed to make this package work in > >> > > > > oldstable... > >> > > > >> > > I suspect that what's in stable will work in oldstable, but I haven't > >> > > tried > >> > > it. It'll certainly take less work than what's in sid. > >> > > > >> > > > > I guess we cannot generate new library package version, or? > >> > > > >> > > Generally one does not, but for clamav you kind of have to at some > >> > >> point. > >> > >> > > Note that for libclamav7 -> libclamav9 there are also API changes, so > >> > > libclamav-dev reverse builld-depends need patching in addition to > >> > > rebuilding. > >> > > Once we've done that in stable, it should be easy enough to adapt for > >> > > oldstable when the time comes. Don't worry about it now. > >> > > > >> > > Scott K > > > > -- > > > > --- Inguza Technology AB --- MSc in Information Technology ---- > > > > | ola@inguza.com opal@debian.org | > > | http://inguza.com/ Mobile: +46 (0)70-332 1551 | > > > > ---------------------------------------------------------------
Attachment:
signature.asc
Description: This is a digitally signed message part.