Re: ClamAV update in jessie
On Fri, Oct 04, 2019 at 11:37:29AM +0200, Hugo Lefeuvre wrote:
> Regarding the DLAs. I plan to release a DLA per upload (one DLA for clamav
> and one for each reverse dependency). Announcing all five uploads under a
> single DLA seems a bit messy to me.
I would say it depends a bit, I would say. It might be clear, but just
to be on safe side stating it here: the CVEs fixed for clamav are not
to be associated with those rebuild packages as well.
I was thinking if I remember similar cases for DSAs. Let me see, on
top of the head I do not recall actually much such special cases. Only
two I remembered and looked up, there might be more!
DSA-3433-1 was a case where we needed an update for ldb first, and
then a rebuild of samba as well with that version in place. So not
really exactly what you have here.
CVE-2013-7439 was another case, more similar to the one which is to be
handled by you. As the list there was too long, we decided back then
to put the list in the tracker, this is not very optimal though. If
you have only those couple of rebuilds, then you simply can state this
in the DLA for clamav, that package x, y and z are to be rebuild for
the ABI changes.
Of course you can decide to release single DLAs for the 'package
update due to the need of rebuild', but I guess it should be made
clear then in the text of the DLA that they are just needed due to the
ABI change in clamav.