
Re: Can a new ClamAV be considered for sarge?



In gmane.linux.debian.devel.release Stephen Gran wrote:
>> > Since version 0.84 of clamav made it into sarge, upstream has (again)
>> > done some work on the scanning engine, which means that certain
>> > signatures retrieved by the clam updater are not usable by the version
>> > of clamav in sarge.  This doesn't render the version in sarge useless -
>> > it still uses most of the signatures, just not those of the newest type.
>>
>> But in that case it should be removed from Sarge; it gives a false sense
>> of security.
>
> I raised this idea months ago on -devel, and was shouted down for saying
> that fast moving targets might not be supportable in a stable release.
> It was already my intention to work with the people managing volatile,
> and as for what is releasing (or not) with sarge, I will do my best for
> it, but it will of course be rapidly suboptimal.  Witness woody's
> spamassassin.
>
> Steve, whatever you think is best for these packages.  So far the
> inclination has been to release them anyway, so I guess I am not asking
> to rock the boat.  This seems to me to be a discussion that really needs
> to happen for etch, whatever we do today.

But in contrast to spamassassin, a virus scan engine which cannot use the
latest signatures has security effects for every admin that relies on virus
scanning to protect his systems (which may be a flawed, but still widely
adopted, concept). If a half-usable clamav stays in sarge, the majority of
all admins will not notice this failure; if it's not included, they'll find
volatile.debian.net as the primary Google hit for "clamav debian" and use
it instead.

So I guess it should either be removed or prominently pointed out that you
should update it as soon as possible. (e.g. in the release notes)

Cheers,
        Moritz
