
Re: Can a new ClamAV be considered for sarge?



This one time, at band camp, Moritz Muehlenhoff said:
> In gmane.linux.debian.devel.release Stephen Gran wrote:
> > I raised this idea months ago on -devel, and was shouted down for
> > saying that fast moving targets might not be supportable in a stable
> > release.  It was already my intention to work with the people
> > managing volatile, and as for what is releasing (or not) with sarge,
> > I will do my best for it, but it will of course be rapidly
> > suboptimal.  Witness woody's spamassassin.
> 
> But in contrast to spamassassin, a virus scan engine which cannot use
> the latest signatures has security effects for every admin that relies
> on virus scanning to protect his systems (which may be a flawed, but
> still widely adopted concept). If a half-usable clamav stays in sarge
> the majority of all admins will not notice this failure; if it's not
> included they'll find volatile.debian.net as the primary Google hit
> for "clamav debian" and use it instead.

Well, I would hesitate to call it a security problem, as it doesn't
directly affect the host machine.  And similarly, an old spamassassin
can't catch the new spams, so they are roughly equivalent in failing to
do the things they set out to do.  But otherwise, I agree - aged
versions of these types of software are not helpful, and may lead
foolish people to think they are protected when they aren't.

> So I guess it should either be removed or prominently pointed out that
> you should update it as soon as possible. (e.g. in the release notes)

Don't worry - clam will tell you itself that it needs an upgrade.  It
prints a big warning about it in fact, see #292483 :)

All this aside, I feel this is just adding noise to a list dedicated to
getting a release out.  If you feel really strongly that clam shouldn't
be released with stable, file a bug or speak with one of the RMs about
it, and let them pull it.  As I said, I am amenable to clam not
releasing with stable, but not without some consensus that this is the
right approach for this kind of software.

Take care,
-- 
 -----------------------------------------------------------------
|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
 -----------------------------------------------------------------

Attachment: pgprScQBMewoB.pgp
Description: PGP signature

