Dear Release Team, In the clamav packaging team we had recurring discussion about how to deal with clamav in the near (== lenny) and more distant (>= squeeze) future. The current situation is as follows: - We've got severly outdated clamav packages in etch(-security). - A few packages depend on clamav; those depends are not necessarily versioned. - Any sensible use of clamav requires the packages from volatile to be able to handle all features of upstream's current signature database. - We've had 16 security updates since the release of etch, which constantly required backporting of upstream's fixes that were included in the volatile releases. We could of course continue this game of telling users that nothing but the clamav from volatile is what one should use on production systems, but maybe there are other options as well. Let me see what options we have: - Stick with the current scheme. Possible, but neither user- nor maintainer-friendly. - Move clamav to volatile only. This would, however, also require that all depending packages go to volatile, even the depends are unversioned. - Do fairly large updates (i.e., possibly new major versions) through stable-proposed-updates. - ??? We don't necessarily seek a solution for lenny, but would like to start a discussion and receive some comments from people involved in release management to see which further options we have, or which of the proposed are acceptable. Thanks, Michael PS.: Please keep the pkg-clamav-devel list CC'ed for other clamav devs to chime in.
Attachment:
pgp6nSLRtDkEJ.pgp
Description: PGP signature