Re: [Pkg-clamav-devel] The future of clamav wrt. stable/volatile

To: pkg-clamav-devel@lists.alioth.debian.org, debian-release@lists.debian.org
Subject: Re: [Pkg-clamav-devel] The future of clamav wrt. stable/volatile
From: Stephen Gran <sgran@debian.org>
Date: Sun, 25 Jan 2009 16:37:49 +0000
Message-id: <[🔎] 20090125163749.GB11540@www.lobefin.net>
Mail-followup-to: pkg-clamav-devel@lists.alioth.debian.org, debian-release@lists.debian.org
In-reply-to: <[🔎] 20090125151057.GD29960@finlandia.home.infodrom.org>
References: <[🔎] 20090125141325.GC38667@l03.local> <[🔎] 20090125151057.GD29960@finlandia.home.infodrom.org>

This one time, at band camp, Martin Schulze said:
> Michael Tautschnig wrote:
> > In the clamav packaging team we had recurring discussion about how to deal with
> > clamav in the near (== lenny) and more distant (>= squeeze) future. The current
> > situation is as follows:
> > 
> > - We've got severly outdated clamav packages in etch(-security).
> > - A few packages depend on clamav; those depends are not necessarily versioned.
> > - Any sensible use of clamav requires the packages from volatile to be able to
> >   handle all features of upstream's current signature database.
> > - We've had 16 security updates since the release of etch, which constantly
> >   required backporting of upstream's fixes that were included in the volatile
> >   releases.
> > 
> > We could of course continue this game of telling users that nothing but the
> > clamav from volatile is what one should use on production systems, but maybe
> > there are other options as well. Let me see what options we have:
> > 
> > - Stick with the current scheme. Possible, but neither user- nor
> >   maintainer-friendly.
> > - Move clamav to volatile only. This would, however, also require that all
> >   depending packages go to volatile, even the depends are unversioned.
> 
> Does the clamav interface change between versions?

Yes, clamav had several soname changes during the etch release, and
several configuration and command line options changed.  I don't think
we can depend on it staying stable during lenny.

> If not, would it be possible that a sufficiently stable version will
> be included in stable and updates (including new versions) be handled
> via volatile - including a large note in the clamav package to include
> volatile.

That's roughly what we're doing now - try to get the most stable
version we can into the stable release, and track changes via volatile.
The downside for both users and maintainers is that depending packages
frequently don't get updated for the changed clamav, leaving them
performing poorly, or not catching new viruses, or both.  The downside
for us as maintainers is that we have to support a version of clamav in
stable that no one actually uses.  I've done this for 2 releases now,
and it always feels vaguely pointless by the end of the release cycle.

Cheers,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: [Pkg-clamav-devel] The future of clamav wrt. stable/volatile
  - From: Martin Schulze <joey@infodrom.org>

References:
- The future of clamav wrt. stable/volatile
  - From: Michael Tautschnig <mt@debian.org>
- Re: The future of clamav wrt. stable/volatile
  - From: Martin Schulze <joey@infodrom.org>

Prev by Date: proposing gcc-4.1 / gcc-4.2 for testing
Next by Date: Re: Debian 5.0 ("lenny") release notes: Call for translations, again
Previous by thread: Re: The future of clamav wrt. stable/volatile
Next by thread: Re: [Pkg-clamav-devel] The future of clamav wrt. stable/volatile
Index(es):
- Date
- Thread