
Re: [Pkg-clamav-devel] [SRM] clamav 0.94.x EOL



On Fri, 9 Oct 2009 16:39:41 +0200 Philipp Kern <pkern@debian.org> wrote:
>On Thu, Oct 08, 2009 at 08:31:49AM -0400, Scott Kitterman wrote:
>> I do not think removal is the approach that would be best for users.  It
>> would leave them with an orphaned, non-working package and they will have
>> to upgrade systems to a newer release, install from external sources (e.g.
>> volatile), or compile from source directly.
>> 
>> Updating clamav and needed rdepends to something that upstream supports
>> would be more beneficial for users.  With a half a year of notice, I think
>> this is manageable.
>> 
>> This is the approach Ubuntu will be taking (they already have a full set of
>> updates in their backport repository that is tested and almost ready).
>
>Especially as there is no use in keeping old versions of a virus scanner
>around which cannot be updated anymore and as a sufficient amount of people do
>want a virus scanner on their box.
>
>I ask myself, though, how many people are actually using the version Lenny
>provides.  If they do, they probably do not know it better to use volatile,
>or do not trust it because it's not as official as the stable suite is.
>Of course we could do a noisy drop of clamav out of Lenny and point people to
>volatile, I just wonder if that's actually a disservice to our users.

One reason to use Lenny's is if you are using it with one of the libclamav 
rdepends; the volatile clamav won't work, since the updated rdepends are 
not in volatile.

>For squeeze I see two proposals:
> a) Either we could relax the policy for clamav a bit if sufficient upgrade
>    testing is ensured (like Ubuntu already does, thanks to Scott's work)

I can attest that this is a significant amount of work, but it is 
achievable.

> or
> b) We push volatile to be a really official service alongside the stable
>    tree residing on our normal infrastructure as a goal for squeeze.
>    Volatile updates are currently undergoing testing (thanks to the clamav
>    team) but maybe a coordinated effort in reviewing for stable suitability
>    of the Ubuntu and Debian counterparts of clamav maintenance would help
>    us to convince a possible set of people not using volatile yet.

It would also need to deal with rdepends to be a suitable replacement for 
the official archive.

My view is that it's pointless to try to keep stability in anti-virus.  
Staying still is actually a regression as the bad guys start new ways of 
causing problems.

Debian users ought to be able to just update their systems with what is 
provided by Debian in confidence that their software will keep working.  
Currently, at least for the subset using libclamav rdepends, they don't 
have that at all.

Scott K

