[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [volatile] Updated clamav-related packages available for testing

As a user of this software in production environments and a long time Debian user at various levels I must admit this Clamav issue is simply a pain. It seems like this whole issue has lasted years now in many various forms and it is frustrating when you are relying on a piece of software to do a certain task and one day it just stops updating or even working. Sure there are other options including commercial stuff but we all know how that goes when trying to stick to the Debian way of doing things, this required lib isn't in stable, that one is only available in unstable which has no security stuff happening etc etc.. Although I LOVE the Debian security model, it seems even after years of a stable methodology, the world STILL seems to think production servers should use bleeding edge software that has had no time for maturity/security to set in and the one distribution that understands this concept, folks seem to simply refuse to work with. I fail to understand this, and I'm no genius but there must be a way for the entire Debian team to figure some sort of elegant, permanent, and secure solution to this whole thing instead of patching it with bubble gum and bailing wire every time this link in the chain breaks. I mean really, the developers must realize that some things in this technical world change too fast for inclusion in the standard repositories yet these packages are something no publicly facing machine should do without. I would hope the Debian Security team realizes that lacking this type of software is a huge security risk within itself in some situations. Granted we have to do what we have to do, but there must be some sort of solid STABLE middle ground available which everyone can stand upon. Just my 2 cents from a different perspective with no intentions of belittling or offending anyone.

Jason Kolpin

Adam D. Barratt wrote:
On Thu, 2010-04-15 at 20:58 +0200, Kurt Roeckx wrote:
On Wed, Apr 14, 2010 at 10:35:41PM +0100, Adam D. Barratt wrote:
The clamav project have announced that they will be publishing a
specially formed virus signature which disables older versions of the
software, including the version in lenny.  If you have not yet migrated
to using the volatile packages, now would be a good time to do so. :-)
What does this mean exactly?  Will it now tell that everything is
not a virus, even for things that it used to be able to detect?

That doesn't seem particularly easy to determine from the announcements
provided by upstream, unless I'm looking in the wrong places; the
wording I used was very much based on their EOL announcement.

I've CCed the package maintainers in the hope that they might have more
of an insight.

What about providing a working version in stable-security and/or
proposed-updates before that happens?

The security team have already indicated that they're unwilling to
support the stable versions of clamav and directed users towards
volatile instead - see

Many people are unwilling to use packages from p-u that haven't been
officially released as part of a point release so that doesn't
necessarily help the situation much; it would also break all of the
reverse-dependencies in stable.  Looking at including the volatile
versions of the r-deps as well would be a possibility, but to my
knowledge we don't yet have any reports of success, or otherwise, using
those packages.



Reply to: