
Re: [Pkg-clamav-devel] [volatile] Updated clamav-related packages available for testing

"Jason Kolpin" <jasonk@ncat.org> wrote:

>As a user of this software in production environments and a long time 
>Debian user at various levels I must admit this Clamav issue is simply a 
>pain. It seems like this whole issue has lasted years now in many 
>various forms and it is frustrating when you are relying on a piece of 
>software to do a certain task and one day it just stops updating or even 
>working. Sure there are other options including commercial stuff but we 
>all know how that goes when trying to stick to the Debian way of doing 
>things, this required lib isn't in stable, that one is only available in 
>unstable which has no security stuff happening etc etc.. Although I LOVE 
>the Debian security model, it seems even after years of a stable 
>methodology, the world STILL seems to think production servers should 
>use bleeding edge software that has had no time for maturity/security to 
>set in and the one distribution that understands this concept, folks 
>seem to simply refuse to work with. I fail to understand this, and I'm 
>no genius but there must be a way for the entire Debian team to figure 
>some sort of elegant, permanent, and secure solution to this whole thing 
>instead of patching it with bubble gum and bailing wire every time this 
>link in the chain breaks. I mean really, the developers must realize 
>that some things in this technical world change too fast for inclusion 
>in the standard repositories yet these packages are something no 
>publicly facing machine should do without. I would hope the Debian 
>Security team realizes that lacking this type of software is a huge 
>security risk within itself in some situations. Granted we have to do 
>what we have to do, but there must be some sort of solid STABLE middle 
>ground available which everyone can stand upon. Just my 2 cents from a 
>different perspective with no intentions of belittling or offending anyone.

I work on clamav and related packages in both Debian and Ubuntu.

In fairness to Clamav upstream, they gave months of warning before taking this step. Additionally, anti-virus software is not like most other software. It faces a continuously escalating set of requirements. Running the same old version will cause regression in capability over time.

In Ubuntu we have taken a different approach. The clamav and related packages have an exception to the normal policy for updates. There is a defined test and qualification process that, in our experience, substantially mitigates the risks associated with major post-release updates. Today, with the exception of one release that is two weeks from EOL, one can get clamav 0.95.3 from the regular security and updates repositories.

Since Ubuntu has a more bleeding edge approach than Debian, one might argue it's more appropriate there, but I wish Debian had taken a similar approach. The marginal amount of testing needed for one more release is not large (clamav and the related packages generally have little or no divergence from their Debian counterparts).

Scott K

Scott Kitterman 
