
Re: [volatile] Updated clamav-related packages available for testing



This one time, at band camp, Jan Lühr said:
> The imho more interesting point is: What does it mean in the long term?
> The current situation is: 
> Volatile has clamav 0.95, while upstream has 0.96.  There are security related 
> issues in 0.95 (DoS etc.?) [1] that might affect(?) volatile - furthermore the 
> clamav-people are suggesting to use the latest version [2] - that is 0.96.
> Volatile itself is not supported by the security team [3] and the security 
> team refuses to support the current stable version [4].
> 
> As a sysop running lenny/clamav on a few hosts, I started building clamav from 
> source and reading clamav's announce list.
> But I wonder, what does it mean in the long run:
> - Will volatile be updated to 0.96 soon?

Yes - we always test bugs in the upgrade path in unstable first, and we
found some, so we are fixing them there first.  Once that is complete,
we'll upload to volatile.

> - Will clamav (in volatile) receive official security support?

So far it has been handled by the Debian clamav team.

> - Are there any (better supported) alternatives to clamav in lenny?

Not to my knowledge.

> - Afair there is no specific EOL-/Kill-Switch in clamav: ClamAV <= 0.94 is 
> unable to handle "big" incremental updates and a "too" big update was 
> shipped. Is it - from a naive point of view - just a bug that can be fixed in 
> debian [5]? Just apply the given patch [6] in lenny's clamav and be 
> happy? ;-)

That patch does not address the issue.  That is a sigtool problem, not a
clamd one.  The clamd one is harder to get right and the change set is
much larger.

Cheers,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
