[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[VUA 2-2] Automatically updated clamav-data packages contain current patterns - Process Update

Debian Volatile Update Announcement VUA 2-2      http://volatile.debian.net
debian-volatile@lists.debian.org                                 Marc Haber

Package              : clamav-data

Clamav-data is a Debian package which contains a set of Clamav Virus
Databases. It is meant to be used in situations where http access is
not readily available and thus clamav-freshclam cannot be used.

Every 30 minutes, a cron job on a volatile.debian.net host uses
clamav-freshclam to find out whether clamav upstream has released new
databases. If new databases have been found, an automatic process is
then triggered which
  * downloads new databases
  * packages them into a new clamav-data .deb, using the
    clamav-getfiles package which is available from Debian.
  * It then proceeds to install that .deb in multiple chroots:
    * plain sarge
    * sarge+volatile
    * etch
    * sid
    and tries to scan clamav-testfiles and eicar.com with the clamav
    binary from the respective distribution and the databases from the
    new clamav-data .deb.
  * Only if all these tests succeed, the packages are automatically
    moved to the volatile archive.
  * Since the package description of clamav-data in sarge points
    people to people.debian.org for automatically built .debs, the newly
    built packages are - again automatically - rsynced there.
  * If the package build process or the tests fail, no new packages
    are moved anywhere (so the last known good state remains), and an
    Administrator is alerted.

The processes described above run automatically without human
intervention. This means that the clamav-data packages in
debian-volatile are not reviewed by a human before being moved to the
archive. Thus, they do not bear a maintainer signature. However,
clamav upstream signs the actual databases, so you should be able to
verify the databases' authenticity after the clamav-data .deb has been
installed on your system.

Since installing unsigned packages is always a risk, our
recommendation is to use clamav-freshclam locally instead of
clamav-data whenever possible.

To double-check that the automatic process is operational, a cron job
on a different host checks the contents of the volatile Packages.bz2
file and alerts an Administrator if no new clamav-data package has
been found for 36 hours. This time span might be adapted to upstream's
release cycles. This reminder cron job runs every six hours.

Obsolete clamav-data packages are removed from the debian-volatile
archive 15 days after they have dropped out of any debian-volatile
Packages file.

Clamav-data packages are available in sarge/volatile.

Upgrade Instructions
- --------------------

You can get the packages at


and install them with dpkg, or add

 deb http://volatile.debian.net/debian-volatile sarge/volatile main
 deb-src http://volatile.debian.net/debian-volatile sarge/volatile main

to your /etc/apt/sources.list. You can also use any of our mirrors.
Please see http://volatile.debian.net/mirrors.html for the full list
of mirrors.  The archive signing key can be downloaded from

For further information about debian-volatile, please refer to

If there are any issues, please don't hesitate to get in touch with the
volatile team.

Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Attachment: signature.asc
Description: Digital signature

Reply to: