Re: Any plans to include chkrootkit?

To: debian-volatile@lists.debian.org
Subject: Re: Any plans to include chkrootkit?
From: Kyle Wheeler <kyle@memoryhole.net>
Date: Sun, 10 Jul 2005 12:01:39 -0500
Message-id: <[🔎] 20050710170138.GR6936@tunican.local>
In-reply-to: <[🔎] 42D1479B.60503@schulte.it>
References: <[🔎] 7093dffb0507091714721358e5@mail.gmail.com> <[🔎] 20050710031409.GN6936@tunican.local> <[🔎] 42D1479B.60503@schulte.it>

On Sunday, July 10 at 06:06 PM, quoth Christian Schulte:

Kyle Wheeler schrieb:
On Sunday, July 10 at 10:14 AM, quoth Robert S:
Are there any plans to put chkrootkit onto volatile? I think thatthis would satisfy the criteria for inclusion.
What seems increasingly obvious that most people don't seem to get isthat "volatile" does not go scavenge for software it would like toinclude. "volatile" is a place where software maintainers (that havebeen approved) may place software designed to run on pure-stable.
Please correct me if I am wrong but <http://volatile.debian.net>
confusingly states the opposite.

[...]
"The main issue of volatile is to allow system administrators to updatetheir systems in a nice, consistent way without getting the drawbacks ofusing unstable, even without getting the drawback for the selectedpackages."


Indeed. Now, what are the drawbacks of unstable?

   1. It's *UNSTABLE*
   2. It updates everything very frequently
   3. It frequently depends on very recent versions of libraries

None of those are addressed by "volatile" administrators grabbing newpackages as they come out and proclaiming them sufficient to install onstable.

[...]
"volatile is not just another place for backports, but should onlycontain changes to stable programs that are necessary to keep themfunctional;"

This doesn't contradict my explanation either. This is, essentially, amission statement. Volatile's goal is to allow package maintainers toavoid letting their package become irrelevant on debian-stable.

Here is what happened when I asked on debian-user-german for help withthe clamav packages from sarge. I asked for a solution of
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.
People there suggested to use the clamav packages from volatile. Iinstalled these packages and relied on "...without getting the drawbacksof using unstable...". I have apt-listbugs installed and rely on it todisplay bugs for packages I install. It did not show up any bugs for theclamav packages from volatile although there already was a securityupdate to the clamav packages from sarge which still is not applied tothe volatile clamav packages, as I was told. The clamav packages fromvolatile seem to be "just" backports of the clamav packages fromunstable without the same security fixes applied as to the sargepackages, although the website suggests the opposite!

The clamav packages in volatile are version 0.86.1. This version isnecessary to avoid the warnings about outdated engines that youindicated above. It also contains the security fix, though the fix didnot have to be backported, like the sarge security fix did.

The point is that this is at the behest of the clamav packagemaintainers. THEY put 0.86.1 into volatile.

If the chkrootkit developer feels like making sure his package willinstall cleanly on sarge/stable, then he can ask to have it included involatile. This is what clamav does, for example.
It installs cleanly on sarge and introduces a security problem alreadyfixed in sarge by the security team.

Wait, what? The version in stable is 0.44-2. The version in Unstable is0.45-1. There haven't been any security postings about chkrootkit AT ALL(http://www.debian.org/security/2005/). What "security problem alreadyfixed in sarge by the security team" does 0.45-1 fix?

You get an updated engine which detects more viruses than the sargeversion does however.

Then the chkrootkit developer can post a message here requesting thatthe new version be hosted on the volatile servers.


Is this really that confusing? It works like this:

1. Maintainer of package X realizes that the debian-stable versionof his package no longer works2. Maintainer of package X puts together a package that solves theproblem and compiles and installs cleanly on debian-stablewithout dependencies on anything not in debian-stable3. Maintainer of package X contacts volatile and says "my package isbroken on debian-stable, here's a package that fixes it"

   4. Volatile maintainers decide whether or not to accept it

Unfortunately, users (like us) don't get a say in what goes intovolatile. What goes in may be a backport, or may be the most recentversion that links against stable, but that's entirely up to the packagemaintainer. The onus is on the package maintainer to make a "volatile"package and submit it to the volatile group. The volatile group does notgrab unstable packages and turn them into volatile packages.


~Kyle

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: Any plans to include chkrootkit?
  - From: Christian Schulte <cs@schulte.it>

References:
- Any plans to include chkrootkit?
  - From: Robert S <robert.spam.me.senseless@gmail.com>
- Re: Any plans to include chkrootkit?
  - From: Kyle Wheeler <kyle@memoryhole.net>
- Re: Any plans to include chkrootkit?
  - From: Christian Schulte <cs@schulte.it>

Prev by Date: Re: Any plans to include chkrootkit?
Next by Date: Re: Any plans to include chkrootkit?
Previous by thread: Re: Any plans to include chkrootkit?
Next by thread: Re: Any plans to include chkrootkit?
Index(es):
- Date
- Thread