This one time, at band camp, Jim Popovitch said:
> So avscan (or any other V project) could prevent critical updates from
> reaching end-users. That seems like a security problem to me.
> Suppose some virus spammers convince ($$) some avscan (or other
> project) developer to drag their feet on releasing a fix?

Then, as I have before, I'll fix the product for volatile myself. The simplest fix for avscan is to disable a whole swath of functionality in avscan, so I'd rather not take the simple approach. If the resolution is going to take more than a short while, I can do a targeted fix to resolve the DoS present in 0.91. It is a two-line patch that fixes a bug that does not allow for code execution, so it is hardly a critical update.

New upstream versions are not, by their very nature, "critical updates" in my mind, sorry. There are some nice feature fixes in 0.91.1 over 0.91, but none of them so important as to warrant hyperbole. If the security issues addressed in the latest release were more severe, I would have already coordinated a volatile security point release, as I have already done for stable and testing.

> Wouldn't it be better to advise of the dependent project's problem in
> the release notes, and advise against applying the clamav update on
> just those avscan systems?

What release notes? You mean a volatile update announcement? Is it OK with you to break systems where people do automated upgrades? Even though the charter for volatile says that it is designed to be as easy to integrate as security.d.o, and it's not just another random backports site that doesn't mind breaking your system because they don't test?

> Does murphy.d.o use avscan or clamav?

I assume it uses clamav, yes. I also assume that the DSA team can evaluate the risks to the archive and to their machines and make choices, just like everyone else.
Sorry if this comes off as angry, but the implication that we're sitting on our hands giving someone time to break into your systems is a bit much.
-- 
-----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
-----------------------------------------------------------------