
Re: clamav needs updating



This one time, at band camp, Jim Popovitch said:
> So avscan (or any other V project) could prevent critical updates from
> reaching end-users.  That seems like a security problem to me.
> Suppose some virus spammers convince ($$) some avscan (or other
> project) developer to drag their feet on releasing a fix?  

Then, as I have before, I'll fix the product for volatile myself.  The
simplest fix for avscan is to disable a whole swath of functionality in
avscan, so I'd rather not take the simple approach.

If the resolution is going to take more than a short while, I can do a
targeted fix to resolve the DoS present in 0.91.  It is a two line
patch that fixes a bug that does not allow for code execution, so it is
hardly a critical update.  New upstream versions are not, by their very
nature, "critical updates" in my mind, sorry.  There are some nice
feature fixes in 0.91.1 over 0.91, but none of them so important as to
warrant hyperbole.  If the security issues addressed in the latest
release were more severe, I would have already coordinated a volatile
security point release, as I have already done for stable and testing.

> Wouldn't it be better to advise of the dependent project's problem in
> the release notes, and advise against applying the clamav update on
> just those avscan systems?

What release notes?  You mean a volatile update announcement?  Is it OK
with you to break systems where people do automated upgrades?  Even
though the charter for volatile says that it is designed to be as easy
to integrate as security.d.o, and it's not just another random backports
site that doesn't mind breaking your system because they don't test?

> Does murphy.d.o use avscan or clamav?

I assume it uses clamav, yes.  I also assume that the DSA team can
evaluate the risks to the archive and to their machines and make
choices, just like everyone else.

Sorry if this comes off as angry, but the implication that we're sitting
on our hands giving someone time to break into your systems is a bit
much.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
