[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: clamav needs updating

This one time, at band camp, Jim Popovitch said:
> So avscan (or any other V project) could prevent critical updates from
> reaching end-users.  That seems like a security problem to me.
> Suppose some virus spammers convince ($$) some avscan (or other
> project) developer to drag their feet on releasing a fix?  

Then, as I have before, I'll fix the product for volatile myself.  The
simplest fix for avscan is to disable a whole swath of functionality in
avscan, so I'd rather not take the simple approach.

If the resolution is going to take more than a short while, I can do a
targetted fix to resolve the DoS present in 0.91.  It is a two line
patch that fixes a bug that does not allow for code execution, so it is
hardly a critical update.  New upstream versions are not, by their very
nature, "critical updates" in my mind, sorry.  There are some nice
feature fixes in 0.91.1 over 0.91, but none of them so important as to
warrant hyperbole.  If the security issues addressed in the latest
release were more severe, I would have already coordinated a volatile
security point release, as I have already done for stable and testing.

> Wouldn't it be better to advise of the dependent project's problem in
> the release notes, and advise against applying the clamav update on
> just those avscan systems?

What release notes?  You mean a volatile update announcement?  Is it OK
with you to break systems where people do automated upgrades?  Even
though the charter for volatile says that it is designed to be as easy
to integrate as security.d.o, and it's not just another random backports
site that doesn't mind breaking your system because they don't test?

> Does murphy.d.o use avscan or clamav?

I assume it uses clamav, yes.  I also assume that the DSA team can
evaluate the risks to the archive and to their machines and make
choices, just like everyone else.

Sorry if this comes off as angry, but the implication that we're sitting
on our hands giving someone time to break into your systems is a bit
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |

Attachment: signature.asc
Description: Digital signature

Reply to: