Re: clamav needs updating

To: debian-volatile@lists.debian.org
Subject: Re: clamav needs updating
From: Stephen Gran <sgran@debian.org>
Date: Mon, 23 Jul 2007 17:29:11 +0100
Message-id: <20070723162911.GA556@www.lobefin.net>
In-reply-to: <20070723161555.GA2070@localhost.localdomain> <1185204822.13429.10.camel@localhost>
References: <20070723135857.GA3131@www.lobefin.net> <20070723161317.GA1942@localhost.localdomain> <20070723161555.GA2070@localhost.localdomain> <1185178162.3386.8.camel@localhost.localdomain> <20070723092643.GA20305@www.lobefin.net> <1185198054.8737.2.camel@localhost> <20070723135857.GA3131@www.lobefin.net> <1185199678.8737.9.camel@localhost> <20070723143753.GA18889@www.lobefin.net> <1185204822.13429.10.camel@localhost>

This one time, at band camp, Jim Popovitch said:
> On Mon, 2007-07-23 at 15:37 +0100, Stephen Gran wrote:
> > Then, as I have before, I'll fix the product for volatile myself.  The
> > simplest fix for avscan is to disable a whole swath of functionality in
> > avscan, so I'd rather not take the simple approach.
> 
> I can appreciate that.  What I haven't seen/heard is whether or not the
> avscan folks have even started on an approach.  

I did say that I was talking to them and they are working on a fix, but
maybe it got missed.

> > If the resolution is going to take more than a short while, I can do a
> > targetted fix to resolve the DoS present in 0.91.  
> 
> Are we talking about waiting 1 day, 1 week, 1 month, or 1 year on the
> avscan folks?

More than a day, but less than a week.

> Yes, at some point I do believe it is OK to break systems that depend on
> other software that isn't maintained in a timely fashion.  Is it OK with
> you to leave a DoS app in production while a less used application waits
> for an unspecified amount of time to be fixed.  Interestingly enough
> Amavis and other ClamAV dependent applications don't suffer from those
> nuances.

Sorry, but this really isn't how my understanding of stable, security,
or volatile works.  If you are OK with upgrades on a stable system
breaking software, we might have different ideas about what 'stable'
means.

This one time, at band camp, paddy@panici.net said:
> On Mon, Jul 23, 2007 at 04:13:18PM +0000, paddy@panici.net wrote:
> > 
> > Can the new clam packages conflict against an avscan version that 
> > hasn't been released yet but will have the fix in it ?
> 
> sorry, 
> 
> conflict against versions *prior to* an as-yet-unreleased fixed version

If avscan was for some reason your mission critical app, would that be a
good solution for you?  It's a fallback possibility, yes, but one I'd
like to use as a last resort.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Re: clamav needs updating
  - From: Stephen Gran <sgran@debian.org>
- Re: clamav needs updating
  - From: paddy@panici.net
- Re: clamav needs updating
  - From: paddy@panici.net
- Re: clamav needs updating
  - From: Javier Amor García <javier.amor.garcia@warp.es>
- Re: clamav needs updating
  - From: Stephen Gran <sgran@debian.org>
- Re: clamav needs updating
  - From: Jim Popovitch <yahoo@jimpop.com>
- Re: clamav needs updating
  - From: Jim Popovitch <yahoo@jimpop.com>
- Re: clamav needs updating
  - From: Stephen Gran <sgran@debian.org>
- Re: clamav needs updating
  - From: Jim Popovitch <yahoo@jimpop.com>

Prev by Date: Re: clamav needs updating
Next by Date: Re: clamav needs updating
Previous by thread: Re: clamav needs updating
Next by thread: Re: clamav needs updating
Index(es):
- Date
- Thread