Re: [volatile] Updated clamav-related packages available for testing

As a user of this software in production environments and a long-time Debian user at various levels, I must admit this ClamAV issue is simply a pain. It seems like this whole issue has lasted years now in many various forms, and it is frustrating when you are relying on a piece of software to do a certain task and one day it just stops updating or even working. Sure, there are other options, including commercial stuff, but we all know how that goes when trying to stick to the Debian way of doing things: this required lib isn't in stable, that one is only available in unstable, which has no security stuff happening, etc., etc. Although I LOVE the Debian security model, it seems even after years of a stable methodology, the world STILL seems to think production servers should use bleeding-edge software that has had no time for maturity/security to set in, and the one distribution that understands this concept, folks seem to simply refuse to work with. I fail to understand this, and I'm no genius, but there must be a way for the entire Debian team to figure out some sort of elegant, permanent, and secure solution to this whole thing instead of patching it with bubble gum and baling wire every time this link in the chain breaks. I mean really, the developers must realize that some things in this technical world change too fast for inclusion in the standard repositories, yet these packages are something no publicly facing machine should do without. I would hope the Debian Security team realizes that lacking this type of software is a huge security risk in itself in some situations. Granted, we have to do what we have to do, but there must be some sort of solid STABLE middle ground available which everyone can stand upon. Just my 2 cents from a different perspective, with no intention of belittling or offending anyone.

Jason Kolpin
Adam D. Barratt wrote:
> On Thu, 2010-04-15 at 20:58 +0200, Kurt Roeckx wrote:
> > On Wed, Apr 14, 2010 at 10:35:41PM +0100, Adam D. Barratt wrote:
> > > The clamav project have announced that they will be publishing a
> > > specially formed virus signature which disables older versions of the
> > > software, including the version in lenny.  If you have not yet migrated
> > > to using the volatile packages, now would be a good time to do so. :-)
> > What does this mean exactly?  Will it now tell that everything is
> > not a virus, even for things that it used to be able to detect?
>
> That doesn't seem particularly easy to determine from the announcements
> provided by upstream, unless I'm looking in the wrong places; the
> wording I used was very much based on their EOL announcement.
>
> I've CCed the package maintainers in the hope that they might have more
> of an insight.
>
> > What about providing a working version in stable-security and/or
> > proposed-updates before that happens?
>
> The security team have already indicated that they're unwilling to
> support the stable versions of clamav and directed users towards
> volatile instead - see
> http://lists.debian.org/debian-security-announce/2009/msg00228.html
>
> Many people are unwilling to use packages from p-u that haven't been
> officially released as part of a point release so that doesn't
> necessarily help the situation much; it would also break all of the
> reverse-dependencies in stable.  Looking at including the volatile
> versions of the r-deps as well would be a possibility, but to my
> knowledge we don't yet have any reports of success, or otherwise, using
> those packages.
>
> Regards,
>
> Adam