This one time, at band camp, Robert de Bath said:
> LibClamAV Warning: ********************************************************
> LibClamAV Warning: *** This version of the ClamAV engine is outdated.   ***
> LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
> LibClamAV Warning: ********************************************************
>
> The current version in stable claims that it is a security risk.

Just to be clear, it does not say it is a security risk. It says that if
you want to catch all the latest virus outbreaks, you'll need to upgrade.
These are related, but orthogonal, issues.

> IMO this should be viewed as a security bug and fixed as such; however,
> just before I fired off a bug report to that effect I looked at the URL
> above (I had already checked the Debian package and bug pages) and found
> the reference to the volatile project.
>
> Now this is a problem; I still see a bug here but I'm now not sure
> whose bug it is. In reality it's probably not a clamav bug because the
> 'volatile' package fixes it. It probably should be a bug in the policy
> for security-fix packages, but it would appear that it's a large
> political problem that is being addressed by the people behind the
> 'volatile' project.

The 'bug' is that software projects move on, and stable remains stable.
It is a design decision of the project, and from an administrative point
of view, a good one.

The clamav suite includes a library, and some other packages in Debian
link to it. Including the latest upstream would mean not only releasing
the latest clamav, but also hunting down all the other packages that use
the library (or interface with it in some way - sendmail, amavis, exim,
etc.) and making sure the upgrade doesn't break anything. Doing this
sort of automated testing in a vacuum is sure to miss some corner cases,
and this means that blindly releasing new versions of upstream software
in a stable release is going to break someone's setup, if not today,
then at some point during the release cycle. This is just clamav we are
talking about here - what if we were talking about something more
fundamental like the kernel or the toolchain?

The volatile project exists to try to bridge the gap for people who
don't mind a little administrative hassle in order to have the latest
upstream version of some piece of software. The volatile project aims at
easy integration with stable, but it is not guaranteed, in the same way
stable is, to have an unchanging interface. At some point, things will
break.

> In the meantime I still had to go away from Debian to find that Debian
> could actually fix the bug with clamav/stable, so IMHO there should be
> a very obvious reference that debian-security is not supporting this
> package and that you need to go to debian-volatile to get security fixes.

The security team is supporting clamav. You will find that all of the
security vulnerabilities found in the sarge version of clamav have been
fixed by uploads to the security archive. Again, you are using the word
security in a way I don't normally use it.

> So can I suggest that you leave this bug open (perhaps with a can't fix
> or won't fix flag) so that it can prevent somebody going off and buying
> f-prot because Debian can't do the job :-)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310549

is already open, and I have tagged it sarge, I believe. Would you agree
that this is roughly a duplicate of that unfixable-by-design bug?

> OTOH: If you know where to put a bug against the debian website that
> might be a good place to assign this ...

The only possibly appropriate place would be a bug against policy,
asking that the stable release policy be changed so you can get a newer
version of an anti-virus scanner. Since most of the things clamav
detects don't affect linux systems, I have a feeling I can guess the
answer to that bug report.
-- 
-----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
-----------------------------------------------------------------
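The message above argues that shipping a newer libclamav in stable would mean re-testing every package that links against or talks to it. The script below is an added example (not part of this thread, and not Debian's own tooling) that makes that set concrete: it parses a Debian-style Packages index, lists the packages whose Depends/Pre-Depends name a given package, and then walks the reverse-dependency graph transitively. The embedded index is constructed for the example, and the version strings and dependency relationships in it are illustrative placeholders, not the real sarge metadata.

```shell
#!/bin/sh
# Added example: reverse-dependency search over a Debian "Packages" index.
# The index below is CONSTRUCTED for this example; versions and
# relationships are placeholders, not the real sarge archive.

PACKAGES_SAMPLE='Package: clamav
Version: 0.84-EXAMPLE
Depends: libclamav1 (= 0.84-EXAMPLE), clamav-freshclam | clamav-data

Package: libclamav1
Version: 0.84-EXAMPLE
Depends: libc6 (>= 2.3.2), zlib1g

Package: clamav-daemon
Version: 0.84-EXAMPLE
Depends: libclamav1 (= 0.84-EXAMPLE), clamav-base, libc6

Package: amavisd-new
Version: 2.0-EXAMPLE
Depends: perl, clamav-daemon | clamav

Package: exim4-daemon-heavy
Version: 4.50-EXAMPLE
Depends: libc6, libdb4.2
'

# rdepends NAME [FILE]: print the Package of every stanza whose Depends or
# Pre-Depends field lists NAME, in any alternative ("a | b") and with any
# version constraint ("(>= 1.2)"). Reads the constructed sample when no
# FILE is given; a real /var/lib/apt/lists/*_Packages file works too.
rdepends() {
    want="$1"
    src="${2:-}"
    { if [ -n "$src" ]; then cat "$src"; else printf '%s\n' "$PACKAGES_SAMPLE"; fi; } |
    awk -v want="$want" '
        /^Package:/ { pkg = $2 }
        /^(Pre-)?Depends:/ {
            if (pkg == printed) next           # one line per stanza
            sub(/^[^:]*:[ \t]*/, "")           # drop the field name
            gsub(/\([^)]*\)/, "")              # drop version constraints
            n = split($0, alt, /[,|]/)         # "a, b | c" -> a, b, c
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", alt[i])
                if (alt[i] == want) { print pkg; printed = pkg; break }
            }
        }'
}

# rdepends_closure NAME: NAME plus everything that depends on it directly
# or transitively, sorted one per line. This is the set that a changed
# library would have to be regression-tested against.
rdepends_closure() {
    seen="$1"
    queue="$1"
    while [ -n "$queue" ]; do
        cur="${queue%% *}"
        case "$queue" in *" "*) queue="${queue#* }" ;; *) queue="" ;; esac
        for dep in $(rdepends "$cur"); do
            case " $seen " in
                *" $dep "*) ;;
                *) seen="$seen $dep"; queue="${queue:+$queue }$dep" ;;
            esac
        done
    done
    printf '%s\n' $seen | sort -u
}

# Usage: every package an updated libclamav1 would reach.
rdepends_closure libclamav1
```

On a live system, `apt-cache rdepends libclamav1` answers the direct question from the installed index; the point of the closure here is that the breakage surface is not just the packages linking the library but also those (amavisd-new in the constructed sample) that only reach it through clamav-daemon, which is exactly what makes "just ship the new upstream" expensive to validate.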