Re: Klamav Updates

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

Scott Kitterman napisał(a):
> These are all good points and were mostly ones I argued during the meeting. 
>  The fundamental concern I have is I know (now) that the packaged clamav 
> will interact with the local version without particularly complaining about 
> it.  This is sufficiently risky in my book to trump the other arguements.  
> There are other issues too, like the clamav updates downloaded by klamav 
> won't have any of the Debian/Ubuntu patches installed.

And what are these patches for? Are they really important or just change
paths, etc.?
Maybe Clamav should be packaged exactly as upstream, without patches, so
that it could update itself without problems?

> Recently the clamav support picture has improved significantly.  Is you 
> look at Feisty, it's had three security updates since release and all 
> security fixes from the later releases are incorporated.  Additionally, the 
> current version of clamav is available via feisty-backports.  Because of 
> the improved volunteer support through the packaging system, I think the 
> need for individuals to upgrade directly from upstream is much less than it 
> has generally been.

I think it is not enough. In case of outburst of some nasty virus the
update should be delivered within hours, maximum 1 day, and I do not
think this deadline can be met if it is repackaged.

And providing newer version in -backports is not a good idea. Not
everyone enables -backports, especially on servers, so they would be
excluded from important security update. This might be good enough for
feature release, not release which has to do with security.

        Krzysztof Lichota

signature.asc
Description: OpenPGP digital signature