[Pkg-clamav-devel] Etch backported security fixes
Moritz Muehlenhoff
jmm at inutil.org
Wed Nov 12 00:07:11 UTC 2008
On Wed, Nov 12, 2008 at 12:51:01AM +0100, Michael Tautschnig wrote:
> [...]
> > >
> > > Attached please find the complete changeset to fix this issue. I'm just about
> > > to build the package, which could get uploaded to security-master whenever you
> > > like.
> >
> > From my experience at work, the Etch version of ClamAV is completely useless
> > since freshclam processes current signatures _extremely_ slow due to missing
> > scan engine features, resulting to postfix being blocked for up to two hours.
> >
> > Am I missing something here?
> >
>
> Just to be sure: You're not talking about any kind of regression, are you?
No, it's not a regression, but apparently the standard behaviour of clamav
with current signature databases. There's also a bug about it: #454587.
(Note that according to my experience it's much worse than described in the
bug nowadays).
> Of
> course, almost everybody wants to run the -volatile version of clamav (and so do
> I, so I can't really comment on that issue). Still, we're formally supporting
> the package in etch and thus also provide security fixes as the are deemed
> necessary. If the security team perfers to stop support for clamav, which has
> kept you guys quite busy (that upload would be etch16, after all), so be it.
We don't support stuff for formal reasons, but to solve genuine problems. Unless
someone sees clamav from Etch currently being useful for anything, we should
just stop it.
BTW, I've said it several times that clamav is unsuitable for a stable release, but
it's claimed it should be kept due to rdeps. Since all these rdeps will break
along with clamav that's even _more_ reason to move it to volatile only.
Stephen previously said he's all for it, you don't run the stable clamav at all,
so what's stopping us from fixing this for Lenny?
Cheers,
Moritz
More information about the Pkg-clamav-devel
mailing list