[Pkg-clamav-devel] Bug#888484: Bug#888484: Updates for stretch/jessie not in security repo

Scott Kitterman debian at kitterman.com
Thu Feb 1 04:07:11 UTC 2018


On Wednesday, January 31, 2018 12:52:35 PM Klaus Keppler wrote:
> Hi,
> 
> is there a special reason why the updates are not published through the
> "security" repositories of Debian Stretch/Jessie?
> 
> - on Debian 7, the update is in "wheezy" (via security)
> - on Debian 8, the update is in "jessie-updates"
> - on Debian 9, the update is in "stretch-updates"
> 
> With regard to the severity of the bug, I can't understand this release
> strategy. Or am I just too impatient?
> 
> Many "sources.list" files do not contain the "-updates" repository, for
> example unmodified Xen instances created with "xen-create-image".
> 
> So I suggest to push this update also into debian-security.
> 
> Thanks for your efforts & best regards

The reason is that typically clamav updates include much more than just 
security fixes (as far as I can recall in roughly a decade of clamav 
maintenance this is the first time it's happened), so are not considered 
suitable for the security repository.

We believe that keeping clamav up to date so that, as a package that provides 
a security service, it is always kept as capable as possible is of overriding 
importance for clamav.

Wheezy is done through 'security' because it's no longer supported by the 
Debian project, but by the Long Term Support team.  The LTS team publishes ALL 
updates (security or not) via the security repository.  For Debian supported 
releases, clamav will always go via updates.

If you are just discovering this now, you've been missing out on clamav 
updates for a long time.  Debian started publishing Stable Update 
Announcements in March, 2011.  The very first clamav stable update 
announcement was published that same month[1].  These clamav updates virtually 
always include security relevant fixes.

Scott K


[1] https://lists.debian.org/debian-stable-announce/2011/03/msg00003.html


