[Pkg-clamav-devel] Bug#888484: Packages still not available?

Roberto C. Sánchez roberto at debian.org
Mon Jan 29 13:59:55 UTC 2018 

On Mon, Jan 29, 2018 at 02:30:01PM +0100, Fared Ghijas wrote:
> 
>    The fixed versions seem not to be available at
>    [1]https://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all        
>    .
> 
It should be shortly.

>    Why does it take so long for such a critical bug.

Because Debian has a process for issuing both security and non-security
updates. That process involves the review of multiple parties. In the
case of ClamAV, the updates are frequent enough that they are handled
via the proposed-updates mechanism, which requires the review and
approval of a release manager. This is explained in the discussion
history of this bug.

>    This means DOS and
>    remote code execution vulnerability for a whole lot of mail gateways,
>    which might expose communication, abuse those systems for spam or use them
>    to get into trusted networks. The vulnerability is already actively used.

Everybody involved is well aware of this.

>    The answer cannot be to compile a new version on our own. This is not the
>    reason for having a long term support distribution, maybe with a small
>    footprint without a compiler. It took already more than 72h while the
>    patch was available.
> 
I cannot tell if you are serious or if you are trolling here. Debian is
in use on hundreds of thousands, if not millions, of systems worldwide.
It helps nobody to have patches rushed out without proper testing and
review. Additionally, much of the work on Debian is being done by
unpaid volunteers in their spare time.

Additionally, the manner in which upstream made the release involved
changing the version numbering of a release that was already planned,
which complicated matters a bit.

If you are so dependent on having updates in a particular time frame,
then you should consider developing the ability to build your own
security updates (yes, compiling the updates for yourself can certainly
be a valid answer). If that is not possible or desirable for you, then
you should contract with a commercial entity that can provide that
support. There are numerous individuals and companies, including quite
a few Debian developers, who would be more than happy to furnish you a
support contract with a specified service level agreement response time.

>    The open source world usually does a great job on fast security updates
>    and I’m sure you guys do too.
> 
I am not convinced that you understand and appreciate the amount of
effort involved.

>    Could you please provide this update as soon as any possible or give us
>    some information how long it will take?
> 
If you look at the messages recorded in the bug history prior to your
message, the packages for jessie and stretch were uploaded about 15
hours prior to you sending your message. It takes some time for
packages to be built for all supported architectures and then to be
distributed across the worldwide archive mirror network. The stretch
packages have all been built for a few hours now and should show up in
the archive mirrors within a few hours.

Regards,

-Roberto

-- 
Roberto C. Sánchez

More information about the Pkg-clamav-devel mailing list