The way Linux updates are done in practice is significantly different from ClamAV virus signature updates.
With ClamAV, freshclam is automatically run periodically, sees (by some low-cost means) that a new file version is *supposed* to be available and tries to download it. If either it can't, or worse yet, it's the wrong one, it tries the next mirror. This all takes time and bandwidth.

With Linux updates, I explicitly ask (via aptitude) what new updates are available: It takes some time to retrieve the list. Then I select the ones I want and ask to install them. I have *never*, *ever* seen this mechanism deliver the wrong version and thus fail to install it. This is due to the fact that the same Debian mirror machine provides the new versions of a group of files as provides the list of new versions. Thus there is an almost zero chance of a race condition (unless some idiot adds a version to the list before uploading the actual deb file).

Even if set to auto update, I think the *lists* always come from the same servers as the files. It's not a matter of using DNS TXT records, it's a matter of sourcing them on a *different* computer than the actual files. This separation virtually begs for synchronization problems.

On Tue, 3 Jul 2018 09:14:31 +0200
Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> >> On Mon, 02 Jul 2018 04:02:58 -0700
> >> Al Varnell wrote:
> >>> Does the evidence available indicate that it's the mirrors that
> >>> are out-of-date or is it DNS? Everything I've seen shows that
> >>> they are not in sync, but I'm not sure which gets updated first.
>
> >On 02.07.2018 at 13:22, Brian Morrison wrote:
> >> It should not matter if the mirrors are ahead of DNS, they will
> >> simply provide the latest version for download.
> >>
> >> The problem is when a given set of mirrors are not available for a
> >> particular requester, eventually you completely run out of mirrors
> >> and no updates happen at all. There should be fall backs to
> >> prevent this...
>
> On 02.07.18 13:27, Reindl Harald wrote:
> >it's not rocket science to have a metafile on the mirror which
> >indicates the latest available version,
>
> because it's much easier, faster and effective </irony> to connect to
> mirror to check a metafile instead of checking single small DNS
> record.
>
> > linux distributions doing that for decades
> >and they have way larger metadata
>
> that's exactly because they have way larger metadata. If their
> metadata was as big as Clamav's, they'd use DNS too.
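
The question quoted in this thread (is it the mirrors or DNS that is out of date?) can be checked by comparing the version advertised in the DNS TXT record with the version in the header of the file each mirror actually serves. The following is an added example, not part of the original message and not ClamAV's own code; the field positions of both formats, the mirror names and all sample values are assumptions constructed for illustration.

```python
# Added example. Field layouts are assumptions; all sample data is constructed.
# Assumed TXT layout (colon-separated):
#   engine:main:daily:record-time:warning-flag:f-level:safebrowsing:bytecode
TXT_FIELDS = {"main": 1, "daily": 2, "bytecode": 7}

def advertised_versions(txt):
    """Database versions announced by the DNS TXT record."""
    parts = txt.strip().strip('"').split(":")
    if len(parts) < 8:
        raise ValueError("TXT record has too few fields")
    return {db: int(parts[i]) for db, i in TXT_FIELDS.items()}

def cvd_version(header):
    """Version from the first 512 bytes of a .cvd file. Assumed layout:
    ClamAV-VDB:build-time:version:sigs:f-level:md5:dsig:builder:stime"""
    fields = header[:512].decode("ascii", "replace").split(":")
    if len(fields) < 3 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    return int(fields[2])

def skew_report(txt, mirror_headers, db="daily"):
    """Classify each mirror against the advertised version of one database."""
    want = advertised_versions(txt)[db]
    report = {}
    for mirror, header in mirror_headers.items():
        if header is None:               # could not fetch anything
            report[mirror] = "unreachable"
            continue
        try:
            have = cvd_version(header)
        except ValueError:               # truncated or non-CVD response
            report[mirror] = "bad header"
            continue
        if have < want:                  # the "wrong one" case from the message
            report[mirror] = f"behind DNS by {want - have}"
        elif have > want:
            report[mirror] = f"ahead of DNS by {have - want}"
        else:
            report[mirror] = "in sync"
    return report

def sample_header(version):
    """Constructed 512-byte header; hash and signature are placeholders."""
    text = f"ClamAV-VDB:03 Jul 2018 05-19 -0400:{version}:1000:63:HASH:SIG:example:0"
    return text.encode("ascii").ljust(512)

SAMPLE_TXT = "0.100.0:58:24723:1530601740:1:63:47630:323"  # constructed
SAMPLE_MIRRORS = {"mirror-a.example": sample_header(24723),
                  "mirror-b.example": sample_header(24722),
                  "mirror-c.example": None,
                  "mirror-d.example": sample_header(24724)}
```

Run periodically from one vantage point, a report like this shows whether failed updates line up with mirrors lagging the advertised version or with mirrors being unreachable.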