On Thu, Feb 17, 2011 at 1:53 PM, Camaleón <noela...@gmail.com> wrote:
> On Thu, 17 Feb 2011 11:20:44 -0600, Boyd Stephen Smith Jr. wrote:
>
> > On Thursday 17 February 2011 11:05:42 Camaleón wrote:
>
> >> > From what I understand, the clamav binaries are only updated in
> >> > stable (even in stable/volatile or stable-updates) when a new version
> >> > is needed in order to use the updated virus definitions, or for the
> >> > normal stable update criteria.
> >>
> >> Uh? Is that true? I thought the whole volatile repo was also handling
> >> "oldstable" packages? :-?
> >
> > I wasn't clear. I mean that just because there is a new upstream
> > version of ClamAV, that doesn't mean it will get included in volatile.
> > It might be appropriate for volatile, but not all new upstream versions
> > are.
>
> Yes, I know that and I'm fine with that policy. What made me get a
> bit nervous was not seeing much activity in volatile's mailing list.
>
> >> > However clamav (and more and more software) starts getting noisy as
> >> > soon as upstream provides a new version, for whatever reason. Even
> >> > in A/V software, not every upgrade is appropriate for stable.
> >>
> >> Well, I don't read all and each of the ClamAV new released changelogs
> >> to see what has been patched, but being an AV I'd expect a new version
> >> corrects some severe bugs and not just "cosmetic" errors.
> >
> > While I don't think your expectation is well-founded, if it is the case
> > that the new version corrects some severe bugs, I would expect it not
> > only in lenny-volatile but also lenny-proposed-updates. Maybe not
> > lenny-proposed-updates, but I think the RC-level bug fix policy in
> > oldstable is roughly the same as stable.
>
> Here is the changelog... you finally made me read it ;-)
>
> http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.97
>
> From 0.96.5 (released on Tue Nov 30) to 0.97 (released on Mon Feb 7) I
> can't see any patch that can be considered dangerous or remotely
> exploitable, so all seems okay. I'll patiently wait and see.
>
> Greetings,
>
> --
> Camaleón

What I'm seeing now puzzles me. I'm considering the same situation, except for squeeze. The packages site says .97 is available in lenny-volatile. But .97 is not showing up in squeeze-updates, which is supposed to replace volatile.

I can understand the conservative path, but the whole point of the fork in the tree is to give people the choice to run the more cutting edge releases of volatile style packages. This should not require compiling source to achieve. We choose Debian over Slackware et al. because we prefer to work within a package management system. Some of us are not maintaining hobby boxes.

When it comes to virus scanning, there is little point in getting an update which now supports last year's viruses. We need to be current with this one for the package to have any value at all. I'm OK with seeing the warning from ClamAV for 30 days or so, but if there are any massive glitches to be concerned about, they should show up within that window and we should be safe to upgrade.

I question whether the squeeze-updates really works as a replacement for volatile. I don't see mention of it in the Debian packages reports, e.g.:

http://packages.debian.org/search?keywords=clamav

--Donald