Re: [Pkg-clamav-devel] [volatile] Updated clamav-related packages available for testing
"Jason Kolpin" wrote:
> As a user of this software in production environments and a long time
> Debian user at various levels I must admit this Clamav issue is simply a
> pain. It seems like this whole issue has lasted years now in many
> various forms and it is frustrating when you are relying on a piece of
> software to do a certain task and one day it just stops updating or even
> working. Sure there are other options including commercial stuff but we
> all know how that goes when trying to stick to the Debian way of doing
> things, this required lib isn't in stable, that one is only available in
> unstable which has no security stuff happening etc., etc. Although I LOVE
> the Debian security model, it seems even after years of a stable
> methodology, the world STILL seems to think production servers should
> use bleeding edge software that has had no time for maturity/security to
> set in and the one distribution that understands this concept, folks
> seem to simply refuse to work with. I fail to understand this, and I'm
> no genius but there must be a way for the entire Debian team to figure
> some sort of elegant, permanent, and secure solution to this whole thing
> instead of patching it with bubble gum and baling wire every time this
> link in the chain breaks. I mean really, the developers must realize
> that some things in this technical world change too fast for inclusion
> in the standard repositories yet these packages are something no
> publicly facing machine should do without. I would hope the Debian
> Security team realizes that lacking this type of software is a huge
> security risk within itself in some situations. Granted we have to do
> what we have to do, but there must be some sort of solid STABLE middle
> ground available which everyone can stand upon. Just my 2 cents from a
> different perspective with no intentions of belittling or offending anyone.

I work on clamav and related packages in both Debian and Ubuntu.

In fairness to Clamav upstream, they gave months of warning before taking
this step. Additionally, anti-virus software is not like most other
software. It faces a continuously escalating set of requirements. Running
the same old version will cause regression in capability over time.

In Ubuntu we have taken a different approach. The clamav and related
packages have an exception to the normal policy for updates. There is a
defined test and qualification process that, in our experience,
substantially mitigates the risks associated with major post-release
updates. Today, with the exception of one release that is two weeks from
EOL, one can get clamav 0.95.3 from the regular security and updates
repositories.

Since Ubuntu has a more bleeding edge approach than Debian, one might argue
it's more appropriate there, but I wish Debian had taken a similar
approach. The marginal amount of testing needed for one more release is
not large (clamav and the related packages generally have little or no
divergence from their Debian counterparts).

Scott K
Scott Kitterman
Re: [volatile] Updated clamav-related packages available for testing
On Thu, Apr 15, 2010 at 02:29:58PM -0600, Jason Kolpin wrote:
> seem to simply refuse to work with. I fail to understand this, and I'm
> no genius but there must be a way for the entire Debian team to figure
> some sort of elegant, permanent, and secure solution to this whole thing
> instead of patching it with bubble gum and baling wire every time this
> link in the chain breaks. I mean really, the developers must realize
> that some things in this technical world change too fast for inclusion
> in the standard repositories yet these packages are something no
> publicly facing machine should do without.

deb http://volatile.debian.net/debian-volatile lenny/volatile main

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1d084ac0-48d3-11df-9b6a-001cc0cda...@msgid.mathom.us
Re: [volatile] Updated clamav-related packages available for testing
As a user of this software in production environments and a long time
Debian user at various levels I must admit this Clamav issue is simply a
pain. It seems like this whole issue has lasted years now in many various
forms and it is frustrating when you are relying on a piece of software
to do a certain task and one day it just stops updating or even working.
Sure there are other options including commercial stuff but we all know
how that goes when trying to stick to the Debian way of doing things, this
required lib isn't in stable, that one is only available in unstable
which has no security stuff happening etc., etc. Although I LOVE the
Debian security model, it seems even after years of a stable methodology,
the world STILL seems to think production servers should use bleeding
edge software that has had no time for maturity/security to set in and
the one distribution that understands this concept, folks seem to simply
refuse to work with. I fail to understand this, and I'm no genius but
there must be a way for the entire Debian team to figure some sort of
elegant, permanent, and secure solution to this whole thing instead of
patching it with bubble gum and baling wire every time this link in the
chain breaks. I mean really, the developers must realize that some things
in this technical world change too fast for inclusion in the standard
repositories yet these packages are something no publicly facing machine
should do without. I would hope the Debian Security team realizes that
lacking this type of software is a huge security risk within itself in
some situations. Granted we have to do what we have to do, but there must
be some sort of solid STABLE middle ground available which everyone can
stand upon. Just my 2 cents from a different perspective with no
intentions of belittling or offending anyone.

Jason Kolpin

Adam D. Barratt wrote:
> On Thu, 2010-04-15 at 20:58 +0200, Kurt Roeckx wrote:
>> On Wed, Apr 14, 2010 at 10:35:41PM +0100, Adam D. Barratt wrote:
>>> The clamav project have announced that they will be publishing a
>>> specially formed virus signature which disables older versions of the
>>> software, including the version in lenny. If you have not yet migrated
>>> to using the volatile packages, now would be a good time to do so. :-)
>>
>> What does this mean exactly? Will it now tell that everything is
>> not a virus, even for things that it used to be able to detect?
>
> That doesn't seem particularly easy to determine from the announcements
> provided by upstream, unless I'm looking in the wrong places; the
> wording I used was very much based on their EOL announcement. I've CCed
> the package maintainers in the hope that they might have more of an
> insight.
>
>> What about providing a working version in stable-security and/or
>> proposed-updates before that happens?
>
> The security team have already indicated that they're unwilling to
> support the stable versions of clamav and directed users towards
> volatile instead - see
> http://lists.debian.org/debian-security-announce/2009/msg00228.html
>
> Many people are unwilling to use packages from p-u that haven't been
> officially released as part of a point release so that doesn't
> necessarily help the situation much; it would also break all of the
> reverse-dependencies in stable. Looking at including the volatile
> versions of the r-deps as well would be a possibility, but to my
> knowledge we don't yet have any reports of success, or otherwise, using
> those packages.
>
> Regards,
>
> Adam

Archive: http://lists.debian.org/4bc77746.30...@ncat.org
Re: [volatile] Updated clamav-related packages available for testing
On 2010-04-15 22:49, Adam D. Barratt wrote:
> On Thu, 2010-04-15 at 20:58 +0200, Kurt Roeckx wrote:
>> On Wed, Apr 14, 2010 at 10:35:41PM +0100, Adam D. Barratt wrote:
>>> The clamav project have announced that they will be publishing a
>>> specially formed virus signature which disables older versions of the
>>> software, including the version in lenny. If you have not yet migrated
>>> to using the volatile packages, now would be a good time to do so. :-)
>>
>> What does this mean exactly? Will it now tell that everything is
>> not a virus, even for things that it used to be able to detect?
>
> That doesn't seem particularly easy to determine from the announcements
> provided by upstream, unless I'm looking in the wrong places; the
> wording I used was very much based on their EOL announcement.

Run freshclam and you'll see. clamd 0.94.2 says:

LibClamAV Warning: ***
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***
LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has reached End of Life! Please upgrade to version 0.95 or later. For more information see www.clamav.net/eol-clamav-094 and www.clamav.net/download (length: 169)
LibClamAV Error: Problem parsing database at line 742

Best regards,
--Edwin

Archive: http://lists.debian.org/4bc77142.5030...@gmail.com
Re: [volatile] Updated clamav-related packages available for testing
Kurt Roeckx wrote ..
> What does this mean exactly?

It means that versions older than 0.95 will be remotely disabled by the
ClamAV folks once your copy of ClamAV gets the CVD update that includes
what I like to call the special "self-destruct" code. :)

It means that you need to be running at least version 0.95 of ClamAV, and
preferably always the latest & greatest version, to be protected. Outdated
anti-virus software is not effective.
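Edwin's clamd 0.94.2 output and Jason Self's description of the CVD "self-destruct" signature together describe what an operator actually sees when an EOL engine is switched off: the engine keeps running, but the database no longer parses, so no new signatures load. The following script, added here and not part of the thread or of the ClamAV project, turns those two signals into a monitoring check: it parses the engine version from a banner and scans log lines for the markers Edwin posted. The `clamscan --version` banner format, the sample inputs and the function names are my assumptions, and the log lines are constructed from the thread (shortened).

```python
import re

# Minimum engine version named in the upstream EOL announcement quoted in this thread.
MIN_VERSION = (0, 95)

# Markers taken from the clamd 0.94.2 output Edwin posted in this thread.
EOL_MARKERS = (
    "This version of the ClamAV engine is outdated",
    "This ClamAV version has reached End of Life",
    "Malformed hexstring",
    "Problem parsing database",
)

# Constructed sample input: the log lines from the thread (shortened) plus an
# assumed `clamscan --version` style banner for an engine that is past EOL.
SAMPLE_BANNER = "ClamAV 0.94.2/10817/Thu Apr 15 08:38:06 2010"
SAMPLE_LOG = [
    "LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***",
    "LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***",
    "LibClamAV Error: cli_hex2str(): Malformed hexstring: This ClamAV version has "
    "reached End of Life! Please upgrade to version 0.95 or later. (length: 169)",
    "LibClamAV Error: Problem parsing database at line 742",
]

def parse_version(banner):
    """Return (major, minor, patch) from a banner like 'ClamAV 0.94.2/...', else None."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def engine_is_eol(version):
    """True when the engine predates 0.95; the patch level does not matter."""
    return version[:2] < MIN_VERSION

def scan_log(lines):
    """Return the EOL markers present in the log lines, in EOL_MARKERS order."""
    return [marker for marker in EOL_MARKERS if any(marker in line for line in lines)]

def assess(banner, lines):
    """Verdict: DISABLED if the kill signature already broke database loading,
    EOL if the engine is merely too old, OK otherwise."""
    version = parse_version(banner)
    markers = scan_log(lines)
    disabled = "Problem parsing database" in markers or "Malformed hexstring" in markers
    if disabled:
        status = "DISABLED"
    elif version is not None and engine_is_eol(version):
        status = "EOL"
    else:
        status = "OK"
    return {"version": version, "status": status, "markers": markers}

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_LOG))
```

An engine that reports EOL but still parses its database is the case Adam and David Raab discuss: it scans, but with a frozen signature set, so the check treats that as a warning rather than a pass.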
Re: [volatile] Updated clamav-related packages available for testing
On Thu, Apr 15, 2010 at 12:52:47PM -0700, Jason Self wrote:
> Kurt Roeckx wrote ..
>> What does this mean exactly?
>
> It means that versions older than 0.95 will be remotely disabled by the
> ClamAV folks once your copy of ClamAV gets the CVD update that includes
> what I like to call the special "self-destruct" code. :)
>
> It means that you need to be running at least version 0.95 of ClamAV,
> and preferably always the latest & greatest version, to be protected.
> Outdated anti-virus software is not effective.

I forgot about DSA 1906 in October which basically already announced it.

Kurt

Archive: http://lists.debian.org/20100415201641.ga...@roeckx.be
Re: [volatile] Updated clamav-related packages available for testing
On Thu, 2010-04-15 at 20:58 +0200, Kurt Roeckx wrote:
> On Wed, Apr 14, 2010 at 10:35:41PM +0100, Adam D. Barratt wrote:
>>
>> The clamav project have announced that they will be publishing a
>> specially formed virus signature which disables older versions of the
>> software, including the version in lenny. If you have not yet migrated
>> to using the volatile packages, now would be a good time to do so. :-)
>
> What does this mean exactly? Will it now tell that everything is
> not a virus, even for things that it used to be able to detect?

That doesn't seem particularly easy to determine from the announcements
provided by upstream, unless I'm looking in the wrong places; the wording
I used was very much based on their EOL announcement. I've CCed the
package maintainers in the hope that they might have more of an insight.

> What about providing a working version in stable-security and/or
> proposed-updates before that happens?

The security team have already indicated that they're unwilling to
support the stable versions of clamav and directed users towards volatile
instead - see
http://lists.debian.org/debian-security-announce/2009/msg00228.html

Many people are unwilling to use packages from p-u that haven't been
officially released as part of a point release so that doesn't
necessarily help the situation much; it would also break all of the
reverse-dependencies in stable. Looking at including the volatile
versions of the r-deps as well would be a possibility, but to my
knowledge we don't yet have any reports of success, or otherwise, using
those packages.

Regards,

Adam

Archive: http://lists.debian.org/1271360986.25792.1476.ca...@kaa.jungle.aubergine.my-net-space.net
Re: [volatile] Updated clamav-related packages available for testing
On Wed, Apr 14, 2010 at 10:35:41PM +0100, Adam D. Barratt wrote:
>
> The clamav project have announced that they will be publishing a
> specially formed virus signature which disables older versions of the
> software, including the version in lenny. If you have not yet migrated
> to using the volatile packages, now would be a good time to do so. :-)

What does this mean exactly? Will it now tell that everything is
not a virus, even for things that it used to be able to detect?

What about providing a working version in stable-security and/or
proposed-updates before that happens?

Kurt

Archive: http://lists.debian.org/20100415185846.ga32...@roeckx.be
Re: [volatile] Updated clamav-related packages available for testing
On Thu, April 15, 2010 15:50, Santiago Vila wrote:
> http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/
>
> "Starting from 15 April 2010 our CVD will contain a special signature
> which disables all clamd installations older than 0.95 - that is to
> say older than 1 year"
>
> Please tell me that "Disables the ability of older versions of the
> software to receive virus signature updates" is not the same as
> "Disables older versions of the software [completely]".

The wording of the upstream announcement implies that the software would
be disabled but I have to admit to not being entirely sure whether that's
what was meant or purely the disabling of signature updates (although, as
a later post mentioned, even if the engine works it will be increasingly
unuseful).

Adam

Archive: http://lists.debian.org/afc607e7e497f36ec8063a6f68729676.squir...@adsl.funky-badger.org
Re: [volatile] Updated clamav-related packages available for testing
On 04/15/2010 04:50 PM, Santiago Vila wrote:

With "clamscan" I can still scan files, but it now prints

LibClamAV Warning: ***
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***

The same message appears in the boot process. But probably you can't
upgrade virus patterns anymore, and a virus scanner without new patterns
is a little bit worthless.

Archive: http://lists.debian.org/4bc72908.60...@david-raab.de
Re: [volatile] Updated clamav-related packages available for testing
On Wed, 14 Apr 2010, Adam D. Barratt wrote:
> The clamav project have announced that they will be publishing a
> specially formed virus signature which disables older versions of the
> software, including the version in lenny.

Ok, this is the official announcement:

http://www.clamav.net/lang/en/2009/10/05/eol-clamav-094/

"Starting from 15 April 2010 our CVD will contain a special signature
which disables all clamd installations older than 0.95 - that is to
say older than 1 year"

Please tell me that "Disables the ability of older versions of the
software to receive virus signature updates" is not the same as
"Disables older versions of the software [completely]".

Thanks.

Archive: http://lists.debian.org/alpine.deb.1.10.1004151645040.21...@kolmogorov.unex.es
Re: [volatile] Updated clamav-related packages available for testing
On Wed, 14 Apr 2010, Adam D. Barratt wrote:
> [reply-to set to -volatile]

Sorry, not subscribed to volatile. Moreover, this reply is about Debian
releasing clamav in its current state at all, be it in volatile or in
another section/repository.

> The clamav project have announced that they will be publishing a
> specially formed virus signature which disables older versions of the
> software, including the version in lenny.

What? Do we release software which may be "disabled" remotely?
Seems like a DRM system. Is this acceptable for Debian at all?

Archive: http://lists.debian.org/alpine.deb.1.10.1004151627160.21...@kolmogorov.unex.es
Bug#573486: RM: emacs22/22.3+1-1.2
Sven Joachim writes:
> It's not so easy since there are a few packages which would be broken:
...
> Note that this comes from xemacs21 not being in testing; the xemacs21
> maintainer's lack of response to RC bugs suggests that maybe it will not
> be released with squeeze.

Yesterday xemacs21 entered testing again, which makes those packages
usable with xemacs21 and without emacs22, so maybe emacs22 can now be
removed from testing.

--
Tommi Vainikainen

Archive: http://lists.debian.org/87ochlcfim@thv.iki.fi