Hi Eric, On Wed, Mar 14, 2007 at 07:06:25AM -0600, Eric Krieger wrote: > Why is clamav not being maintained for all ubuntu versions (at least > back to Dapper LTS)? Some of us actually use clamav in a production > enviroment in conjuntion with spam filtering.
No one (that I've seen) has stepped up to take ownership of clamav. I do, however, try to make time to release security updates for it, since I recognize that a lot of people use it and I don't want to leave them vulnerable. (Lacking new features in a virus scanner, however, could be seen as "vulnerable" too -- that's true. Regardless, it doesn't change the need for performing lots of testing on updates.) Normally for security updates, we don't do full-version upgrades of software since there may be unintended breakage. Security updates (which don't change the base version number) have been ongoing, though, which you can see, for example, in the Dapper changelog[1]. From that, you can also see that backports have happened at times. Usually those need to be explicitly requested (and tested). The best situation would be to have clamav go through a full SRU[2]. > WARNING: Your ClamAV installation is OUTDATED! > WARNING: Local version: 0.88.4 Recommended version: 0.90.1 > WARNING: Your ClamAV installation is OUTDATED! > WARNING: Current functionality level = 8, recommended = 14 So, to recap, I see three things that are possible for clamav: 1) let it age without security updates (ugly) 2) let it age, but backport security updates (middle-ground) 3) always have the latest version (wonderful) Right now I've been treating clamav as "regular" software, and have just been backporting security flaws -- I built some simple tests to do validation, so it doesn't take much time to do basic tests. Doing full-version upgrades will require more testing (e.g. did the library or unix-socket interfaces change?) before it gets published. What's needed to get us to "3" is someone to update the package, file an SRU, and then follow it through the SRU testing process. I'm happy to help test (I use clamav myself), but I don't have the time to drive the process at the moment. Would you be willing to help out with the SRUs? Thanks, -Kees [1] https://launchpad.net/ubuntu/dapper/+source/clamav/+changelog [2] https://wiki.ubuntu.com/StableReleaseUpdates -- Kees Cook
signature.asc
Description: Digital signature
-- Ubuntu-motu mailing list Ubuntu-motu@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
