[Pkg-clamav-devel] Bug#1063476: the sanesecurity configuration is not suitable for a release

Scott Kitterman debian at kitterman.com
Sat Feb 17 18:05:01 GMT 2024


On Fri, 16 Feb 2024 09:17:40 -0500 Scott Kitterman <debian at kitterman.com> 
wrote:
> On Thu, 8 Feb 2024 19:35:50 +0100 Marco d'Itri <md at linux.it> wrote:
> > Source: fangfrisch
> > Version: 1.7.0-1
> > Severity: grave
> > Tags: upstream
> > 
> > Control: forwarded -1 https://github.com/rseichter/fangfrisch/issues/30
> > 
> > The sanesecurity section of default configuration, if enabled, relies on 
> > an unofficial HTTP mirror which is seriously overloaded and probably 
> > seriously expensive for their operators, since it is located in 
> > Australia.
> > The only other known HTTP mirror is mentioned on 
> > https://wiki.gentoo.org/wiki/ClamAV_Unofficial_Signatures, with a vague 
> > note about it being available to the public.
> > 
> > Until fangfrisch will implement rsync support, I do not think that it is 
> > safe to include fangfrisch in a Debian release due to the possible 
> > effect on unsuspecting third party mirrors.
> > 
> > This has also been discussed upstream:
> > https://github.com/rseichter/fangfrisch/issues/30
> 
> I don't know that I'd call this fixed upstream, since the package is not 
> directly using rsync, but the fact that he's now rsyncing from sanesecurity 
> and running his own mirror (the only person he can DoS is himself) is 
> progress.
> 
> If we update to 1.8.0, I don't think we should mark this bug done, but it 
> might be reasonable to change the severity to Important.  What do you think?

Upon further reflection, I'm going to mark this as done in 1.8.0.  The specific 
issue raised in the bug is resolved.  Direct support for rsync would be 
better, but I think we've cleared this particular hurdle for releasability.

Scott K