[Pkg-clamav-devel] The future of clamav wrt. stable/volatile

Michael Tautschnig mt at debian.org
Sun Jan 25 14:13:29 UTC 2009


Dear Release Team,

In the clamav packaging team we had recurring discussions about how to deal with
clamav in the near (== lenny) and more distant (>= squeeze) future. The current
situation is as follows:

- We've got severely outdated clamav packages in etch(-security).
- A few packages depend on clamav; those depends are not necessarily versioned.
- Any sensible use of clamav requires the packages from volatile to be able to
  handle all features of upstream's current signature database.
- We've had 16 security updates since the release of etch, which constantly
  required backporting of upstream's fixes that were included in the volatile
  releases.

We could of course continue this game of telling users that nothing but the
clamav from volatile is what one should use on production systems, but maybe
there are other options as well. Let me see what options we have:

- Stick with the current scheme. Possible, but neither user- nor
  maintainer-friendly.
- Move clamav to volatile only. This would, however, also require that all
  depending packages go to volatile, even if the depends are unversioned.
- Do fairly large updates (i.e., possibly new major versions) through
  stable-proposed-updates.
- ???

We don't necessarily seek a solution for lenny, but would like to start a
discussion and receive some comments from people involved in release management
to see which further options we have, or which of the proposed are acceptable.

Thanks,
Michael

PS.: Please keep the pkg-clamav-devel list CC'ed for other clamav devs to chime
in.

