[Pkg-clamav-devel] Including 20+ MB of signatures in clamav-base
Scott Kitterman
debian at kitterman.com
Sat Mar 13 04:37:03 UTC 2010
Stephen and I discussed this a bit on IRC today...
To recap, we (Debian and Ubuntu both) both include the main and daily cvd files
in clamav-base. This is, by a large margin, the bulk of the clamav package by
size. A while ago a user filed a bug against the Ubuntu clamav package asking
that it not be shipped:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/460316
I asked upstream (aCaB) their view and he said they originally included it in
the tarball to reduce the load on their update mirrors, but that this had not
been a recent concern.
Stephen (sgran) expressed concern that it's preferred not to have a package
rely on network access to be useful, so even if we stopped including the cvd
files in clamav-base, it would still have to depend on clamav-data and so the
download size (or the size on CD, which is a concern for Ubuntu Server)
wouldn't change significantly.
I've been thinking this over a bit. Whether you're trying to stuff more
packages onto a CD or install a package over a slow internet connection, 20MB
can be a lot.
I think the package description for the clamav binary is very clear that
updates are required for the package to be useful:
"For scanning to work, a virus database is needed. There are two options
for getting it:
- clamav-freshclam: updates the database from Internet. This is
recommended with Internet access.
- clamav-data: for users without Internet access. The package is
not updated once installed. The clamav-getfiles package allows
creating custom packages from an Internet-connected computer."
While I agree that packages ought not require internet access to be useful, I
think that the utility of clamav without updates of some kind is very limited
and so the presence of an initial set of signatures does not materially affect
the utility of the package.
I'd appreciate feedback on this. I don't think dropping the initial signature
files hurts users in any material way and will help users with limited
bandwidth (the shipped cvd file quickly ages and will need a lot of updates, so
it's almost like having to download it twice).
Scott K
More information about the Pkg-clamav-devel
mailing list