[Pkg-clamav-devel] LTS update of clamav and call for advice

Ola Lundqvist ola at inguza.com
Thu Apr 4 05:42:41 BST 2019


Great! Thank you.

Sent from a phone

On Mon 1 Apr 2019 15:13, Scott Kitterman <debian at kitterman.com> wrote:

> I believe you've misunderstood.
>
> The version in stable is 0.100.3 and does not have a soname bump (nor does
> it need one).  You should be able to update the LTS with that package with
> little more (maybe no more) than an updated changelog.
>
> Scott K
>
> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> > Hi Scott and LTS team
> >
> > Thank you. I'll see if I can backport the required fixes. That may solve
> > the library issue.
> >
> > Alternatively we state that clamav is not supported. Maybe someone in the
> > LTS team can advise on that.
> >
> > Best regards
> >
> > // Ola
> >
> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman <debian at kitterman.com> wrote:
> > > Comments inline.
> > >
> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > > Hi
> > > >
> > > > I forgot to include the clamav maintainers. Sorry about that.
> > > >
> > > > // Ola
> > > >
> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <ola at inguza.com> wrote:
> > > > > Dear maintainers, LTS team and Debian Security team
> > > > >
> > > > > I have started to look at the clamav package update due to
> > > > > CVE-2019-1787
> > > > > CVE-2019-1788
> > > > > CVE-2019-1789
> > > > > (the other three vulnerabilities are not affecting jessie or stretch
> > > > > as I understand it)
> > >
> > > That's correct.
> > >
> > > > > I have understood that the clamav package is typically updated to the
> > > > > latest version also in stable and oldstable. However when doing so I
> > > > > encountered quite a few things that I would like to ask your advice on.
> > > > >
> > > > > First of all to the maintainers. Do you want to handle also LTS
> > > > > (oldstable) and regular security (stable) upload of clamav?
> > >
> > > Stable is already done through stable proposed updates (which is the
> > > normal path for clamav).  We leave the LTS releases to the LTS team.
> > > Base your work on what's in stable.
> > >
> > > > > Question to maintainers and Security team. Should we synchronize the
> > > > > efforts here and have you already started on the stable update?
> > > > >
> > > > > If not I have a few questions:
> > > > > 1) Do you know the binary compatibility between libclamav7 and
> > > > > libclamav9?  I have noticed that the package in sid produces
> > > > > libclamav9 while the one in jessie provides libclamav7. Do you think
> > > > > this can be an issue?
> > >
> > > Yes.  It's guaranteed to be an issue.  We have a stable transition
> > > prepared and will do it (once the srm blesses) after the next point
> > > release in April.
> > > Note that the security team doesn't support clamav.
> > >
> > > > > 2) Do you think backporting the package in sid is better than simply
> > > > > updating to the latest upstream while keeping most scripts in
> > > > > oldstable? I had to copy over the split-archive.sh to be able to
> > > > > generate a proper orig tarball.
> > >
> > > No.  Use what's in stable proposed updates.
> > >
> > > > > - I personally think the package in sid has a few too many updates to
> > > > > make that safe, especially since it produces new library packages.
> > >
> > > Agreed.  That would definitely be a bad idea.
> > >
> > > > > - On the other hand, I had to do some modifications already to allow
> > > > > the package to be generated and I have not even started building yet.
> > > > > There may be many fixes needed to make this package work in oldstable...
> > >
> > > I suspect that what's in stable will work in oldstable, but I haven't
> > > tried it.  It'll certainly take less work than what's in sid.
> > >
> > > > > I guess we cannot generate new library package version, or?
> > >
> > > Generally one does not, but for clamav you kind of have to at some point.
> > > Note that for libclamav7 -> libclamav9 there are also API changes, so
> > > libclamav-dev reverse build-depends need patching in addition to
> > > rebuilding.  Once we've done that in stable, it should be easy enough to
> > > adapt for oldstable when the time comes.  Don't worry about it now.
> > >
> > > Scott K
>
>