[Pkg-clamav-devel] LTS update of clamav and call for advice
Scott Kitterman
debian at kitterman.com
Mon Apr 15 22:16:46 BST 2019
That sounds like the right approach.
Scott K
On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> Hi again
>
> I have now compared the 0.100.2 version in stretch to the version 0.100.3
> in stretch updates.
> I can then see that most of the changes that I'm worried about are not
> included.
>
> This means that I will take the .orig file and include a sub-set of the
> updates.
> The remaining updates will be:
> - Symbol updates (unavoidable I think).
> - Copyright update (not sure if it is necessary but I'll include it anyway)
>
> The rest will not be updated.
>
> Best regards
>
> // Ola
>
> On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist <ola at inguza.com> wrote:
> > Hi Scott
> >
> > I have now walked through the difference in the debian directories between
> > the version in jessie and stretch updates.
> > I think there is more work than just a simple changelog update.
> >
> > 1) The changelog file contains a lot of changes. I wonder how we generally
> > should it. If I backport a package from current stable should I keep that
> > changelog and just add one entry or should I pretend that the jessie
> > version still apply and add one entry from that one... Not sure myself.
> > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a
> > patch introduced to not depend on it
> > 3) Config file moved
> > from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> > to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > 4) Changes in postinst. Not sure if it is backwards compatible or not yet.
> > Preliminary not.
> > 5) Debhelper compat updated. Should be ok.
> > 6) Build dependency changes.
> > 7) clamav-dbg package no longer provided
> > 8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so
> > and pkgconfig moved accordingly.
> > 9) Support for llvm introduced. Should probably be ok.
> > 10) A LOT of symbols changed. They are declared private so it should be ok.
> > But you never know.
> >
> > It would be helpful if you can help me judge if any of the above means
> > backwards incompatibility.
> >
> > I'm most worried about the following:
> > - Socket change
> > - Config file change
> > - Postinst change
> > - clamav-dbg
> > - Symbol changes
> >
> > Thank you in advance
> >
> > // Ola
> >
> > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman <debian at kitterman.com> wrote:
> >> I believe you've misunderstood.
> >>
> >> The version in stable is 0.100.3 and does not have a soname bump (nor does it
> >> need one). You should be able to update the LTS with that package with little
> >> more (maybe no more) than an updated changelog.
> >>
> >> Scott K
> >>
> >> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> >> > Hi Scott and LTS team
> >> >
> >> > Thank you. I'll see if I can backport the required fixes. That may solve
> >> > the library issue.
> >> >
> >> > Alternatively we state that clamav is not supported. Maybe someone in the
> >> > LTS team can advise on that.
> >> >
> >> > Best regards
> >> >
> >> > // Ola
> >> >
> >> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman <debian at kitterman.com> wrote:
> >> > > Comments inline.
> >> > >
> >> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> >> > > > Hi
> >> > > >
> >> > > > I missed to include the clamav maintainers. Sorry about that.
> >> > > >
> >> > > > // Ola
> >> > > >
> >> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <ola at inguza.com> wrote:
> >> > > > > Dear maintainers, LTS team and Debian Security team
> >> > > > >
> >> > > > > I have started to look at the clamav package update due to
> >> > > > > CVE-2019-1787
> >> > > > > CVE-2019-1788
> >> > > > > CVE-2019-1789
> >> > > > > (the other three vulnerabilities are not affecting jessie or stretch as I
> >> > > > > understand it)
> >> > >
> >> > > That's correct.
> >> > >
> >> > > > > I have understood that the clamav package is typically updated to the
> >> > > > > latest version also in stable and oldstable. However when doing so I
> >> > > > > encountered quite a few things that I would like to ask your advice
> >> > > > > on.
> >> > > > >
> >> > > > > First of all to the maintainers. Do you want to handle also LTS
> >> > > > > (oldstable) and regular security (stable) upload of clamav?
> >> > >
> >> > > Stable is already done through stable proposed updates (which is the normal
> >> > > path for clamav). We leave the LTS releases to the LTS team. Base your work
> >> > > on what's in stable.
> >> > >
> >> > > > > Question to maintainers and Security team. Should we synchronize the
> >> > > > > efforts here and have you already started on the stable update?
> >> > > > >
> >> > > > > If not I have a few questions:
> >> > > > > 1) Do you know the binary compatibility between libclamav7 and libclamav9?
> >> > > > > I have noticed that the package in sid produces libclamav9 while the one
> >> > > > > in jessie provides libclamav7. Do you think this can be an issue?
> >> > >
> >> > > Yes. It's guaranteed to be an issue. We have a stable transition prepared
> >> > > and will do it (once the srm blesses) after the next point release in April.
> >> > > Note that the security team doesn't support clamav.
> >> > >
> >> > > > > 2) Do you think backporting the package in sid is better than simply
> >> > > > > updating to the latest upstream while keeping most scripts in oldstable? I
> >> > > > > had to copy over the split-archive.sh to be able to generate a proper orig
> >> > > > > tarball.
> >> > >
> >> > > No. Use what's in stable proposed updates.
> >> > >
> >> > > > > - I personally think the package in sid have a little too much updates to
> >> > > > > make that safe, especially since it produces new library
> >> > > > > packages.
> >> > >
> >> > > Agreed. That would definitely be a bad idea.
> >> > >
> >> > > > > - On the other hand, I had to do some modifications already to make allow
> >> > > > > the package to be generated and I have not even started building yet.
> >> > > > > There may be many fixes needed to make this package work in
> >> > > > > oldstable...
> >> > >
> >> > > I suspect that what's in stable will work in oldstable, but I haven't tried
> >> > > it. It'll certainly take less work than what's in sid.
> >> > >
> >> > > > > I guess we cannot generate new library package version, or?
> >> > >
> >> > > Generally one does not, but for clamav you kind of have to at some point.
> >> > > Note that for libclamav7 -> libclamav9 there are also API changes, so
> >> > > libclamav-dev reverse build-depends need patching in addition to
> >> > > rebuilding.
> >> > > Once we've done that in stable, it should be easy enough to adapt for
> >> > > oldstable when the time comes. Don't worry about it now.
> >> > >
> >> > > Scott K
> >
> > --
> >
> > --- Inguza Technology AB --- MSc in Information Technology ----
> >
> > | ola at inguza.com opal at debian.org |
> > | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> >
> > ---------------------------------------------------------------