[Pkg-clamav-devel] Test request Re: LTS update of clamav and call for advice

Ola Lundqvist ola at inguza.com
Mon Apr 15 22:25:39 BST 2019 

Hi

Great

Updated packages are now available on
https://apt.inguza.net/jessie-security/clamav

Testing is much appreciated since I have limited experience of clamav
myself.

I can test that the package installs properly but I'm not sure I can
regression test it properly myself.

Anyone who knows how to regression test it properly?

Best regards

// Ola


On Mon, 15 Apr 2019 at 23:16, Scott Kitterman <debian at kitterman.com> wrote:

> That sounds like the right approach.
>
> Scott K
>
> On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> > Hi again
> >
> > I have now compared the 0.100.2 version in stretch to the version 0.100.3
> > in stretch updates.
> > I can then see that most of the changes that I'm worried about is not
> > included.
> >
> > This means that I will take the .orig file and include a sub-set of the
> > updates.
> > The remaining updates will be:
> > - Symbol updates (unavoidable I think).
> > - Copyright update (not sure if it is necessary but I'll include it
> anyway)
> >
> > The rest will not be updated.
> >
> > Best regards
> >
> > // Ola
> >
> > On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist <ola at inguza.com> wrote:
> > > Hi Scott
> > >
> > > I have now walked through the difference in the debian directories
> between
> > > the version in jessie and stretch updates.
> > > I think there is more work than just a simple changelog update.
> > >
> > > 1) The changelog file contain a lot of changes. I wonder how we
> generally
> > > should it. If I backport a package from current stable should I keep
> that
> > > changelog and just add one entry or should I pretent that the jessie
> > > version still apply and add one entry from that one... Not sure myself.
> > > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and
> a
> > > patch introduced to not depend on it
> > > 3) Config file moved
> > > from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> > > to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > > 4) Changes in postinst. Not sure if it is backwards compatible or not
> yet.
> > > Preliminary not.
> > > 5) Debhelper compat updated. Should be ok.
> > > 6) Build dependency changes.
> > > 7) clamav-dbg package no longer provided
> > > 8) so files moved from /usr/lib/libclamav.so to
> /usr/lib/xxx/libclamav.so
> > > and pkgconfig moved accordingly.
> > > 9) Support for llvm introduced. Should probably be ok.
> > > 10) A LOT of symbols changed. They are delared private so it should be
> ok.
> > > But you never know.
> > >
> > > It would be helpful if you can help me judge if any of the above means
> > > backwards incompatibility.
> > >
> > > I'm most worried about the following:
> > > - Socket change
> > > - Config file change
> > > - Postinst change
> > > - clamav-dbg
> > > - Symbol changes
> > >
> > > Thank you in advance
> > >
> > > // Ola
> > >
> > > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman <debian at kitterman.com>
> wrote:
> > >> I believe you've misunderstood.
> > >>
> > >> The version in stable is 0.100.3 and does not have a soname bump (nor
> > >> does it
> > >> need one).  You should be able to update the LTS with that package
> with
> > >> little
> > >> more (maybe no more) than an updated changelog.
> > >>
> > >> Scott K
> > >>
> > >> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> > >> > Hi Scott and LTS team
> > >> >
> > >> > Thank you. I'll see if I can backport the required fixes. That may
> > >> > solve
> > >> > the library issue.
> > >> >
> > >> > Alternatively we state that clamav is not supported. Maybe someone
> in
> > >>
> > >> the
> > >>
> > >> > LTS team can advice on that.
> > >> >
> > >> > Best regards
> > >> >
> > >> > // Ola
> > >> >
> > >> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman <debian at kitterman.com
> >
> > >>
> > >> wrote:
> > >> > > Comments inline.
> > >> > >
> > >> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > >> > > > Hi
> > >> > > >
> > >> > > > I missed to include the clamav maintainers. Sorry about that.
> > >> > > >
> > >> > > > // Ola
> > >> > > >
> > >> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <ola at inguza.com>
> wrote:
> > >> > > > > Dear maintainers, LTS team and Debian Secutiry team
> > >> > > > >
> > >> > > > > I have started to look at the clamav package update due to
> > >> > > > > CVE-2019-1787
> > >> > > > > CVE-2019-1788
> > >> > > > > CVE-2019-1789
> > >> > > > > (the other three vulnerabilities are not affecting jessie or
> > >>
> > >> stretch
> > >>
> > >> > > as I
> > >> > >
> > >> > > > > understand it)
> > >> > >
> > >> > > That's correct.
> > >> > >
> > >> > > > > I have understood that the clamav package is typically
> updated to
> > >>
> > >> the
> > >>
> > >> > > > > latest version also in stable and oldstable. However when
> doing
> > >>
> > >> so I
> > >>
> > >> > > > > encountered quite a few things that I would like to ask your
> > >>
> > >> advice
> > >>
> > >> > > > > on.
> > >> > > > >
> > >> > > > > First of all to the maintainers. Do you want to handle also
> LTS
> > >> > > > > (oldstable) and regular security (stable) upload of clamav?
> > >> > >
> > >> > > Stable is already done through stable proposed updates (which is
> the
> > >> > > normal
> > >> > > path for clamav).  We leave the LTS releases to the LTS team.
> Base
> > >>
> > >> your
> > >>
> > >> > > work
> > >> > > on what's in stable.
> > >> > >
> > >> > > > > Question to maintainers and Security team. Should we
> synchronize
> > >>
> > >> the
> > >>
> > >> > > > > efforts here and have you already started on the stable
> update?
> > >> > > > >
> > >> > > > > If not I have a few questions:
> > >> > > > > 1) Do you know the binary compatibility between libclamav7 and
> > >> > >
> > >> > > libclamav9?
> > >> > >
> > >> > > > >  I have noticed that the package in sid produces libclamav9
> while
> > >>
> > >> the
> > >>
> > >> > > one
> > >> > >
> > >> > > > > in jessie provides libclamav7. Do you think this can be an
> issue?
> > >> > >
> > >> > > Yes.  It's guaranteed to be an issue.  We have a stable transition
> > >> > > prepared
> > >> > > and will do it (once the srm blesses) after the next point
> release in
> > >> > > April.
> > >> > > Note that the security team doesn't support clamav.
> > >> > >
> > >> > > > > 2) Do you think backporting the package in sid is better than
> > >>
> > >> simply
> > >>
> > >> > > > > updating to the latest upstream while keeping most scripts in
> > >> > >
> > >> > > oldstable? I
> > >> > >
> > >> > > > > had to copy over the split-archive.sh to be able to generate a
> > >>
> > >> proper
> > >>
> > >> > > orig
> > >> > >
> > >> > > > > tarball.
> > >> > >
> > >> > > No.  Use what's in stable proposed updates.
> > >> > >
> > >> > > > > - I personally think the package in sid have a little too much
> > >>
> > >> updates
> > >>
> > >> > > to
> > >> > >
> > >> > > > > make that safe, especially since it produces new library
> > >> > > > > packages.
> > >> > >
> > >> > > Agreed.  That would definitely be a bad idea.
> > >> > >
> > >> > > > > - On the other hand, I had to do some modifications already to
> > >>
> > >> make
> > >>
> > >> > > allow
> > >> > >
> > >> > > > > the package to be generated and I have not even started
> building
> > >>
> > >> yet.
> > >>
> > >> > > > > There
> > >> > > > > may be many fixes needed to make this package work in
> > >> > > > > oldstable...
> > >> > >
> > >> > > I suspect that what's in stable will work in oldstable, but I
> haven't
> > >> > > tried
> > >> > > it.  It'll certainly take less work than what's in sid.
> > >> > >
> > >> > > > > I guess we cannot generate new library package version, or?
> > >> > >
> > >> > > Generally one does not, but for clamav you kind of have to at some
> > >>
> > >> point.
> > >>
> > >> > > Note that for libclamav7 -> libclamav9 there are also API
> changes, so
> > >> > > libclamav-dev reverse builld-depends need patching in addition to
> > >> > > rebuilding.
> > >> > > Once we've done that in stable, it should be easy enough to adapt
> for
> > >> > > oldstable when the time comes.  Don't worry about it now.
> > >> > >
> > >> > > Scott K
> > >
> > > --
> > >
> > >  --- Inguza Technology AB --- MSc in Information Technology ----
> > >
> > > |  ola at inguza.com                    opal at debian.org            |
> > > |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> > >
> > >  ---------------------------------------------------------------
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola at inguza.com                    opal at debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-clamav-devel/attachments/20190415/719270d8/attachment-0001.html>

More information about the Pkg-clamav-devel mailing list