[Pkg-clamav-devel] Test request Re: LTS update of clamav and call for advice

Scott Kitterman debian at kitterman.com
Mon Apr 15 22:40:06 BST 2019


Dropped the security team from the cc.

install clamav-daemon and clamav-testfiles and then use clamdscan to scan 
them:

$ clamdscan /usr/share/clamav-testfiles/clam*

The unrar test files will come up as not infected unless you also install 
libclamunrar7 from non-free.  That's normal.

Scott K

On Monday, April 15, 2019 11:25:39 PM Ola Lundqvist wrote:
> Hi
> 
> Great
> 
> Updated packages are now available on
> https://apt.inguza.net/jessie-security/clamav
> 
> Testing is much appreciated since I have limited experience of clamav
> myself.
> 
> I can test that the package installs properly but I'm not sure I can
> regression test it properly myself.
> 
> Anyone who knows how to regression test it properly?
> 
> Best regards
> 
> // Ola
> 
> On Mon, 15 Apr 2019 at 23:16, Scott Kitterman <debian at kitterman.com> wrote:
> > That sounds like the right approach.
> > 
> > Scott K
> > 
> > On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> > > Hi again
> > > 
> > > I have now compared the 0.100.2 version in stretch to the version 0.100.3
> > > in stretch updates.
> > > I can then see that most of the changes that I'm worried about are not
> > > included.
> > > 
> > > This means that I will take the .orig file and include a sub-set of the
> > > updates.
> > > The remaining updates will be:
> > > - Symbol updates (unavoidable I think).
> > > - Copyright update (not sure if it is necessary but I'll include it anyway)
> > > The rest will not be updated.
> > > 
> > > Best regards
> > > 
> > > // Ola
> > > 
> > > On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist <ola at inguza.com> wrote:
> > > > Hi Scott
> > > > 
> > > > I have now walked through the difference in the debian directories between
> > > > the version in jessie and stretch updates.
> > > > I think there is more work than just a simple changelog update.
> > > > 
> > > > 1) The changelog file contains a lot of changes. I wonder how we generally
> > > > should it. If I backport a package from current stable should I keep that
> > > > changelog and just add one entry or should I pretend that the jessie
> > > > version still applies and add one entry from that one... Not sure
> > > > myself.
> > > > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a
> > > > patch introduced to not depend on it
> > > > 3) Config file moved
> > > > from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> > > > to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > > > 4) Changes in postinst. Not sure if it is backwards compatible or not yet.
> > > > Preliminary not.
> > > > 5) Debhelper compat updated. Should be ok.
> > > > 6) Build dependency changes.
> > > > 7) clamav-dbg package no longer provided
> > > > 8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so
> > > > and pkgconfig moved accordingly.
> > > > 9) Support for llvm introduced. Should probably be ok.
> > > > 10) A LOT of symbols changed. They are declared private so it should be ok.
> > > > But you never know.
> > > > 
> > > > It would be helpful if you can help me judge if any of the above means
> > > > backwards incompatibility.
> > > > 
> > > > I'm most worried about the following:
> > > > - Socket change
> > > > - Config file change
> > > > - Postinst change
> > > > - clamav-dbg
> > > > - Symbol changes
> > > > 
> > > > Thank you in advance
> > > > 
> > > > // Ola
> > > > 
> > > > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman <debian at kitterman.com> wrote:
> > > >> I believe you've misunderstood.
> > > >> 
> > > >> The version in stable is 0.100.3 and does not have a soname bump (nor does it
> > > >> need one).  You should be able to update the LTS with that package with little
> > > >> more (maybe no more) than an updated changelog.
> > > >> 
> > > >> Scott K
> > > >> 
> > > >> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> > > >> > Hi Scott and LTS team
> > > >> > 
> > > >> > Thank you. I'll see if I can backport the required fixes. That may
> > > >> > solve
> > > >> > the library issue.
> > > >> > 
> > > >> > Alternatively we state that clamav is not supported. Maybe someone in the
> > > >> > LTS team can advise on that.
> > > >> > 
> > > >> > Best regards
> > > >> > 
> > > >> > // Ola
> > > >> > 
> > > >> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman <debian at kitterman.com> wrote:
> > > >> > > Comments inline.
> > > >> > > 
> > > >> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > >> > > > Hi
> > > >> > > > 
> > > >> > > > I missed to include the clamav maintainers. Sorry about that.
> > > >> > > > 
> > > >> > > > // Ola
> > > >> > > > 
> > > >> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <ola at inguza.com> wrote:
> > > >> > > > > Dear maintainers, LTS team and Debian Security team
> > > >> > > > > 
> > > >> > > > > I have started to look at the clamav package update due to
> > > >> > > > > CVE-2019-1787
> > > >> > > > > CVE-2019-1788
> > > >> > > > > CVE-2019-1789
> > > >> > > > > (the other three vulnerabilities are not affecting jessie or stretch as I
> > > >> > > > > understand it)
> > > >> > > 
> > > >> > > That's correct.
> > > >> > > 
> > > >> > > > > I have understood that the clamav package is typically updated to the
> > > >> > > > > latest version also in stable and oldstable. However when doing so I
> > > >> > > > > encountered quite a few things that I would like to ask your advice
> > > >> > > > > on.
> > > >> > > > > 
> > > >> > > > > First of all to the maintainers. Do you want to handle also LTS
> > > >> > > > > (oldstable) and regular security (stable) upload of clamav?
> > > >> > > 
> > > >> > > Stable is already done through stable proposed updates (which is the normal
> > > >> > > path for clamav).  We leave the LTS releases to the LTS team.  Base your work
> > > >> > > on what's in stable.
> > > >> > > 
> > > >> > > > > Question to maintainers and Security team. Should we synchronize the
> > > >> > > > > efforts here and have you already started on the stable update?
> > 
> > > >> > > > > If not I have a few questions:
> > > >> > > > > 1) Do you know the binary compatibility between libclamav7 and libclamav9?
> > > >> > > 
> > > >> > > > > I have noticed that the package in sid produces libclamav9 while the one
> > > >> > > > > in jessie provides libclamav7. Do you think this can be an issue?
> > 
> > > >> > > Yes.  It's guaranteed to be an issue.  We have a stable transition prepared
> > > >> > > and will do it (once the srm blesses) after the next point release in April.
> > > >> > > Note that the security team doesn't support clamav.
> > > >> > > 
> > > >> > > > > 2) Do you think backporting the package in sid is better than simply
> > > >> > > > > updating to the latest upstream while keeping most scripts in oldstable? I
> > > >> > > > > had to copy over the split-archive.sh to be able to generate a proper orig
> > > >> > > > > tarball.
> > > >> > > 
> > > >> > > No.  Use what's in stable proposed updates.
> > > >> > > 
> > > >> > > > > - I personally think the package in sid has a little too many updates to
> > > >> > > > > make that safe, especially since it produces new library packages.
> > > >> > > 
> > > >> > > Agreed.  That would definitely be a bad idea.
> > > >> > > 
> > > >> > > > > - On the other hand, I had to do some modifications already to allow
> > > >> > > > > the package to be generated and I have not even started building yet. There
> > > >> > > > > may be many fixes needed to make this package work in oldstable...
> > > >> > > 
> > > >> > > I suspect that what's in stable will work in oldstable, but I haven't tried
> > > >> > > it.  It'll certainly take less work than what's in sid.
> > > >> > > 
> > > >> > > > > I guess we cannot generate new library package version, or?
> > > >> > > 
> > > >> > > Generally one does not, but for clamav you kind of have to at some point.
> > > >> > > Note that for libclamav7 -> libclamav9 there are also API changes, so
> > > >> > > libclamav-dev reverse build-depends need patching in addition to
> > > >> > > rebuilding.
> > > >> > > Once we've done that in stable, it should be easy enough to adapt for
> > > >> > > oldstable when the time comes.  Don't worry about it now.
> > > >> > > 
> > > >> > > Scott K
> > > > 
> > > > --
> > > > 
> > > >  --- Inguza Technology AB --- MSc in Information Technology ----
> > > >  
> > > > |  ola at inguza.com                    opal at debian.org            |
> > > > |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> > > >  
> > > >  ---------------------------------------------------------------
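Added example, not code from this thread or from the clamav package: the clamdscan check Scott describes at the top of the thread, turned into a repeatable regression script for a rebuilt package. It requires every clamav-testfiles sample to be reported FOUND and tolerates a clean result only for the rar samples while libclamunrar7 is not installed, which is the behaviour the post describes. Assumptions: the rar samples are the files whose names end in ".rar", and clamdscan prints one "<path>: ... FOUND/OK/ERROR" line per file (its --no-summary option suppresses the trailing summary). Any clamdscan output lines used for checking the script are constructed.

```sh
#!/bin/sh
# Added example (not the thread's or the clamav package's own code): regression
# check for a rebuilt clamav. Every clamav-testfiles sample must be detected,
# except the rar samples, which the post says come up clean unless the
# non-free libclamunrar7 package is installed.

TESTFILES_DIR=/usr/share/clamav-testfiles

# Returns 0 when the non-free unrar module is installed, in which case the
# rar samples must be detected too. The status string is dpkg's own.
unrar_installed() {
    dpkg-query -W -f='${Status}' libclamunrar7 2>/dev/null \
        | grep -q 'install ok installed'
}

# classify_scan: read per-file clamdscan result lines on stdin
# ("<path>: <signature> FOUND", "<path>: OK", "<path>: <reason> ERROR").
# $1 is "yes" when the unrar module is available, "no" otherwise.
# Prints each offending line plus a one-line summary and exits 0 only when
# every sample met its expectation.
classify_scan() {
    awk -v unrar="$1" '
        / OK$/ {
            # A clean rar sample is acceptable only while unrar is missing
            # (assumption: the rar samples are the files named *.rar).
            if (unrar == "no" && $0 ~ /\.rar: OK$/) { skipped++; next }
            print "NOT DETECTED: " $0; bad++; next
        }
        / FOUND$/ { found++; next }
        / ERROR$/ { print "SCAN ERROR: " $0; bad++; next }
        END {
            printf "found=%d skipped_rar=%d failures=%d\n", found, skipped, bad
            exit (bad > 0)
        }'
}

# Run the real scan only when a ClamAV installation is present; the function
# above also works on saved clamdscan output piped into it.
if command -v clamdscan >/dev/null 2>&1 && [ -d "$TESTFILES_DIR" ]; then
    if unrar_installed; then have_unrar=yes; else have_unrar=no; fi
    # clamdscan itself exits 1 whenever anything is found, so the per-file
    # lines are judged instead of its exit status.
    clamdscan --no-summary "$TESTFILES_DIR"/clam* | classify_scan "$have_unrar"
fi
```

Run it on the candidate package after installing clamav-daemon and clamav-testfiles; a non-zero exit means a sample that the previous build detected is now missed or errored, which is exactly the regression a symbol or library-layout change could introduce.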