Hi again

I have now compared the 0.100.2 version in stretch to the version 0.100.3 in stretch updates. I can then see that most of the changes that I'm worried about are not included.
This means that I will take the .orig file and include a sub-set of the updates. The remaining updates will be:
- Symbol updates (unavoidable I think).
- Copyright update (not sure if it is necessary but I'll include it anyway)

The rest will not be updated.

Best regards

// Ola

On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist <o...@inguza.com> wrote:

> Hi Scott
>
> I have now walked through the difference in the debian directories between
> the version in jessie and stretch updates.
> I think there is more work than just a simple changelog update.
>
> 1) The changelog file contains a lot of changes. I wonder how we generally
> should it. If I backport a package from current stable should I keep that
> changelog and just add one entry or should I pretend that the jessie
> version still applies and add one entry from that one... Not sure myself.
> 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a
> patch introduced to not depend on it
> 3) Config file moved
> from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> 4) Changes in postinst. Not sure if it is backwards compatible or not yet.
> Preliminary not.
> 5) Debhelper compat updated. Should be ok.
> 6) Build dependency changes.
> 7) clamav-dbg package no longer provided
> 8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so
> and pkgconfig moved accordingly.
> 9) Support for llvm introduced. Should probably be ok.
> 10) A LOT of symbols changed. They are declared private so it should be ok.
> But you never know.
>
> It would be helpful if you can help me judge if any of the above means
> backwards incompatibility.
>
> I'm most worried about the following:
> - Socket change
> - Config file change
> - Postinst change
> - clamav-dbg
> - Symbol changes
>
> Thank you in advance
>
> // Ola
>
> On Mon, 1 Apr 2019 at 15:13, Scott Kitterman <deb...@kitterman.com> wrote:
>
>> I believe you've misunderstood.
>>
>> The version in stable is 0.100.3 and does not have a soname bump (nor does it
>> need one). You should be able to update the LTS with that package with little
>> more (maybe no more) than an updated changelog.
>>
>> Scott K
>>
>> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
>> > Hi Scott and LTS team
>> >
>> > Thank you. I'll see if I can backport the required fixes. That may solve
>> > the library issue.
>> >
>> > Alternatively we state that clamav is not supported. Maybe someone in the
>> > LTS team can advise on that.
>> >
>> > Best regards
>> >
>> > // Ola
>> >
>> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman <deb...@kitterman.com> wrote:
>> > > Comments inline.
>> > >
>> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
>> > > > Hi
>> > > >
>> > > > I missed to include the clamav maintainers. Sorry about that.
>> > > >
>> > > > // Ola
>> > > >
>> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist <o...@inguza.com> wrote:
>> > > > > Dear maintainers, LTS team and Debian Security team
>> > > > >
>> > > > > I have started to look at the clamav package update due to
>> > > > > CVE-2019-1787
>> > > > > CVE-2019-1788
>> > > > > CVE-2019-1789
>> > > > > (the other three vulnerabilities are not affecting jessie or stretch
>> > > > > as I understand it)
>> > >
>> > > That's correct.
>> > >
>> > > > > I have understood that the clamav package is typically updated to the
>> > > > > latest version also in stable and oldstable. However when doing so I
>> > > > > encountered quite a few things that I would like to ask your advice
>> > > > > on.
>> > > > >
>> > > > > First of all to the maintainers. Do you want to handle also LTS
>> > > > > (oldstable) and regular security (stable) upload of clamav?
>> > >
>> > > Stable is already done through stable proposed updates (which is the normal
>> > > path for clamav). We leave the LTS releases to the LTS team.
>> > > Base your work on what's in stable.
>> > >
>> > > > > Question to maintainers and Security team. Should we synchronize the
>> > > > > efforts here and have you already started on the stable update?
>> > > > >
>> > > > > If not I have a few questions:
>> > > > > 1) Do you know the binary compatibility between libclamav7 and libclamav9?
>> > > > > I have noticed that the package in sid produces libclamav9 while the one
>> > > > > in jessie provides libclamav7. Do you think this can be an issue?
>> > >
>> > > Yes. It's guaranteed to be an issue. We have a stable transition prepared
>> > > and will do it (once the srm blesses) after the next point release in April.
>> > > Note that the security team doesn't support clamav.
>> > >
>> > > > > 2) Do you think backporting the package in sid is better than simply
>> > > > > updating to the latest upstream while keeping most scripts in oldstable? I
>> > > > > had to copy over the split-archive.sh to be able to generate a proper orig
>> > > > > tarball.
>> > >
>> > > No. Use what's in stable proposed updates.
>> > >
>> > > > > - I personally think the package in sid have a little too much updates to
>> > > > > make that safe, especially since it produces new library packages.
>> > >
>> > > Agreed. That would definitely be a bad idea.
>> > >
>> > > > > - On the other hand, I had to do some modifications already to make allow
>> > > > > the package to be generated and I have not even started building yet.
>> > > > > There may be many fixes needed to make this package work in oldstable...
>> > >
>> > > I suspect that what's in stable will work in oldstable, but I haven't tried
>> > > it. It'll certainly take less work than what's in sid.
>> > >
>> > > > > I guess we cannot generate new library package version, or?
>> > >
>> > > Generally one does not, but for clamav you kind of have to at some point.
>> > > Note that for libclamav7 -> libclamav9 there are also API changes, so
>> > > libclamav-dev reverse build-depends need patching in addition to
>> > > rebuilding.
>> > > Once we've done that in stable, it should be easy enough to adapt for
>> > > oldstable when the time comes. Don't worry about it now.
>> > >
>> > > Scott K
>>
>
> --
> --- Inguza Technology AB --- MSc in Information Technology ----
> | o...@inguza.com o...@debian.org |
> | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> ---------------------------------------------------------------
>

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------