On Mon, 2007-07-23 at 14:58 +0100, Stephen Gran wrote: > This one time, at band camp, Jim Popovitch said: > > On Mon, 2007-07-23 at 10:26 +0100, Stephen Gran wrote: > > > This one time, at band camp, Javier Amor García said: > > > > Hello, > > > > we are interested in the new version of clamav to use it in the new > > > > release of eBox [0]. > > > > An updated ClamAV is one of the last missing pieces left for the release > > > > so we would like to know when the volatile package will be ready. > > > > It will be ready in the first half of this week? > > > > > > No, probably not. As I feared, we have found a piece of software > > > (avscan) that is broken by some changes in the clamav public API in this > > > release. I have been talking to the maintainer, and he is working on a > > > patch with upstream. Once I have some idea of how that's going, I will > > > upload to volatile, but not until we have a supportable path that > > > doesn't break other software in the archive, sorry. > > > > How long will you wait on the dependent project avscan before releasing > > clamav? > > My interpretation of volatile's role with regard to the archive means > that the only answer possible is "when avscan is ready". Maybe the > other volatile team members will have a different opinion.
So avscan (or any other V project) could prevent critical updates from reaching end-users. That seems like a security problem to me. Suppose some virus spammers convince ($$) some avscan (or other project) developer to drag their feet on releasing a fix? Wouldn't it be better to advise of the dependent project's problem in the release notes, and advise against applying the clamav update on just those avscan systems? Does murphy.d.o use avscan or clamav? -Jim P. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
