Bug#337454: Stable package out of date
On Mon, Nov 07, 2005 at 12:47:51PM +, Robert de Bath said:
> On Sun, Nov 06, 2005 at 08:03:26PM +, Stephen Gran wrote:
>
> The existence of the debian security project is predicated on the idea
> that some changes MUST be made to keep the system secure. The only way
> that this bug fails _that_ test is in that it applies outside the Linux
> machine that clamav is running on (ie. I was taking the concept of
> 'system' too far). For only that reason I now agree that clamav upgrades
> don't fit directly in 'security'.
>
> Take note here I am distinguishing between 'stable' and 'security'. By
> its nature stable doesn't move one byte and only changes when a new
> release is made, but 'security' is a different animal.

OK.

> > The volatile project exists to try to bridge the gap for people who
> > don't mind a little administrative hassle in order to have the latest
> > upstream version of some piece of software. The volatile project aims
> > at easy integration with stable, but it is not guaranteed in the same
> > way stable is to have an unchanging interface. At some point, things
> > will break.
>
> No, that's the aim of a normal backports project. volatile has in its
> aims:
>
>   but should only contain changes to stable programs that are
>   necessary to keep them functional; and they should be confident
>   that nothing is broken by [that] using 'volatile' as people
>   currently use 'security'
>
> Normal backports are for extra features, 'volatile' is so that existing
> features continue to work in a hostile world.

The problem with volatile is that at some point upstream _will_ break an
interface, or an API, or change a config file option. Every effort will
be made to work around the changes, and keep it working for users of
stable, but the simple fact is that when you change the code base, you
introduce new bugs. Something will go wrong, even though we are all
trying very hard to make sure it doesn't. I sincerely hope that we can
do a high enough quality job that the claims of volatile remain
fulfilled. However, given the level of complexity of the task, I am
fairly certain that at some point over the life of sarge, some things
will go wrong. This is especially true for people using libraries and
APIs provided by other programs.

> > The only possibly appropriate place would be a bug against policy,
> > asking that the stable release policy be changed so you can get a
> > newer version of an anti-virus scanner. Since most of the things
> > clamav detects don't affect linux systems, I have a feeling I can
> > guess the answer to that bug report.
>
> Definitely not. The release policies for a new version of stable have
> nothing, directly, to do with this. I realise that most of the changes
> that are for a new stable release come from 'security' but even if this
> were included in 'security' it doesn't have to be included in the
> eventual release of the next 'stable' update.
>
> Now that I've had a little while to think about the volatile project I
> can see the distinction between that and 'security' so I now believe
> that this is definitely a Debian website bug. IMO the volatile project
> should be given a high level billing close to the 'security' links or
> pages.
>
> Now who do I send this to ... :-)

Unfortunately, for now, volatile is still an unofficial project, and
likely to remain unofficial throughout the lifetime of sarge, at the
very least. You could ask the people on debian-www (I think that's the
list that deals with website issues), or you could file a bug report
against the website.

At any rate, I am not certain that we are discussing a bug in clamav.
How do you feel about closing this bug, and opening a discussion with
the website people?

Take care,
-- 
 | Stephen Gran                  | Gravity brings me down. |
 | [EMAIL PROTECTED]             |                         |
 | http://www.lobefin.net/~steve |                         |
Bug#337454: Stable package out of date
  LibClamAV Warning:
  LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
  LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
  LibClamAV Warning:

The current version in stable claims that it is a security risk. IMO
this should be viewed as a security bug and fixed as such; however, just
before I fired off a bug report to that effect I looked at the URL above
(I had already checked the Debian package and bug pages) and found the
reference to the volatile project.

Now this is a problem; I still see a bug here but I'm now not sure whose
bug it is. In reality it's probably not a clamav bug because the
'volatile' package fixes it. It probably should be a bug in the policy
for security-fix packages but it would appear that it's a large
political problem that is being addressed by the people behind the
'volatile' project.

In the meantime I still had to go away from Debian to find that Debian
could actually fix the bug with clamav/stable so IMHO there should be a
very obvious reference that debian-security is not supporting this
package and that you need to go to debian-volatile to get security
fixes.

So can I suggest that you leave this bug open (perhaps with a can't fix
or won't fix flag) so that it can prevent somebody going off and buying
f-prot because Debian can't do the job :-)

OTOH: If you know where to put a bug against the debian website that
might be a good place to assign this ...

-- 
Rob.                          (Robert de Bath robert$ @ debath.co.uk)
                              http://www.debath.co.uk/

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#337454: Stable package out of date
This one time, at band camp, Robert de Bath said:
>   LibClamAV Warning:
>   LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
>   LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/faq.html ***
>   LibClamAV Warning:
>
> The current version in stable claims that it is a security risk.

Just to be clear, it does not say it is a security risk. It says that if
you want to catch all the latest virus outbreaks, you'll need to upgrade.
These are related, but orthogonal, issues.

> IMO this should be viewed as a security bug and fixed as such; however,
> just before I fired off a bug report to that effect I looked at the URL
> above (I had already checked the Debian package and bug pages) and
> found the reference to the volatile project.
>
> Now this is a problem; I still see a bug here but I'm now not sure
> whose bug it is. In reality it's probably not a clamav bug because the
> 'volatile' package fixes it. It probably should be a bug in the policy
> for security-fix packages but it would appear that it's a large
> political problem that is being addressed by the people behind the
> 'volatile' project.

The 'bug' is that software projects move on, and stable remains stable.
It is a design decision of the project, and from an administrative point
of view, a good one. The clamav suite includes a library, and some other
packages in Debian link to it. Including the latest upstream would mean
not only releasing the latest clamav, but also hunting down all the
other packages that use the library (or interface with it in some way -
sendmail, amavis, exim, etc) and making sure the upgrade doesn't break
anything. Doing this sort of automated testing in a vacuum is sure to
miss some corner cases, and this means that blindly releasing new
versions of upstream software in a stable release is going to break
someone's setup, if not today, then at some point during the release
cycle.

This is just clamav we are talking about here - what if we were talking
about something more fundamental like the kernel or the toolchain?

The volatile project exists to try to bridge the gap for people who
don't mind a little administrative hassle in order to have the latest
upstream version of some piece of software. The volatile project aims at
easy integration with stable, but it is not guaranteed in the same way
stable is to have an unchanging interface. At some point, things will
break.

> In the meantime I still had to go away from Debian to find that Debian
> could actually fix the bug with clamav/stable so IMHO there should be a
> very obvious reference that debian-security is not supporting this
> package and that you need to go to debian-volatile to get security
> fixes.

The security team is supporting clamav. You will find that all of the
security vulnerabilities found in the sarge version of clamav have been
fixed by uploads to the security archive. Again, you are using the word
security in a way I don't normally use it.

> So can I suggest that you leave this bug open (perhaps with a can't fix
> or won't fix flag) so that it can prevent somebody going off and buying
> f-prot because Debian can't do the job :-)

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310549 is already open,
and I have tagged it sarge, I believe. Would you agree that this is
roughly a duplicate of that unfixable-by-design bug?

> OTOH: If you know where to put a bug against the debian website that
> might be a good place to assign this ...

The only possibly appropriate place would be a bug against policy,
asking that the stable release policy be changed so you can get a newer
version of an anti-virus scanner. Since most of the things clamav
detects don't affect linux systems, I have a feeling I can guess the
answer to that bug report.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
Bug#337454: Stable package out of date
package: clamav
version: 0.84-2.sarge.4

This page needs a reference to the debian volatile project.

  http://volatile.debian.net/mirrors.html

URLs like this in your sources.list

  deb http://ftp.uk.debian.org/debian-volatile sarge/volatile main

Oh, look there's one :-)

-- 
Rob.                          (Robert de Bath robert$ @ debath.co.uk)
                              http://www.debath.co.uk/
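As an added example, not part of the bug report and not Debian's or ClamAV's own tooling: a small POSIX shell script that checks whether an apt sources file already carries the sarge/volatile suite from the report above, and counts the LibClamAV "engine is outdated" warnings in a clamd log, so the condition the reporter noticed shows up in routine log monitoring rather than only in the bug tracker. The function names, file paths and sample lines are constructed for the example; the sample log reproduces the banner quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread or from Debian's tools).
# Two checks an admin of a sarge box might run: is the debian-volatile
# suite already in an apt sources file, and has clamd started logging the
# "engine is outdated" banner quoted in the report?

# Returns 0 when FILE has an active "deb ... debian-volatile sarge/volatile"
# line, 1 otherwise. Commented-out lines do not count.
has_volatile_source() {
    grep -Eq '^[[:space:]]*deb[[:space:]]+[^[:space:]]*debian-volatile[[:space:]]+sarge/volatile([[:space:]]|$)' "$1"
}

# Prints how many "engine is outdated" warnings FILE contains (0 when the
# file is missing or clean), so a cron job can alert on a non-zero count.
count_outdated_warnings() {
    n=$(grep -c 'This version of the ClamAV engine is outdated' "$1" 2>/dev/null) || n=${n:-0}
    printf '%s\n' "$n"
}

# Constructed sample data (not real files): writes a sources.list with and
# without the volatile line plus a clamd log into a temp dir, prints the dir.
make_samples() {
    d=$(mktemp -d) || return 1
    cat >"$d/sources.list" <<'EOF'
deb http://ftp.uk.debian.org/debian sarge main
deb http://security.debian.org sarge/updates main
deb http://ftp.uk.debian.org/debian-volatile sarge/volatile main
EOF
    cat >"$d/plain.list" <<'EOF'
deb http://ftp.uk.debian.org/debian sarge main
# deb http://ftp.uk.debian.org/debian-volatile sarge/volatile main
EOF
    cat >"$d/clamd.log" <<'EOF'
LibClamAV Warning: ****************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated. ***
LibClamAV Warning: ***   DON'T PANIC! Read http://www.clamav.net/faq.html  ***
LibClamAV Warning: ****************************************************
Self checking every 1800 seconds.
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo: run with --demo to see both checks on the sample data.
case "${1:-}" in
--demo)
    dir=$(make_samples)
    for f in sources.list plain.list; do
        if has_volatile_source "$dir/$f"; then
            echo "$f: volatile suite present"
        else
            echo "$f: volatile suite NOT configured"
        fi
    done
    echo "clamd.log: $(count_outdated_warnings "$dir/clamd.log") outdated-engine warning(s)"
    rm -rf "$dir"
    ;;
esac
```

Run it with `sh check-volatile.sh --demo` to see both checks on the constructed files. As Stephen notes later in the thread, the outdated-engine banner is about detection currency, not an unpatched vulnerability in clamav itself: fixes for clamav's own security bugs still come through the security archive, while a non-zero warning count is the cue to add the volatile suite if newer engine and signature support is wanted.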
Bug#337454: Stable package out of date
This one time, at band camp, Robert de Bath said:
> package: clamav
> version: 0.84-2.sarge.4
>
> This page needs a reference to the debian volatile project.
>
>   http://volatile.debian.net/mirrors.html
>
> URLs like this in your sources.list
>
>   deb http://ftp.uk.debian.org/debian-volatile sarge/volatile main
>
> Oh, look there's one :-)

What problem is this bug report trying to address, and how would you
suggest it be fixed? I understand that the version of clamav available
in stable is not the latest release, but that is how stable works. If
you don't want that, you need to seek out the other solutions in Debian,
which you clearly have. I am not sure what the problem is.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------