Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-16 Thread Ben Hutchings
On Mon, 2019-04-15 at 20:00 +0200, Ola Lundqvist wrote:
> Hi Scott
> 
> I have now walked through the difference in the debian directories between
> the version in jessie and stretch updates.
> I think there is more work than just a simple changelog update.
> 
> 1) The changelog file contain a lot of changes. I wonder how we generally
> should it. If I backport a package from current stable should I keep that
> changelog and just add one entry or should I pretend that the jessie
> version still apply and add one entry from that one... Not sure myself.
[...]

Assuming that you are going to take almost all the changes from
stretch:

1. Add all the newer changelog entries from stretch to jessie's
   debian/changelog.
2. Add an entry for the backport version.
3. Use the -v option with the previous jessie version when building the
   source package.

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered
an expert.






Re: Test request Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Scott Kitterman
Dropped the security team from the cc.

Install clamav-daemon and clamav-testfiles and then use clamdscan to scan
them:

$ clamdscan /usr/share/clamav-testfiles/clam*

The unrar test files will come up as not infected unless you also install 
libclamunrar7 from non-free.  That's normal.

Scott K

On Monday, April 15, 2019 11:25:39 PM Ola Lundqvist wrote:
> Hi
> 
> Great
> 
> Updated packages are now available on
> https://apt.inguza.net/jessie-security/clamav
> 
> Testing is much appreciated since I have limited experience of clamav
> myself.
> 
> I can test that the package installs properly but I'm not sure I can
> regression test it properly myself.
> 
> Anyone who knows how to regression test it properly?
> 
> Best regards
> 
> // Ola
> 
> On Mon, 15 Apr 2019 at 23:16, Scott Kitterman  wrote:
> > That sounds like the right approach.
> > 
> > Scott K
> > 
> > On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> > > Hi again
> > > 
> > > I have now compared the 0.100.2 version in stretch to the version
> > > 0.100.3
> > > in stretch updates.
> > > I can then see that most of the changes that I'm worried about is not
> > > included.
> > > 
> > > This means that I will take the .orig file and include a sub-set of the
> > > updates.
> > > The remaining updates will be:
> > > - Symbol updates (unavoidable I think).
> > > - Copyright update (not sure if it is necessary but I'll include it
> > 
> > anyway)
> > 
> > > The rest will not be updated.
> > > 
> > > Best regards
> > > 
> > > // Ola
> > > 
> > > On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist  wrote:
> > > > Hi Scott
> > > > 
> > > > I have now walked through the difference in the debian directories
> > 
> > between
> > 
> > > > the version in jessie and stretch updates.
> > > > I think there is more work than just a simple changelog update.
> > > > 
> > > > 1) The changelog file contain a lot of changes. I wonder how we
> > 
> > generally
> > 
> > > > should it. If I backport a package from current stable should I keep
> > 
> > that
> > 
> > > > changelog and just add one entry or should I pretend that the jessie
> > > > version still apply and add one entry from that one... Not sure
> > > > myself.
> > > > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and
> > 
> > a
> > 
> > > > patch introduced to not depend on it
> > > > 3) Config file moved
> > > > from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> > > > to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > > > 4) Changes in postinst. Not sure if it is backwards compatible or not
> > 
> > yet.
> > 
> > > > Preliminary not.
> > > > 5) Debhelper compat updated. Should be ok.
> > > > 6) Build dependency changes.
> > > > 7) clamav-dbg package no longer provided
> > > > 8) so files moved from /usr/lib/libclamav.so to
> > 
> > /usr/lib/xxx/libclamav.so
> > 
> > > > and pkgconfig moved accordingly.
> > > > 9) Support for llvm introduced. Should probably be ok.
> > > > 10) A LOT of symbols changed. They are declared private so it should be
> > 
> > ok.
> > 
> > > > But you never know.
> > > > 
> > > > It would be helpful if you can help me judge if any of the above means
> > > > backwards incompatibility.
> > > > 
> > > > I'm most worried about the following:
> > > > - Socket change
> > > > - Config file change
> > > > - Postinst change
> > > > - clamav-dbg
> > > > - Symbol changes
> > > > 
> > > > Thank you in advance
> > > > 
> > > > // Ola
> > > > 
> > > > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman 
> > 
> > wrote:
> > > >> I believe you've misunderstood.
> > > >> 
> > > >> The version in stable is 0.100.3 and does not have a soname bump (nor
> > > >> does it
> > > >> need one).  You should be able to update the LTS with that package
> > 
> > with
> > 
> > > >> little
> > > >> more (maybe no more) than an updated changelog.
> > > >> 
> > > >> Scott K
> > > >> 
> > > >> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> > > >> > Hi Scott and LTS team
> > > >> > 
> > > >> > Thank you. I'll see if I can backport the required fixes. That may
> > > >> > solve
> > > >> > the library issue.
> > > >> > 
> > > >> > Alternatively we state that clamav is not supported. Maybe someone
> > 
> > in
> > 
> > > >> the
> > > >> 
> > > > >> > LTS team can advise on that.
> > > >> > 
> > > >> > Best regards
> > > >> > 
> > > >> > // Ola
> > > >> > 
> > > >> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman  > > >> 
> > > >> wrote:
> > > >> > > Comments inline.
> > > >> > > 
> > > >> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > >> > > > Hi
> > > >> > > > 
> > > >> > > > I missed to include the clamav maintainers. Sorry about that.
> > > >> > > > 
> > > >> > > > // Ola
> > > >> > > > 
> > > >> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist 
> > 
> > wrote:
> > > > >> > > > > Dear maintainers, LTS team and Debian Security team
> > > >> > > > > 
> > > >> > > > > I have started to look at the clamav package update due to
> > > >> > > > > 

Test request Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Ola Lundqvist
Hi

Great

Updated packages are now available on
https://apt.inguza.net/jessie-security/clamav

Testing is much appreciated since I have limited experience of clamav
myself.

I can test that the package installs properly but I'm not sure I can
regression test it properly myself.

Anyone who knows how to regression test it properly?

Best regards

// Ola


On Mon, 15 Apr 2019 at 23:16, Scott Kitterman  wrote:

> That sounds like the right approach.
>
> Scott K
>
> On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> > Hi again
> >
> > I have now compared the 0.100.2 version in stretch to the version 0.100.3
> > in stretch updates.
> > I can then see that most of the changes that I'm worried about is not
> > included.
> >
> > This means that I will take the .orig file and include a sub-set of the
> > updates.
> > The remaining updates will be:
> > - Symbol updates (unavoidable I think).
> > - Copyright update (not sure if it is necessary but I'll include it
> anyway)
> >
> > The rest will not be updated.
> >
> > Best regards
> >
> > // Ola
> >
> > On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist  wrote:
> > > Hi Scott
> > >
> > > I have now walked through the difference in the debian directories
> between
> > > the version in jessie and stretch updates.
> > > I think there is more work than just a simple changelog update.
> > >
> > > 1) The changelog file contain a lot of changes. I wonder how we
> generally
> > > should it. If I backport a package from current stable should I keep
> that
> > > changelog and just add one entry or should I pretend that the jessie
> > > version still apply and add one entry from that one... Not sure myself.
> > > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and
> a
> > > patch introduced to not depend on it
> > > 3) Config file moved
> > > from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> > > to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > > 4) Changes in postinst. Not sure if it is backwards compatible or not
> yet.
> > > Preliminary not.
> > > 5) Debhelper compat updated. Should be ok.
> > > 6) Build dependency changes.
> > > 7) clamav-dbg package no longer provided
> > > 8) so files moved from /usr/lib/libclamav.so to
> /usr/lib/xxx/libclamav.so
> > > and pkgconfig moved accordingly.
> > > 9) Support for llvm introduced. Should probably be ok.
> > > 10) A LOT of symbols changed. They are declared private so it should be
> ok.
> > > But you never know.
> > >
> > > It would be helpful if you can help me judge if any of the above means
> > > backwards incompatibility.
> > >
> > > I'm most worried about the following:
> > > - Socket change
> > > - Config file change
> > > - Postinst change
> > > - clamav-dbg
> > > - Symbol changes
> > >
> > > Thank you in advance
> > >
> > > // Ola
> > >
> > > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman 
> wrote:
> > >> I believe you've misunderstood.
> > >>
> > >> The version in stable is 0.100.3 and does not have a soname bump (nor
> > >> does it
> > >> need one).  You should be able to update the LTS with that package
> with
> > >> little
> > >> more (maybe no more) than an updated changelog.
> > >>
> > >> Scott K
> > >>
> > >> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> > >> > Hi Scott and LTS team
> > >> >
> > >> > Thank you. I'll see if I can backport the required fixes. That may
> > >> > solve
> > >> > the library issue.
> > >> >
> > >> > Alternatively we state that clamav is not supported. Maybe someone
> in
> > >>
> > >> the
> > >>
> > >> > LTS team can advise on that.
> > >> >
> > >> > Best regards
> > >> >
> > >> > // Ola
> > >> >
> > >> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman  >
> > >>
> > >> wrote:
> > >> > > Comments inline.
> > >> > >
> > >> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > >> > > > Hi
> > >> > > >
> > >> > > > I missed to include the clamav maintainers. Sorry about that.
> > >> > > >
> > >> > > > // Ola
> > >> > > >
> > >> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist 
> wrote:
> > >> > > > > Dear maintainers, LTS team and Debian Security team
> > >> > > > >
> > >> > > > > I have started to look at the clamav package update due to
> > >> > > > > CVE-2019-1787
> > >> > > > > CVE-2019-1788
> > >> > > > > CVE-2019-1789
> > >> > > > > (the other three vulnerabilities are not affecting jessie or
> > >>
> > >> stretch
> > >>
> > >> > > as I
> > >> > >
> > >> > > > > understand it)
> > >> > >
> > >> > > That's correct.
> > >> > >
> > >> > > > > I have understood that the clamav package is typically
> updated to
> > >>
> > >> the
> > >>
> > >> > > > > latest version also in stable and oldstable. However when
> doing
> > >>
> > >> so I
> > >>
> > >> > > > > encountered quite a few things that I would like to ask your
> > >>
> > >> advice
> > >>
> > >> > > > > on.
> > >> > > > >
> > >> > > > > First of all to the maintainers. Do you want to handle also
> LTS
> > >> > > > > (oldstable) and regular security (stable) upload of 

Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Scott Kitterman
That sounds like the right approach.

Scott K

On Monday, April 15, 2019 10:36:31 PM Ola Lundqvist wrote:
> Hi again
> 
> I have now compared the 0.100.2 version in stretch to the version 0.100.3
> in stretch updates.
> I can then see that most of the changes that I'm worried about is not
> included.
> 
> This means that I will take the .orig file and include a sub-set of the
> updates.
> The remaining updates will be:
> - Symbol updates (unavoidable I think).
> - Copyright update (not sure if it is necessary but I'll include it anyway)
> 
> The rest will not be updated.
> 
> Best regards
> 
> // Ola
> 
> On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist  wrote:
> > Hi Scott
> > 
> > I have now walked through the difference in the debian directories between
> > the version in jessie and stretch updates.
> > I think there is more work than just a simple changelog update.
> > 
> > 1) The changelog file contain a lot of changes. I wonder how we generally
> > should it. If I backport a package from current stable should I keep that
> > changelog and just add one entry or should I pretend that the jessie
> > version still apply and add one entry from that one... Not sure myself.
> > 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a
> > patch introduced to not depend on it
> > 3) Config file moved
> > from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> > to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> > 4) Changes in postinst. Not sure if it is backwards compatible or not yet.
> > Preliminary not.
> > 5) Debhelper compat updated. Should be ok.
> > 6) Build dependency changes.
> > 7) clamav-dbg package no longer provided
> > 8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so
> > and pkgconfig moved accordingly.
> > 9) Support for llvm introduced. Should probably be ok.
> > 10) A LOT of symbols changed. They are declared private so it should be ok.
> > But you never know.
> > 
> > It would be helpful if you can help me judge if any of the above means
> > backwards incompatibility.
> > 
> > I'm most worried about the following:
> > - Socket change
> > - Config file change
> > - Postinst change
> > - clamav-dbg
> > - Symbol changes
> > 
> > Thank you in advance
> > 
> > // Ola
> > 
> > On Mon, 1 Apr 2019 at 15:13, Scott Kitterman  wrote:
> >> I believe you've misunderstood.
> >> 
> >> The version in stable is 0.100.3 and does not have a soname bump (nor
> >> does it
> >> need one).  You should be able to update the LTS with that package with
> >> little
> >> more (maybe no more) than an updated changelog.
> >> 
> >> Scott K
> >> 
> >> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> >> > Hi Scott and LTS team
> >> > 
> >> > Thank you. I'll see if I can backport the required fixes. That may
> >> > solve
> >> > the library issue.
> >> > 
> >> > Alternatively we state that clamav is not supported. Maybe someone in
> >> 
> >> the
> >> 
> >> > LTS team can advise on that.
> >> > 
> >> > Best regards
> >> > 
> >> > // Ola
> >> > 
> >> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman 
> >> 
> >> wrote:
> >> > > Comments inline.
> >> > > 
> >> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> >> > > > Hi
> >> > > > 
> >> > > > I missed to include the clamav maintainers. Sorry about that.
> >> > > > 
> >> > > > // Ola
> >> > > > 
> >> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist  wrote:
> >> > > > > Dear maintainers, LTS team and Debian Security team
> >> > > > > 
> >> > > > > I have started to look at the clamav package update due to
> >> > > > > CVE-2019-1787
> >> > > > > CVE-2019-1788
> >> > > > > CVE-2019-1789
> >> > > > > (the other three vulnerabilities are not affecting jessie or
> >> 
> >> stretch
> >> 
> >> > > as I
> >> > > 
> >> > > > > understand it)
> >> > > 
> >> > > That's correct.
> >> > > 
> >> > > > > I have understood that the clamav package is typically updated to
> >> 
> >> the
> >> 
> >> > > > > latest version also in stable and oldstable. However when doing
> >> 
> >> so I
> >> 
> >> > > > > encountered quite a few things that I would like to ask your
> >> 
> >> advice
> >> 
> >> > > > > on.
> >> > > > > 
> >> > > > > First of all to the maintainers. Do you want to handle also LTS
> >> > > > > (oldstable) and regular security (stable) upload of clamav?
> >> > > 
> >> > > Stable is already done through stable proposed updates (which is the
> >> > > normal
> >> > > path for clamav).  We leave the LTS releases to the LTS team.  Base
> >> 
> >> your
> >> 
> >> > > work
> >> > > on what's in stable.
> >> > > 
> >> > > > > Question to maintainers and Security team. Should we synchronize
> >> 
> >> the
> >> 
> >> > > > > efforts here and have you already started on the stable update?
> >> > > > > 
> >> > > > > If not I have a few questions:
> >> > > > > 1) Do you know the binary compatibility between libclamav7 and
> >> > > 
> >> > > libclamav9?
> >> > > 
> >> > > > >  I have noticed that the package in sid produces 

Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Sebastian Andrzej Siewior
On 2019-04-15 22:36:31 [+0200], Ola Lundqvist wrote:
> Hi again
> 
> I have now compared the 0.100.2 version in stretch to the version 0.100.3
> in stretch updates.
> I can then see that most of the changes that I'm worried about is not
> included.
> 
> This means that I will take the .orig file and include a sub-set of the
> updates.
> The remaining updates will be:
> - Symbol updates (unavoidable I think).

you need to update the symbol file as we have in Stretch. The reason is
that clamav-daemon (among other clamav packages) _have_ to pull in
libclamav from this version. The clamav-* packages use internal symbols
from that library and would complain otherwise.

> - Copyright update (not sure if it is necessary but I'll include it anyway)
> 
> The rest will not be updated.
> 
> Best regards
> 
> // Ola

Sebastian



Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Ola Lundqvist
Hi again

I have now compared the 0.100.2 version in stretch to the version 0.100.3
in stretch updates.
I can then see that most of the changes that I'm worried about is not
included.

This means that I will take the .orig file and include a sub-set of the
updates.
The remaining updates will be:
- Symbol updates (unavoidable I think).
- Copyright update (not sure if it is necessary but I'll include it anyway)

The rest will not be updated.

Best regards

// Ola


On Mon, 15 Apr 2019 at 20:00, Ola Lundqvist  wrote:

> Hi Scott
>
> I have now walked through the difference in the debian directories between
> the version in jessie and stretch updates.
> I think there is more work than just a simple changelog update.
>
> 1) The changelog file contain a lot of changes. I wonder how we generally
> should it. If I backport a package from current stable should I keep that
> changelog and just add one entry or should I pretend that the jessie
> version still apply and add one entry from that one... Not sure myself.
> 2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a
> patch introduced to not depend on it
> 3) Config file moved
> from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> to /etc/systemd/system/clamav-daemon.service.d/extend.conf
> 4) Changes in postinst. Not sure if it is backwards compatible or not yet.
> Preliminary not.
> 5) Debhelper compat updated. Should be ok.
> 6) Build dependency changes.
> 7) clamav-dbg package no longer provided
> 8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so
> and pkgconfig moved accordingly.
> 9) Support for llvm introduced. Should probably be ok.
> 10) A LOT of symbols changed. They are declared private so it should be ok.
> But you never know.
>
> It would be helpful if you can help me judge if any of the above means
> backwards incompatibility.
>
> I'm most worried about the following:
> - Socket change
> - Config file change
> - Postinst change
> - clamav-dbg
> - Symbol changes
>
> Thank you in advance
>
> // Ola
>
> On Mon, 1 Apr 2019 at 15:13, Scott Kitterman  wrote:
>
>> I believe you've misunderstood.
>>
>> The version in stable is 0.100.3 and does not have a soname bump (nor
>> does it
>> need one).  You should be able to update the LTS with that package with
>> little
>> more (maybe no more) than an updated changelog.
>>
>> Scott K
>>
>> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
>> > Hi Scott and LTS team
>> >
>> > Thank you. I'll see if I can backport the required fixes. That may solve
>> > the library issue.
>> >
>> > Alternatively we state that clamav is not supported. Maybe someone in
>> the
>> > LTS team can advise on that.
>> >
>> > Best regards
>> >
>> > // Ola
>> >
>> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman 
>> wrote:
>> > > Comments inline.
>> > >
>> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
>> > > > Hi
>> > > >
>> > > > I missed to include the clamav maintainers. Sorry about that.
>> > > >
>> > > > // Ola
>> > > >
>> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist  wrote:
>> > > > > Dear maintainers, LTS team and Debian Security team
>> > > > >
>> > > > > I have started to look at the clamav package update due to
>> > > > > CVE-2019-1787
>> > > > > CVE-2019-1788
>> > > > > CVE-2019-1789
>> > > > > (the other three vulnerabilities are not affecting jessie or
>> stretch
>> > >
>> > > as I
>> > >
>> > > > > understand it)
>> > >
>> > > That's correct.
>> > >
>> > > > > I have understood that the clamav package is typically updated to
>> the
>> > > > > latest version also in stable and oldstable. However when doing
>> so I
>> > > > > encountered quite a few things that I would like to ask your
>> advice
>> > > > > on.
>> > > > >
>> > > > > First of all to the maintainers. Do you want to handle also LTS
>> > > > > (oldstable) and regular security (stable) upload of clamav?
>> > >
>> > > Stable is already done through stable proposed updates (which is the
>> > > normal
>> > > path for clamav).  We leave the LTS releases to the LTS team.  Base
>> your
>> > > work
>> > > on what's in stable.
>> > >
>> > > > > Question to maintainers and Security team. Should we synchronize
>> the
>> > > > > efforts here and have you already started on the stable update?
>> > > > >
>> > > > > If not I have a few questions:
>> > > > > 1) Do you know the binary compatibility between libclamav7 and
>> > >
>> > > libclamav9?
>> > >
>> > > > >  I have noticed that the package in sid produces libclamav9 while
>> the
>> > >
>> > > one
>> > >
>> > > > > in jessie provides libclamav7. Do you think this can be an issue?
>> > >
>> > > Yes.  It's guaranteed to be an issue.  We have a stable transition
>> > > prepared
>> > > and will do it (once the srm blesses) after the next point release in
>> > > April.
>> > > Note that the security team doesn't support clamav.
>> > >
>> > > > > 2) Do you think backporting the package in sid is better than
>> simply
>> > > > > updating to the latest 

Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-15 Thread Ola Lundqvist
Hi Scott

I have now walked through the difference in the debian directories between
the version in jessie and stretch updates.
I think there is more work than just a simple changelog update.

1) The changelog file contain a lot of changes. I wonder how we generally
should it. If I backport a package from current stable should I keep that
changelog and just add one entry or should I pretend that the jessie
version still apply and add one entry from that one... Not sure myself.
2) /lib/systemd/system/clamav-daemon.socket is no longer installed and a
patch introduced to not depend on it
3) Config file moved
from /etc/systemd/system/clamav-daemon.socket.d/extend.conf
to /etc/systemd/system/clamav-daemon.service.d/extend.conf
4) Changes in postinst. Not sure if it is backwards compatible or not yet.
Preliminary not.
5) Debhelper compat updated. Should be ok.
6) Build dependency changes.
7) clamav-dbg package no longer provided
8) so files moved from /usr/lib/libclamav.so to /usr/lib/xxx/libclamav.so
and pkgconfig moved accordingly.
9) Support for llvm introduced. Should probably be ok.
10) A LOT of symbols changed. They are declared private so it should be ok.
But you never know.

It would be helpful if you can help me judge if any of the above means
backwards incompatibility.

I'm most worried about the following:
- Socket change
- Config file change
- Postinst change
- clamav-dbg
- Symbol changes

Thank you in advance

// Ola

On Mon, 1 Apr 2019 at 15:13, Scott Kitterman  wrote:

> I believe you've misunderstood.
>
> The version in stable is 0.100.3 and does not have a soname bump (nor does
> it
> need one).  You should be able to update the LTS with that package with
> little
> more (maybe no more) than an updated changelog.
>
> Scott K
>
> On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> > Hi Scott and LTS team
> >
> > Thank you. I'll see if I can backport the required fixes. That may solve
> > the library issue.
> >
> > Alternatively we state that clamav is not supported. Maybe someone in the
> > LTS team can advise on that.
> >
> > Best regards
> >
> > // Ola
> >
> > On Sun, 31 Mar 2019 at 22:35, Scott Kitterman 
> wrote:
> > > Comments inline.
> > >
> > > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > > Hi
> > > >
> > > > I missed to include the clamav maintainers. Sorry about that.
> > > >
> > > > // Ola
> > > >
> > > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist  wrote:
> > > > > Dear maintainers, LTS team and Debian Security team
> > > > >
> > > > > I have started to look at the clamav package update due to
> > > > > CVE-2019-1787
> > > > > CVE-2019-1788
> > > > > CVE-2019-1789
> > > > > (the other three vulnerabilities are not affecting jessie or
> stretch
> > >
> > > as I
> > >
> > > > > understand it)
> > >
> > > That's correct.
> > >
> > > > > I have understood that the clamav package is typically updated to
> the
> > > > > latest version also in stable and oldstable. However when doing so
> I
> > > > > encountered quite a few things that I would like to ask your advice
> > > > > on.
> > > > >
> > > > > First of all to the maintainers. Do you want to handle also LTS
> > > > > (oldstable) and regular security (stable) upload of clamav?
> > >
> > > Stable is already done through stable proposed updates (which is the
> > > normal
> > > path for clamav).  We leave the LTS releases to the LTS team.  Base
> your
> > > work
> > > on what's in stable.
> > >
> > > > > Question to maintainers and Security team. Should we synchronize
> the
> > > > > efforts here and have you already started on the stable update?
> > > > >
> > > > > If not I have a few questions:
> > > > > 1) Do you know the binary compatibility between libclamav7 and
> > >
> > > libclamav9?
> > >
> > > > >  I have noticed that the package in sid produces libclamav9 while
> the
> > >
> > > one
> > >
> > > > > in jessie provides libclamav7. Do you think this can be an issue?
> > >
> > > Yes.  It's guaranteed to be an issue.  We have a stable transition
> > > prepared
> > > and will do it (once the srm blesses) after the next point release in
> > > April.
> > > Note that the security team doesn't support clamav.
> > >
> > > > > 2) Do you think backporting the package in sid is better than
> simply
> > > > > updating to the latest upstream while keeping most scripts in
> > >
> > > oldstable? I
> > >
> > > > > had to copy over the split-archive.sh to be able to generate a
> proper
> > >
> > > orig
> > >
> > > > > tarball.
> > >
> > > No.  Use what's in stable proposed updates.
> > >
> > > > > - I personally think the package in sid have a little too much
> updates
> > >
> > > to
> > >
> > > > > make that safe, especially since it produces new library packages.
> > >
> > > Agreed.  That would definitely be a bad idea.
> > >
> > > > > - On the other hand, I had to do some modifications already to make
> > >
> > > allow
> > >
> > > > > the package to be generated and I have not even started building
> yet.
> > > > > 

Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-01 Thread Scott Kitterman
I believe you've misunderstood.

The version in stable is 0.100.3 and does not have a soname bump (nor does it 
need one).  You should be able to update the LTS with that package with little 
more (maybe no more) than an updated changelog.

Scott K

On Monday, April 01, 2019 02:46:34 PM Ola Lundqvist wrote:
> Hi Scott and LTS team
> 
> Thank you. I'll see if I can backport the required fixes. That may solve
> the library issue.
> 
> Alternatively we state that clamav is not supported. Maybe someone in the
> LTS team can advise on that.
> 
> Best regards
> 
> // Ola
> 
> On Sun, 31 Mar 2019 at 22:35, Scott Kitterman  wrote:
> > Comments inline.
> > 
> > On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > > Hi
> > > 
> > > I missed to include the clamav maintainers. Sorry about that.
> > > 
> > > // Ola
> > > 
> > > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist  wrote:
> > > > Dear maintainers, LTS team and Debian Security team
> > > > 
> > > > I have started to look at the clamav package update due to
> > > > CVE-2019-1787
> > > > CVE-2019-1788
> > > > CVE-2019-1789
> > > > (the other three vulnerabilities are not affecting jessie or stretch
> > 
> > as I
> > 
> > > > understand it)
> > 
> > That's correct.
> > 
> > > > I have understood that the clamav package is typically updated to the
> > > > latest version also in stable and oldstable. However when doing so I
> > > > encountered quite a few things that I would like to ask your advice
> > > > on.
> > > > 
> > > > First of all to the maintainers. Do you want to handle also LTS
> > > > (oldstable) and regular security (stable) upload of clamav?
> > 
> > Stable is already done through stable proposed updates (which is the
> > normal
> > path for clamav).  We leave the LTS releases to the LTS team.  Base your
> > work
> > on what's in stable.
> > 
> > > > Question to maintainers and Security team. Should we synchronize the
> > > > efforts here and have you already started on the stable update?
> > > > 
> > > > If not I have a few questions:
> > > > 1) Do you know the binary compatibility between libclamav7 and
> > 
> > libclamav9?
> > 
> > > >  I have noticed that the package in sid produces libclamav9 while the
> > 
> > one
> > 
> > > > in jessie provides libclamav7. Do you think this can be an issue?
> > 
> > Yes.  It's guaranteed to be an issue.  We have a stable transition
> > prepared
> > and will do it (once the srm blesses) after the next point release in
> > April.
> > Note that the security team doesn't support clamav.
> > 
> > > > 2) Do you think backporting the package in sid is better than simply
> > > > updating to the latest upstream while keeping most scripts in
> > 
> > oldstable? I
> > 
> > > > had to copy over the split-archive.sh to be able to generate a proper
> > 
> > orig
> > 
> > > > tarball.
> > 
> > No.  Use what's in stable proposed updates.
> > 
> > > > - I personally think the package in sid have a little too much updates
> > 
> > to
> > 
> > > > make that safe, especially since it produces new library packages.
> > 
> > Agreed.  That would definitely be a bad idea.
> > 
> > > > - On the other hand, I had to do some modifications already to make
> > 
> > allow
> > 
> > > > the package to be generated and I have not even started building yet.
> > > > There
> > > > may be many fixes needed to make this package work in oldstable...
> > 
> > I suspect that what's in stable will work in oldstable, but I haven't
> > tried
> > it.  It'll certainly take less work than what's in sid.
> > 
> > > > I guess we cannot generate new library package version, or?
> > 
> > Generally one does not, but for clamav you kind of have to at some point.
> > Note that for libclamav7 -> libclamav9 there are also API changes, so
> > libclamav-dev reverse build-depends need patching in addition to
> > rebuilding.
> > Once we've done that in stable, it should be easy enough to adapt for
> > oldstable when the time comes.  Don't worry about it now.
> > 
> > Scott K



Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-04-01 Thread Ola Lundqvist
Hi Scott and LTS team

Thank you. I'll see if I can backport the required fixes. That may solve
the library issue.

Alternatively we state that clamav is not supported. Maybe someone in the
LTS team can advise on that.

Best regards

// Ola

On Sun, 31 Mar 2019 at 22:35, Scott Kitterman  wrote:

> Comments inline.
>
> On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> > Hi
> >
> > I forgot to include the clamav maintainers. Sorry about that.
> >
> > // Ola
> >
> > On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist  wrote:
> > > Dear maintainers, LTS team and Debian Security team
> > >
> > > I have started to look at the clamav package update due to
> > > CVE-2019-1787
> > > CVE-2019-1788
> > > CVE-2019-1789
> > > (the other three vulnerabilities are not affecting jessie or stretch as I
> > > understand it)
>
> That's correct.
>
> > > I have understood that the clamav package is typically updated to the
> > > latest version also in stable and oldstable. However when doing so I
> > > encountered quite a few things that I would like to ask your advice on.
> > >
> > > First of all to the maintainers. Do you want to handle also LTS
> > > (oldstable) and regular security (stable) upload of clamav?
>
> Stable is already done through stable proposed updates (which is the normal
> path for clamav).  We leave the LTS releases to the LTS team.  Base your work
> on what's in stable.
>
> > > Question to maintainers and Security team. Should we synchronize the
> > > efforts here and have you already started on the stable update?
> > >
> > > If not I have a few questions:
> > > 1) Do you know the binary compatibility between libclamav7 and libclamav9?
> > >  I have noticed that the package in sid produces libclamav9 while the one
> > > in jessie provides libclamav7. Do you think this can be an issue?
>
> Yes.  It's guaranteed to be an issue.  We have a stable transition prepared
> and will do it (once the srm blesses) after the next point release in April.
> Note that the security team doesn't support clamav.
>
> > > 2) Do you think backporting the package in sid is better than simply
> > > updating to the latest upstream while keeping most scripts in oldstable? I
> > > had to copy over the split-archive.sh to be able to generate a proper orig
> > > tarball.
>
> No.  Use what's in stable proposed updates.
>
> > > - I personally think the package in sid has a little too many updates to
> > > make that safe, especially since it produces new library packages.
>
> Agreed.  That would definitely be a bad idea.
>
> > > - On the other hand, I had to do some modifications already to allow
> > > the package to be generated and I have not even started building yet.
> > > There may be many fixes needed to make this package work in oldstable...
>
> I suspect that what's in stable will work in oldstable, but I haven't tried
> it.  It'll certainly take less work than what's in sid.
>
> > > I guess we cannot generate new library package version, or?
>
> Generally one does not, but for clamav you kind of have to at some point.
> Note that for libclamav7 -> libclamav9 there are also API changes, so
> libclamav-dev reverse build-depends need patching in addition to rebuilding.
> Once we've done that in stable, it should be easy enough to adapt for
> oldstable when the time comes.  Don't worry about it now.
>
> Scott K
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology 
|  o...@inguza.com        o...@debian.org            |
|  http://inguza.com/     Mobile: +46 (0)70-332 1551 |
 ---


Re: [Pkg-clamav-devel] LTS update of clamav and call for advice

2019-03-31 Thread Scott Kitterman
Comments inline.

On Sunday, March 31, 2019 09:37:46 PM Ola Lundqvist wrote:
> Hi
> 
> I forgot to include the clamav maintainers. Sorry about that.
> 
> // Ola
> 
> On Sun, 31 Mar 2019 at 21:21, Ola Lundqvist  wrote:
> > Dear maintainers, LTS team and Debian Security team
> > 
> > I have started to look at the clamav package update due to
> > CVE-2019-1787
> > CVE-2019-1788
> > CVE-2019-1789
> > (the other three vulnerabilities are not affecting jessie or stretch as I
> > understand it)

That's correct.

> > I have understood that the clamav package is typically updated to the
> > latest version also in stable and oldstable. However when doing so I
> > encountered quite a few things that I would like to ask your advice on.
> > 
> > First of all to the maintainers. Do you want to handle also LTS
> > (oldstable) and regular security (stable) upload of clamav?

Stable is already done through stable proposed updates (which is the normal 
path for clamav).  We leave the LTS releases to the LTS team.  Base your work 
on what's in stable.

> > Question to maintainers and Security team. Should we synchronize the
> > efforts here and have you already started on the stable update?
> > 
> > If not I have a few questions:
> > 1) Do you know the binary compatibility between libclamav7 and libclamav9?
> >  I have noticed that the package in sid produces libclamav9 while the one
> > in jessie provides libclamav7. Do you think this can be an issue?

Yes.  It's guaranteed to be an issue.  We have a stable transition prepared 
and will do it (once the srm blesses) after the next point release in April.  
Note that the security team doesn't support clamav.

> > 2) Do you think backporting the package in sid is better than simply
> > updating to the latest upstream while keeping most scripts in oldstable? I
> > had to copy over the split-archive.sh to be able to generate a proper orig
> > tarball.

No.  Use what's in stable proposed updates.

> > - I personally think the package in sid has a little too many updates to
> > make that safe, especially since it produces new library packages.

Agreed.  That would definitely be a bad idea.

> > - On the other hand, I had to do some modifications already to allow
> > the package to be generated and I have not even started building yet.
> > There may be many fixes needed to make this package work in oldstable...

I suspect that what's in stable will work in oldstable, but I haven't tried 
it.  It'll certainly take less work than what's in sid.

> > I guess we cannot generate new library package version, or?

Generally one does not, but for clamav you kind of have to at some point.  
Note that for libclamav7 -> libclamav9 there are also API changes, so 
libclamav-dev reverse build-depends need patching in addition to rebuilding.  
Once we've done that in stable, it should be easy enough to adapt for 
oldstable when the time comes.  Don't worry about it now.

Scott K