Klamav Updates

[Stephan Hermann]

Good Morning Scott,

Scott Kitterman schrieb:
> These are all good points and were mostly ones I argued during the meeting. 
>  The fundamental concern I have is I know (now) that the packaged clamav 
> will interact with the local version without particularly complaining about 
> it.  This is sufficiently risky in my book to trump the other arguements.  
> There are other issues too, like the clamav updates downloaded by klamav 
> won't have any of the Debian/Ubuntu patches installed.
>   

Another alternative would be to patch Klamav, that it's not looking for 
new clamav updates but updates to the ubuntu clamav package.

> Recently the clamav support picture has improved significantly.  Is you 
> look at Feisty, it's had three security updates since release and all 
> security fixes from the later releases are incorporated.  Additionally, the 
> current version of clamav is available via feisty-backports.  Because of 
> the improved volunteer support through the packaging system, I think the 
> need for individuals to upgrade directly from upstream is much less than it 
> has generally been.
>   
There is just a problem with a vital package like clamav...
Community Supported Software is not secure enough to be installed in a 
production environment.
Who gives me ( as a customer^Wuser ) the waranty that this tool will be 
updated in time, knowing that no version upgrades
will come through but backported patches?


And thinking about *-backports. No one I know who runs Ubuntu in a 
serious environment had enabled *-backports.

Regards,

\sh