Input for MOTU Meeting on Clamav
Scott Kitterman
ubuntu at kitterman.com
Thu Apr 26 19:12:58 BST 2007
This agenda item should probably wait for a meeting that keescook can make it
to (he's offline the rest of this week for travel). I am unable to make
today's meeting either. Here is what I was thinking in case you go ahead and
discuss it:

Dapper and Edgy have clamav 0.8x. Upstream has moved on to 0.9x and there are
API changes that make a 0.9x backport outside the scope of what backport
policy would permit. OTOH, clamav is a security-sensitive application and
particularly for Dapper (because it's LTS) just leaving them stuck at 0.88
seems problematic.

There is a new 0.88-4 package out from Debian for Sarge that we should
probably look at for updating Dapper/Edgy, but in the end I think that the
0.88 series is not likely to be maintainable for another 4 years.

My suggestion is that we backport clamav 0.90.2 as a new backport package
something like clamav-09 so that people who want to upgrade Dapper/Edgy can
do so if they are willing to work through whatever breakage this causes
elsewhere (I think clamav-daemon will work fine, but am not certain).

I've built 0.90.2 on Edgy and Dapper. Dapper took some minor dependency
adjustment, but produced a functional package. I'd be willing to put the
initial backports packages on REVU, but am not qualified to keep them patched
for new security issues.

Scott K