Kees Cook kees at
Wed Mar 14 21:32:01 GMT 2007

Hi Eric,

On Wed, Mar 14, 2007 at 07:06:25AM -0600, Eric Krieger wrote:
> Why is clamav not being maintained for all ubuntu versions (at least 
> back to Dapper LTS)? Some of us actually use clamav in a production 
> environment in conjunction with spam filtering.

No one (that I've seen) has stepped up to take ownership of clamav.  I 
do, however, try to make time to release security updates for it, since 
I recognize that a lot of people use it and I don't want to leave them 
vulnerable.  (Lacking new features in a virus scanner, however, could be 
seen as "vulnerable" too -- that's true.  Regardless, it doesn't change 
the need for performing lots of testing on updates.)

Normally for security updates, we don't do full-version upgrades of 
software since there may be unintended breakage.  Security updates 
(which don't change the base version number) have been ongoing, though, 
which you can see, for example, in the Dapper changelog[1].  From that, 
you can also see that backports have happened at times.  Usually those 
need to be explicitly requested (and tested).  The best situation would 
be to have clamav go through a full SRU[2].

> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Local version: 0.88.4 Recommended version: 0.90.1
> WARNING: Your ClamAV installation is OUTDATED!
> WARNING: Current functionality level = 8, recommended = 14

So, to recap, I see three things that are possible for clamav:

1) let it age without security updates (ugly)
2) let it age, but backport security updates (middle-ground)
3) always have the latest version (wonderful)

Right now I've been treating clamav as "regular" software, and have just 
been backporting security flaws -- I built some simple tests to do 
validation, so it doesn't take much time to do basic tests.

Doing full-version upgrades will require more testing (e.g. did the 
library or unix-socket interfaces change?) before it gets published.  
What's needed to get us to "3" is someone to update the package, file an 
SRU, and then follow it through the SRU testing process.  I'm happy to 
help test (I use clamav myself), but I don't have the time to drive the 
process at the moment.  Would you be willing to help out with the SRUs?
Kees Cook