[SRM] clamav 0.94.x EOL

Just in case the stable release managers want to do something about it
and don't know about this yet, clamav upstream are taking some
interesting measures to "encourage" people to upgrade from the now
EOLed 0.94.x series. The mail isn't fully clear, but it seems that
clamav 0.94.x will not work at all from April 15th 2010 and will not
receive signature updates from May 2010, so I guess removal from
stable/oldstable is in order as well as an announcement of some sort
(DSA perhaps?).

http://lurker.clamav.net/message/20091006.143601.d27bbd20.en.html

--
bye,
pabs

http://wiki.debian.org/PaulWise

--
To UNSUBSCRIBE, email to debian-security-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...

Re: [SRM] clamav 0.94.x EOL

On 2009-10-07, Paul Wise <pabs@...> wrote:
> Just in case the stable release managers want to do something about it
> and don't know about this yet, clamav upstream are taking some
> interesting measures to "encourage" people to upgrade from the now
> EOLed 0.94.x series. The mail isn't fully clear, but it seems that
> clamav 0.94.x will not work at all from April 15th 2010 and will not
> receive signature updates from May 2010, so I guess removal from
> stable/oldstable is in order as well as an announcement of some sort
> (DSA perhaps?).
>
> http://lurker.clamav.net/message/20091006.143601.d27bbd20.en.html

Yes, we should direct people to volatile, I've opened a ticket in the
security RT queue.

And we shouldn't repeat the same mistake for Squeeze, i.e. keep it out
of stable and in volatile only.

Cheers,
Moritz

Re: [SRM] clamav 0.94.x EOL

On Wed, 07 Oct 2009 at 14:47:21 +0800, Paul Wise wrote:
> Just in case the stable release managers want to do something about it
> and don't know about this yet, clamav upstream are taking some
> interesting measures to "encourage" people to upgrade from the now
> EOLed 0.94.x series. The mail isn't fully clear, but it seems that
> clamav 0.94.x will not work at all from April 15th 2010 and will not
> receive signature updates from May 2010, so I guess removal from
> stable/oldstable is in order as well as an announcement of some sort
> (DSA perhaps?).
>
> http://lurker.clamav.net/message/20091006.143601.d27bbd20.en.html
>

Sorry, it may seem a little harsh, but the reason is that unless the
majority of ClamAV users upgrade to >= 0.95.x, old freshclams will put
an excessive load on ClamAV database mirrors and that will harm *all*
of ClamAV users, not only the ones running old versions.

Best regards
--
 Tomasz Papszun                                      | And it's only
 tomek at lodz.tpsa.pl  http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek at clamav.net    http://www.ClamAV.net/   A GPL virus scanner

Re: [SRM] clamav 0.94.x EOL

On Thu, Oct 08, 2009 at 12:25:51PM +0200, Tomasz Papszun wrote:
> Sorry, it may seem a little harsh,

Why?

> but the reason is that unless the
> majority of ClamAV users upgrade to >= 0.95.x, old freshclams will put
> an excessive load on ClamAV database mirrors and that will harm *all*
> of ClamAV users, not only the ones running old versions.

And a _targeted_ fix is not possible?

Bastian

--
... bacteriological warfare ... hard to believe we were once foolish
enough to play around with that.
		-- McCoy, "The Omega Glory", stardate unknown

Re: [SRM] clamav 0.94.x EOL

On Thu, 08 Oct 2009 at 13:09:02 +0200, Bastian Blank wrote:
> On Thu, Oct 08, 2009 at 12:25:51PM +0200, Tomasz Papszun wrote:
> > Sorry, it may seem a little harsh,
>
> Why?

Well, from Paul's message I had an impression he felt so :-).

> > but the reason is that unless the
> > majority of ClamAV users upgrade to >= 0.95.x, old freshclams will put
> > an excessive load on ClamAV database mirrors and that will harm *all*
> > of ClamAV users, not only the ones running old versions.
>
> And a _targeted_ fix is not possible?
>
> Bastian

0.94.x is no longer officially supported, however you can fix the
problem on your own in Debian and update the internal functionality
counter to mimic 0.95. Such versions will still be working after
15 April 2010.

HTH
--
 Tomasz Papszun                                      | And it's only
 tomek at lodz.tpsa.pl  http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek at clamav.net    http://www.ClamAV.net/   A GPL virus scanner

Re: [Pkg-clamav-devel] [SRM] clamav 0.94.x EOL

On Thu, 8 Oct 2009 12:25:51 +0200 Tomasz Papszun <tomek@...> wrote:
>On Wed, 07 Oct 2009 at 14:47:21 +0800, Paul Wise wrote:
>> Just in case the stable release managers want to do something about it
>> and don't know about this yet, clamav upstream are taking some
>> interesting measures to "encourage" people to upgrade from the now
>> EOLed 0.94.x series. The mail isn't fully clear, but it seems that
>> clamav 0.94.x will not work at all from April 15th 2010 and will not
>> receive signature updates from May 2010, so I guess removal from
>> stable/oldstable is in order as well as an announcement of some sort
>> (DSA perhaps?).
>>
>> http://lurker.clamav.net/message/20091006.143601.d27bbd20.en.html
>>
>
>Sorry, it may seem a little harsh, but the reason is that unless the
>majority of ClamAV users upgrade to >= 0.95.x, old freshclams will put
>an excessive load on ClamAV database mirrors and that will harm *all*
>of ClamAV users, not only the ones running old versions.
>

something to prepare.

I do not think removal is the approach that would be best for users. It
would leave them with an orphaned, non-working package and they will have
to upgrade systems to a newer release, install from external sources (e.g.
volatile), or compile from source directly.

Updating clamav and needed rdepends to something that upstream supports
would be more beneficial for users. With a half a year of notice, I think
this is manageable.

This is the approach Ubuntu will be taking (they already have a full set of
updates in their backport repository that is tested and almost ready).

Scott K

Re: [SRM] clamav 0.94.x EOL

On Thu, Oct 08, 2009 at 02:11:39PM +0200, Tomasz Papszun wrote:
> On Thu, 08 Oct 2009 at 13:09:02 +0200, Bastian Blank wrote:
> > On Thu, Oct 08, 2009 at 12:25:51PM +0200, Tomasz Papszun wrote:
> > > Sorry, it may seem a little harsh,
> > Why?
> Well, from Paul's message I had an impression he felt so :-).

Well, I remember the discussion before the release of Lenny, if clamav
can be part of a stable release at all. And the apprehension that clamav
upstream will kill that version completely before the security support
of this version ends got reality. So Paul has the right to sound harsh.

Please note that this decision may also affect the answer to the same
question for clamav and all related tools in a future stable release of
Debian.

> > > but the reason is that unless the
> > > majority of ClamAV users upgrade to >= 0.95.x, old freshclams will put
> > > an excessive load on ClamAV database mirrors and that will harm *all*
> > > of ClamAV users, not only the ones running old versions.
> > And a _targeted_ fix is not possible?
> 0.94.x is no longer officially supported,

There are easier ways to discourage all the distributions with stable
releases to not include your software at all.

Anyway, this mail was enough to convince me that clamav can't be
released as part of a stable release.

Bastian

--
The heart is not a logical organ.
		-- Dr. Janet Wallace, "The Deadly Years", stardate 3479.4

Re: [Pkg-clamav-devel] [SRM] clamav 0.94.x EOL

On Thu, Oct 08, 2009 at 08:31:49AM -0400, Scott Kitterman wrote:
> I do not think removal is the approach that would be best for users. It
> would leave them with an orphaned, non-working package and they will have
> to upgrade systems to a newer release, install from external sources (e.g.
> volatile), or compile from source directly.
>
> Updating clamav and needed rdepends to something that upstream supports
> would be more beneficial for users. With a half a year of notice, I think
> this is manageable.
>
> This is the approach Ubuntu will be taking (they already have a full set of
> updates in their backport repository that is tested and almost ready).

Especially as there is no use in keeping old versions of a virus scanner
around which cannot be updated anymore and as a sufficient amount of people do
want a virus scanner on their box.

I ask me, though, how many people are actually using the version Lenny
provides. If they do, they probably do not know it better to use volatile,
or do not trust it because it's not as official as the stable suite is.
Of course we could do a noisy drop of clamav out of Lenny and point people
to volatile, I just wonder if that's actually a disservice to our users.

For squeeze I see two proposals:
 a) Either we could relax the policy for clamav a bit if sufficient upgrade
    testing is ensured (like Ubuntu already does, thanks to Scott's work)
 or
 b) We push volatile to be a really official service alongside the stable
    tree residing on our normal infrastructure as a goal for squeeze.
    Volatile updates are currently undergoing testing (thanks to the clamav
    team) but maybe a coordinated effort in reviewing for stable suitability
    of the Ubuntu and Debian counterparts of clamav maintenance would help
    us to convince a possible set of people not using volatile yet.

Now b) was already planned, but hasn't got any progress in the last months.

Kind regards,
Philipp Kern
--
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                  Stable Release Manager
`. `'   xmpp:phil@...                       Wanna-Build Admin
  `-    finger pkern/key@...

Re: [Pkg-clamav-devel] [SRM] clamav 0.94.x EOL

On Fri, 9 Oct 2009 16:39:41 +0200 Philipp Kern <pkern@...> wrote:
>On Thu, Oct 08, 2009 at 08:31:49AM -0400, Scott Kitterman wrote:
>> I do not think removal is the approach that would be best for users. It
>> would leave them with an orphaned, non-working package and they will have
>> to upgrade systems to a newer release, install from external sources (e.g.
>> volatile), or compile from source directly.
>>
>> Updating clamav and needed rdepends to something that upstream supports
>> would be more beneficial for users. With a half a year of notice, I think
>> this is manageable.
>>
>> This is the approach Ubuntu will be taking (they already have a full set of
>> updates in their backport repository that is tested and almost ready).
>
>Especially as there is no use in keeping old versions of a virus scanner
>around which cannot be updated anymore and as a sufficient amount of people do
>want a virus scanner on their box.
>
>I ask me, though, how many people are actually using the version Lenny
>provides. If they do, they probably do not know it better to use volatile,
>or do not trust it because it's not as official as the stable suite is.
>Of course we could do a noisy drop of clamav out of Lenny and point people
>to volatile, I just wonder if that's actually a disservice to our users.

One reason to use Lenny's is if you are using it with one of the libclamav
rdepends, the volatile clamav won't work, since the updated rdepends are not
in volatile.

>For squeeze I see two proposals:
> a) Either we could relax the policy for clamav a bit if sufficient upgrade
>    testing is ensured (like Ubuntu already does, thanks to Scott's work)

I can attest that this is a significant amount of work, but it is achievable.

> or
> b) We push volatile to be a really official service alongside the stable
>    tree residing on our normal infrastructure as a goal for squeeze.
>    Volatile updates are currently undergoing testing (thanks to the clamav
>    team) but maybe a coordinated effort in reviewing for stable suitability
>    of the Ubuntu and Debian counterparts of clamav maintenance would help
>    us to convince a possible set of people not using volatile yet.

It would also need to deal with rdepends to be a suitable replacement for the
official archive.

My view is that it's pointless to try to keep stability in anti-virus.
Staying still is actually a regression as the bad guys start new ways of
causing problems. Debian users ought to be able to just update their systems
with what is provided by Debian in confidence that their software will keep
working. Currently, at least for the subset using libclamav rdepends, they
don't have that at all.

Scott K

Re: [Pkg-clamav-devel] [SRM] clamav 0.94.x EOL

Hi

On Sat, 10 Oct 2009 01:39:41 am Philipp Kern wrote:
> On Thu, Oct 08, 2009 at 08:31:49AM -0400, Scott Kitterman wrote:
> > I do not think removal is the approach that would be best for users. It
> > would leave them with an orphaned, non-working package and they will have
> > to upgrade systems to a newer release, install from external sources
> > (e.g. volatile), or compile from source directly.
> >
> > Updating clamav and needed rdepends to something that upstream supports
> > would be more beneficial for users. With a half a year of notice, I
> > think this is manageable.
> >
> > This is the approach Ubuntu will be taking (they already have a full set
> > of updates in their backport repository that is tested and almost ready).
>
> Especially as there is no use in keeping old versions of a virus scanner
> around which cannot be updated anymore and as a sufficient amount of people
> do want a virus scanner on their box.
>
> I ask me, though, how many people are actually using the version Lenny
> provides. If they do, they probably do not know it better to use volatile,
> or do not trust it because it's not as official as the stable suite is.
> Of course we could do a noisy drop of clamav out of Lenny and point people
> to volatile, I just wonder if that's actually a disservice to our users.
>
> For squeeze I see two proposals:
>  a) Either we could relax the policy for clamav a bit if sufficient upgrade
>     testing is ensured (like Ubuntu already does, thanks to Scott's work)
>  or
>  b) We push volatile to be a really official service alongside the stable
>     tree residing on our normal infrastructure as a goal for squeeze.
>     Volatile updates are currently undergoing testing (thanks to the clamav
>     team) but maybe a coordinated effort in reviewing for stable
>     suitability of the Ubuntu and Debian counterparts of clamav maintenance
>     would help us to convince a possible set of people not using volatile yet.

agreed upon during the security team's meeting in Germany).

Cheers
Steffen