List:       clamav-devel
Subject:    Re: [Clamav-devel] The upcoming 15 April kill-switch (and a
From:       "Kamens, Jonathan" <jkamens () Advent ! COM>
Date:       2010-04-19 14:47:07
Message-ID: 40FF3EB574329C459B49338F779CE44E01854F743F () bosmail2k7 ! advent ! com

> On some rpm linux, eg RH5 for example, there is yum. You can provide them a private yum server and this will be done.
>
> On FreeBSD, there is packages, same add a correct line into /etc/make.conf and portupgrade -pP will fix this for you.



How about you do us all a favor and cut out the patronizing?



Everyone involved in this discussion knows how automated package upgrades work.  This is not the point...



> 6 months for a security software is big. Do you forget to upgrade your IOS or Firewall software?



The IOS and Firewall vendors provide safe, minimal upgrade paths to address security concerns.  They support software releases for years.  See, for example, the Symantec policy I referenced earlier in this discussion, which indicates that Symantec supports any software it releases for SEVEN YEARS after the next major version is released.



The ClamAV team cannot justify putting themselves in the same boat as "your IOS or Firewall software" unless they're willing to make the same kind of support commitment.  But they don't.  They put out new releases at least once per year and usually more than that, each new release contains substantial new functionality (and usually substantial new bugs to go along with it), and they don't issue security patches for old releases once new ones come out.



> Clamav is security software,



Yes, it is, which is why it's all the more important for its authors and maintainers to provide reasonable upgrade paths to address security concerns for people and organizations who are not prepared to take the latest and greatest stuff within months after it is released.



Make no mistake, I think ClamAV is a nice package, I'm glad it exists, I'm grateful to the people who have put time and effort into creating, maintaining and enhancing it, and my company will continue to use it as part of our product's open-source platform.  However, all of these things being true does not change the fact that I agree with David Skoll that the ClamAV maintainers sometimes show little regard for the real-world consumers of the package.



The plain, simple fact is that there are other ways this could and should have been handled.



  Jik
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

