[arch-general] ClamAV should be updated to 0.93
Hello list, clamav should be updated. -- regards, TR
On Wed, 2008-04-16 at 18:38 +0200, Tino Reichardt wrote:
Hello list,
clamav should be updated.
I read about this in the news today.
http://www.computerworlduk.com/technology/security-products/prevention/news/index.cfm?RSS&newsid=8536
0.93 fixes a security bug.
Tino Reichardt, can you please file a bug in bugs.archlinux.org? Set Category to 'Security'
Regards, Hussam Al-Tayeb
On Wed, 2008-04-16 at 18:38 +0200, Tino Reichardt wrote:
Hello list,
clamav should be updated.
I filed a bug with the two CVE links for the two security issues fixed by clamav 0.93 here http://bugs.archlinux.org/task/10214
* Tino Reichardt <list-arch@mcmilk.de> wrote:
Hello list,
clamav should be updated.
Why does the update of clamav take so long ? Should I build a new package ? -- regards, TR
* pyther <pyther@pyther.net> wrote:
* Tino Reichardt <list-arch@mcmilk.de> wrote:
Hello list,
clamav should be updated.
Why does the update of clamav take so long ?
Should I build a new package ?
-- regards, TR
Because the developers have a life, if you need a new package use abs and compile it.
If they don't have the time to be a maintainer for some package, they shouldn't be the maintainer of it! My time is also short and that's the reason why I am no trusted user or the maintainer of packages like clamav. -- regards, TR
On Sun 2008-05-04 12:47 , Tino Reichardt wrote:
* pyther <pyther@pyther.net> wrote:
* Tino Reichardt <list-arch@mcmilk.de> wrote:
Hello list,
clamav should be updated.
Why does the update of clamav take so long ?
Should I build a new package ?
Because the developers have a life, if you need a new package use abs and compile it.
If they don't have the time to be a maintainer for some package, they shouldn't be the maintainer of it!
My time is also short and thats the reason why I am no trusted user or the maintainer of packages like clamav.
Being a security update it should be somewhat "high priority", if the maintainer didn't update it yet is because he simply doesn't have the time to do so (and test it). Your whining is not helping anyone; bear in mind that the number of devs/TUs is limited and they have to manage a huge number of packages. If you want to help some way, you could update the package, test it and send the sources (PKGBUILD and other stuff) to the maintainer or maybe even in this mailing list. tl;dr : STFU.
-- Alessio (molok) Bolognino
Please send personal email to themolok@gmail.com
Public Key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFE0270FB
GPG Key ID = 1024D / FE0270FB 2007-04-11
Key Fingerprint = 9AF8 9011 F271 450D 59CF 2D7D 96C9 8F2A FE02 70FB
On Sun, May 04, 2008 at 01:05:31PM +0200, Alessio Bolognino wrote:
If you want to help someway, you could update the package, test it and send the sources (PKGBUILD and other stuff) to the maintainer or maybe even in this mailing list.
Here is my PKGBUILD for 0.93. I have tested it on two servers. clamav restart must be done with caution cause sometimes the old incremental daily content isn't recognized, so a freshclam must be done. So restart or stop/start twice worked for me. Regards Gerhard -- OOP? We used to program the bugs ourselves, today they are inherited.
when i try to use your PKGBUILD, i got this error
/bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I./nsis -I./lzma -march=i686 -mtune=generic -O2 -pipe -MT regerror.lo -MD -MP -MF .deps/regerror.Tpo -c -o regerror.lo `test -f 'regex/regerror.c' || echo './'`regex/regerror.c
gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I./nsis -I./lzma -march=i686 -mtune=generic -O2 -pipe -MT regerror.lo -MD -MP -MF .deps/regerror.Tpo -c regex/regerror.c -fPIC -DPIC -o .libs/regerror.o
gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I./nsis -I./lzma -march=i686 -mtune=generic -O2 -pipe -MT regerror.lo -MD -MP -MF .deps/regerror.Tpo -c regex/regerror.c -o regerror.o >/dev/null 2>&1
mv -f .deps/regerror.Tpo .deps/regerror.Plo
mv: cannot overwrite non-directory `.deps/regerror.Plo' with directory `.deps/regerror.Tpo'
make[3]: *** [regerror.lo] Error 1
make[3]: Leaving directory `/home/solstice/abs/clamav/src/clamav-0.93/libclamav'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/solstice/abs/clamav/src/clamav-0.93/libclamav'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/solstice/abs/clamav/src/clamav-0.93'
make: *** [all] Error 2
==> ERROR: Build Failed. Aborting...
On Sun, May 04, 2008 at 03:14:24PM +0200, solsTiCe d'Hiver wrote:
when i try to use your PKGBUILD, i got this error
Sorry, but the attached PKGBUILD is only a replacement for the one in the complete clamav makepkg-tarball. Get the complete clamav directory from abs (/var/abs/extra/clamav/) and replace the PKGBUILD there with mine.
Or do simply change:
pkgver=0.92
to
pkgver=0.93
in current PKGBUILD (yes, that's all)
do a:
makepkg -g >> PKGBUILD
and then a:
makepkg
Sorry for confusing the world ;-)
Yes: a simple needed change and a rebuild could be sooo strong ;-) Maybe we have a Dev with 10 minutes time for changing and rebuilding...
Gerhard -- DSSP - Germany seeks the Super Pope. Casting with Fliege
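The version bump described in the message above, as an added example that is not part of the original thread: unlike `makepkg -g >> PKGBUILD`, it rewrites the checksum line instead of appending a second one, and it refuses to bump unless the tarball matches a digest obtained separately from upstream. The function names, the single-line `sha256sums=` layout and the sample files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): bump pkgver only after the source
# tarball matches a digest obtained independently of the download.
# Assumptions: the PKGBUILD keeps its checksum on a single "sha256sums=(...)"
# line; bump_pkgbuild, make_sample and all sample data are constructed here.

bump_pkgbuild() {
    local pkgbuild newver tarball expected actual tmp
    pkgbuild=$1; newver=$2; tarball=$3; expected=$4
    [ -r "$pkgbuild" ] && [ -r "$tarball" ] || return 2
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "refusing to bump: $tarball hashes to $actual" >&2
        return 1
    fi
    tmp=$(mktemp) || return 2
    # Rewrite the existing lines rather than appending: an appended second
    # checksum array would override the first when the PKGBUILD is sourced.
    sed -e "s/^pkgver=.*/pkgver=$newver/" \
        -e "s/^pkgrel=.*/pkgrel=1/" \
        -e "s/^sha256sums=.*/sha256sums=('$actual')/" "$pkgbuild" > "$tmp" || return 2
    cat "$tmp" > "$pkgbuild" && rm -f "$tmp"
}

# Build a throwaway directory with a constructed PKGBUILD and a stand-in
# tarball; prints the directory path.
make_sample() {
    local dir
    dir=$(mktemp -d) || return 2
    printf 'constructed stand-in for the 0.93 source tarball\n' \
        > "$dir/clamav-0.93.tar.gz"
    printf '%s\n' 'pkgname=clamav' 'pkgver=0.92' 'pkgrel=3' \
        "sha256sums=('0000')" > "$dir/PKGBUILD"
    echo "$dir"
}

# Demo on the constructed sample. In real use the expected digest comes from
# upstream's release announcement, not from hashing the downloaded file.
d=$(make_sample)
good=$(sha256sum "$d/clamav-0.93.tar.gz" | cut -d' ' -f1)
bump_pkgbuild "$d/PKGBUILD" 0.93 "$d/clamav-0.93.tar.gz" "$good" && cat "$d/PKGBUILD"
rm -rf "$d"
```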
Hello, as attachment the **complete** clamav dir 0.93 for makepkg. Tested on i686 Gerhard -- Federal trojan - we are the good guys! Only genuine with 52 constitutional violations!
Hello, as attachment the **complete** clamav dir 0.93 for makepkg. Tested on i686 //Edit: forgot the attachment, grrr ;-) Gerhard -- Federal trojan - we are the good guys! Only genuine with 52 constitutional violations!
* Alessio Bolognino <themolok.ml@gmail.com> wrote:
On Sun 2008-05-04 12:47 , Tino Reichardt wrote:
* pyther <pyther@pyther.net> wrote:
* Tino Reichardt <list-arch@mcmilk.de> wrote:
Hello list,
clamav should be updated.
Why does the update of clamav take so long ?
Should I build a new package ?
Because the developers have a life, if you need a new package use abs and compile it.
If they don't have the time to be a maintainer for some package, they shouldn't be the maintainer of it!
My time is also short and thats the reason why I am no trusted user or the maintainer of packages like clamav.
Being a security update it should be somewhat "high priority", if the maintainer didn't update it yet is because he simply don't have the time to do so (and test it).
This exactly is the point! Versions before 0.92 are vulnerable, that should be fixed, as soon as possible.
Your whining is not helping anyone; bear in mind that the number of devs/TUs is limited and they have to manage a huge number of packages. If you want to help someway, you could update the package, test it and send the sources (PKGBUILD and other stuff) to the maintainer or maybe even in this mailing list.
I did not whine! I build it myself clamav by just replacing the $pkgver on my private x86_64 box. I just wanted to call some attention. But Arch Linux is known to be very up to date on nearly all packages. Why not on that security related issue ? When clamav 0.94 is released, where should I upload the new PKGBUILD including the binaries for x86_64 and i686 ? Sorry for my English, it isn't the best :) -- regards, TR
On Sunday, 4 May 2008 12:47 Tino Reichardt wrote:
If they don't have the time to be a maintainer for some package, they shouldn't be the maintainer of it!
For me this is definitely too hard. And unfair because archlinux is a distribution (as a lot of other too) which is managed by private individual for private individual. The devs of archlinux gives us with abs a perfect and easy understandable way to make in the most cases updates at the time we wants it. Irony on: That is why other distros with another package management needs fulltime maintaining.-) And to the argument of that clamav is a "security update": This is only relevant for servers which have windows clients and in this case, sorry, this is at first the job of the admin of the server and "oops" this be you and not the maintainer of a package. See you, Attila
* Attila <attila@invalid.invalid> wrote:
On Sunday, 4 May 2008 12:47 Tino Reichardt wrote:
If they don't have the time to be a maintainer for some package, they shouldn't be the maintainer of it!
For me this is definitely too hard. And unfair because archlinux is a distribution (as a lot of other too) which is managed by private individual for private individual.
The devs of archlinux gives us with abs a perfect and easy understandable way to make in the most cases updates at the time we wants it. Irony on: That is why other distros with another package magagment needs fulltime maintaining.-)
And to the argument of that clamav is a "security update": This is only relevant for servers which have windows clients and in this case, sorry, this is at first the job of the admin of the server and "opps" this be you and not the maintainer of a package.
It isn't too hard. It's just the plain truth. If the maintainer hasn't the time, he should give the package to someone else, which has the time. PS: I am not an admin of some important server which needs an update ;) -- regards, TR
* Attila <attila@invalid.invalid> wrote:
On Sunday, 4 May 2008 12:47 Tino Reichardt wrote:
If they don't have the time to be a maintainer for some package, they shouldn't be the maintainer of it!
For me this is definitely too hard. And unfair because archlinux is a distribution (as a lot of other too) which is managed by private individual for private individual.
The devs of archlinux gives us with abs a perfect and easy understandable way to make in the most cases updates at the time we wants it. Irony on: That is why other distros with another package magagment needs fulltime maintaining.-)
And to the argument of that clamav is a "security update": This is only relevant for servers which have windows clients and in this case, sorry, this is at first the job of the admin of the server and "opps" this be you and not the maintainer of a package.
It isn't to hard. Its just the plain truth.
If the maintainer hasn't the time, he should give the package to someone else, which has the time.
PS: I am not an admin of some important server which needs an update ;)
-- regards, TR
What if there are no other devs/maintainer? Maintainers have to be trusted, have to prove that they know what they're doing etc... I wouldn't want some random person from the community becoming a maintainer for a package or two, because you don't know what he or she knows. I wouldn't want to install a pkg that wipes out my whole /usr dir by mistake. Also if security is a big concern arch isn't probably the best distro to be using.
On Sun, 04 May 2008 16:10:31 -0700, pyther <pyther@pyther.net> wrote:
* Attila <attila@invalid.invalid> wrote:
On Sunday, 4 May 2008 12:47 Tino Reichardt wrote:
If they don't have the time to be a maintainer for some package, they shouldn't be the maintainer of it!
For me this is definitely too hard. And unfair because archlinux is a distribution (as a lot of other too) which is managed by private individual for private individual.
The devs of archlinux gives us with abs a perfect and easy understandable way to make in the most cases updates at the time we wants it. Irony on: That is why other distros with another package magagment needs fulltime maintaining.-)
And to the argument of that clamav is a "security update": This is only relevant for servers which have windows clients and in this case, sorry, this is at first the job of the admin of the server and "opps" this be you and not the maintainer of a package.
It isn't to hard. Its just the plain truth.
If the maintainer hasn't the time, he should give the package to someone else, which has the time.
PS: I am not an admin of some important server which needs an update ;)
-- regards, TR
What if there are no other devs/maintainer? Maintainers have to be trusted, have to prove that they know what their doing etc...
I wouldn't want someone random person from the community becoming a maintainer for a package or two, because you don't know what he or she knows. I wouldn't want to install a pkg that wipes out my whole /usr dir by mistake.
Also if security is a big concern arch isn't probably the best distro to be using.
This is my criticism in the Archlinux Leadership. I think there must be some changes, I will not shoot Aaron, I mean Aaron needs some help in form from a Lead Engineer for "community/AUR" and for "development" how can organize this. Many User like to help but can't because the developer sitting like a chicken on his eggs (packages), with no response. Now I will spam this topic here, http://bbs.archlinux.org/viewtopic.php?id=48092
On Monday, 5 May 2008 02:26 Uwe Vogt wrote:
This is my criticism in the Archlinux Leadership. I think there must some changes, I will not shot Aaron, I mean Aaron needs some help in form from a Lead Engineer for "community/AUR" and for "development" how can organize this. Many User like to help but can't because the developer sitting like a chicken on his eggs (packages), with no response. Now I will spam this topic here, http://bbs.archlinux.org/viewtopic.php?id=48092
There is one little but for myself important point in your topic. You say that "Users like to use it and not to build it." but abs and the very much understandable PKGBUILD's of archlinux be a plus. I'm not a dev but at first i don't think that archlinux has the resources to be Ubuntu2 and at second i'm very happy with this that i don't have to make a second study to understand how i can make my own update (or package) in comparison to a deb or rpm based distro. The devs gives all to give us users in the most time the possibility to use archlinux only but i don't think that archlinux is a distro for users who have fear before using abs/makepkg because you will never experience one of the greatest things in archlinux. See you, Attila
On Sunday, 4 May 2008 22:28 Tino Reichardt wrote:
It isn't to hard. Its just the plain truth.
If the maintainer hasn't the time, he should give the package to someone else, which has the time.
Okay, if you reduce this only to "maintaining" then it could be true but i suggest to think this to the end and this means for me that every distro without a company in the backhand can't ensure fulltime maintaining. Sorry to say, but if you want a guarantee then you have to buy it. But perhaps i can't recognize the problem because i don't think that clamav is so a important package for archlinux. For me there be more ways than only to asking for an package update. Another option could be to make this update, runs it and send the maintainer an email about the result. At this point it ends for the user and the devs itselfs have to look if there is a problem with maintaining or not.
PS: I am not an admin of some important server which needs an update ;)
Everybody of us here has root account and so at the end we all be admins.-) See you, Attila
* Attila <attila@invalid.invalid> wrote:
On Sunday, 4 May 2008 22:28 Tino Reichardt wrote:
It isn't to hard. Its just the plain truth.
If the maintainer hasn't the time, he should give the package to someone else, which has the time.
Okay, if you reduce this only to "maintaining" than it could be true but i suggest to think this to the end and this means for me that every distro without a company in the backhand can't ensure fulltime maintaining.
Sorry to say, but if you want a guarantee than you have to buy it. But perhaps i can't recognize the problem because i don't think that clamav is so a important package for archlinux.
For me there be more ways than only to asking for an package update. Another option could be to make this update, runs it and send the maintainer an email
I asked that: "Should I build a new package ?"
about the result. At this point it ends for the user and the devs itselfs have to look if there is a problem with maintaining or not.
PS: I am not an admin of some important server which needs an update ;)
Everybody of us here has root acount and so at the end we all be admins.-)
Admin of an important server != admin of some private notebook ;) -- regards, TR
On Monday, 5 May 2008 08:12 Tino Reichardt wrote:
I asked that: "Should I build a new package ?"
Sorry, i overread this.
Admin of an important server != admin of some private notebook ;)
I want only to show that at the end everybody is an admin but okay i stop joking.-) See you, Attila
* Attila <attila@invalid.invalid> wrote:
On Monday, 5 May 2008 08:12 Tino Reichardt wrote:
Admin of an important server != admin of some private notebook ;)
I want only to show that at the end everybody is an admin but okay i stop joking.-)
Okay, I am sorry too. I thought you meant this seriously. -- regards, TR
participants (8)
- Alessio Bolognino
- Attila
- Gerhard Brauer
- Hussam Al-Tayeb
- pyther
- solsTiCe d'Hiver
- Tino Reichardt
- Uwe Vogt