Edwin: I've been around the 'net quite some time (1983), please excuse me if I'm expecting too much.
I think releasing the clamav item before there were bzip2 libraries out there to compile against for major distros (Fedora Core 13, RHEL4 and RHEL5 are not small install bases), and many if not most run the RPM builds (not tar.gz compiles) in a business setting for control in a large environment, was probably not a great idea - though I understand you can't control the distro vendors, I do know you can work with them on security issues; it's done by other vendors all the time and they can get RPMs out quickly in cases like this. For example, the bzip2 RPMs for Red Hat came out about 4:30pm (you released 0.96.3 at 17:09 CEST, about 11am Chicago time USA), leaving a lot of folks wondering what to do about bzip2 RPMs on the day you released clamav... if you had waited even 6 hours or so, or contacted Red Hat, a lot of pain would have been avoided (similar story for other vendors; I'm sure they all have security areas and contacts and most are pretty eager to assist). And as far as upgrade notes on the web site, there's nothing out there at all about upgrading/updating bzip2 components... I just looked; it says under 0.96.3 Upgrade Notes "Known Issues and Workarounds - None yet."

Guys, I'm not trying to pick a fight here, but this isn't the first time a release of clamav has gone a little sideways in the last 12 months or so... and I realize that there is a free vs. commercial product provided by Sourcefire. We would be happy to go with the latter, but it's not available for the platform we're on, and we were told that if you are willing to help out by running a test build platform on the OS you need it to run on, things will go smoother after the last set of issues that occurred, so we have been. Yet here we are again, with the last 2 releases having issues either with the JIT compiler/llvm or now this type of thing (bzip2 libraries, etc). I'll admit our info security folks are picky, but we have to live with that here.
We're not running a home based server here; this is a production environment that serves near to over 1 million emails a day, and clamav is running in the core of that process as well as on near 50 other linux hosts to scan for virus issues on a routine basis. What can we on a system admin end do to help this process in the future? Because frankly I'm at a loss; I'm not (and have no desire to be) a programmer hacking code. In any case it's a past event and something to keep in mind next time, probably.

Thanks for the fish,

George

_______________________________________
George R. Kasica | Systems Analyst – Technical Services | Mortgage Guaranty Insurance Corporation
270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA
1.414.347.6491 (work) | 1.414.732.8503 (cell) | 1.888.601.4440 or 1.414.347.2601 (fax)
george_kas...@mgic.com or kasica_pa...@mgic.com

Please consider the environment before printing this email. This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.

From: Török Edwin <edwinto...@gmail.com>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: george_kas...@mgic.com
Date: 09/22/2010 11:23
Subject: Re: [Clamav-users] What ever happened to the Release Candidate for 0.96.3??
Sent by: clamav-users-boun...@lists.clamav.net

On Wed, 22 Sep 2010 10:14:57 -0500 George Kasica <george_kas...@mgic.com> wrote:
> Tomaz:
>
> Typical issues as in the past... first no clue it was coming out (no
> release candidate, no announcement)... it just appeared, no idea it
> would have issues with bzip2

There is a problem with security updates and release candidates (or announcements):
- we can release only after the vulnerability is disclosed (in case of 3rd-party libraries)
- we were watching upstream bzip2 to release, and released soon after that; we didn't have a reliable release date in advance
- we could have told you that we are preparing a new version to fix the bzip2 vulnerability, but we couldn't release an RC with the bzip2 fix included (since that would've disclosed the vulnerability prior to upstream having a fix)
- even if we were able to provide an RC, it would have told you that your bzip2 is buggy and you need to upgrade. That would have caused even more confusion, since there was no new upstream bzip2 version with the fix.

Considering all this, do you think it would be useful to provide advance warning about a new security fix release in the future?

Best regards,
--Edwin

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml