On 05/03/2017 at 13:51, Joel Esler (jesler) wrote:
> The question here is, do we strive to make a package that is installable on
> more machines, (even ones that are going EOL?), or do we strive to make a
> package that is the best for security?
>
> If the package maintainers are doing a good job, ClamAV with a higher
> dependency would install the higher pcre. The user would be fine.
>
> The problem with my grand theory is, package maintainers are incredibly slow,
> largely, and most people would have to install from source.
>
> We have tens of thousands of new users every month, so it's definitely
> something we'll have to think about.
>
> I am still interested in people's feedback, as right now, this thread seems
> to be about 50/50 (in requiring pcre 7)

IMHO, there is no reason to choose radically between one option or another.

I think you could, for example, separate the signatures requiring specific versions (pcre in this case) into different signature file/s that only load if you have that version or greater (make a test in libclamav before loading); otherwise, show a warning in the log that you are using fewer signatures because of the older pcre.

Another option would be to include a "static" internal version of pcre in ClamAV. Although I like this option much less...

Regards,
Carlos Velasco
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
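
A sketch of the version gate proposed in the message above, as an added example that is not ClamAV code and not part of the original post: each gated signature file carries a minimum PCRE version, and a file is skipped with a logged warning when the runtime library is older. The struct, function names, file names and version floors are all hypothetical; the version string is assumed to have the "major.minor date" form that `pcre_version()` returns.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed example: a signature file and the minimum PCRE it needs. */
struct gated_sigfile { const char *name; int min_major, min_minor; };

/* Constructed sample set; names and version floors are illustrative. */
static const struct gated_sigfile SAMPLE_FILES[] = {
    { "extra-pcre7.sigs",    7, 0  },
    { "extra-pcre8_10.sigs", 8, 10 },
};

/* 1 if the runtime version string (the "major.minor date" form that
 * pcre_version() returns, e.g. "8.39 2016-06-14") meets the file's floor.
 * A missing or unparsable version is treated as too old. */
int sigfile_allowed(const struct gated_sigfile *f, const char *runtime)
{
    int major, minor;
    if (runtime == NULL || sscanf(runtime, "%d.%d", &major, &minor) != 2)
        return 0;
    if (major < 0 || minor < 0)
        return 0;
    if (major != f->min_major)
        return major > f->min_major;
    return minor >= f->min_minor;
}

/* Count the files that would load, logging a warning for each one skipped. */
int count_loadable(const struct gated_sigfile *files, size_t n, const char *runtime)
{
    int loaded = 0;
    for (size_t i = 0; i < n; i++) {
        if (sigfile_allowed(&files[i], runtime)) {
            loaded++;
            continue;
        }
        fprintf(stderr, "WARNING: skipping %s (needs PCRE >= %d.%d, have %s)\n",
                files[i].name, files[i].min_major, files[i].min_minor,
                runtime ? runtime : "unknown");
    }
    return loaded;
}

int main(void)
{
    /* Constructed input; a real build would pass pcre_version() here. */
    printf("%d gated file(s) loaded\n", count_loadable(SAMPLE_FILES, 2, "7.9 2009-04-11"));
    return 0;
}
```

The warning per skipped file is what lets an operator see from the log that detection coverage is reduced on that host, rather than discovering it from a missed sample.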