Scott K, I 100% agree. ClamAV hasn’t been following dev, testing, or security-release best practices in a number of ways and as you just pointed out - it shows.
The team and I are making a real effort to get things like this up to snuff. Fixing this exact process is my top priority right now. For the past couple of weeks, we’ve been talking about the best way to modify how we work with our public and private Git repositories, and for the past few months we’ve been working on strategies to improve our testing and release processes as a whole.

For those who work with the ClamAV code, I’m going to post an announcement in a couple days to the clamav-devel mailing list describing our new Git work-flow.

I appreciate feedback on issues such as this, and welcome any help brainstorming other ways in which we can improve the project.

Micah Snyder
Software Engineer
Talos
Cisco Systems, Inc.

On Jan 26, 2018, at 5:34 PM, Scott Kitterman <deb...@kitterman.com> wrote:

Historically, fixes for such issues would have not been part of a pre-release. They would have been added to the public VCS on release day. You may not have been able to announce the CVEs for some reason, but I don't think silently disclosing the fixes was the best thing to have done.

Scott K

On January 26, 2018 9:55:49 PM UTC, "Joel Esler (jesler)" <jes...@cisco.com> wrote:

There are outside issues that prevented us from announcing the CVEs at that time. It's not because we were trying to hide something.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Jan 26, 2018, at 2:39 PM, Andreas Schulze <andreas.schu...@datev.de> wrote:

On 26.01.2018 at 16:06, Tobi wrote:

As far as I understand the release notes of 99.3, it's a security fix which has nothing to do with the former 99.3 beta. The former beta now is 0.100 (http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html).
So at least for me it makes sense that you have to remove the beta first to apply the fixed 99.3 version.

I compared 0.99.2 and 0.99.3 and found most of the diffs to be present in 0.99.3beta2 now, as the links to bugzilla.clamav.net are public, we see, the issues were known to the developers since October/November 2017!

They published these changes silently as part of "beta2". They discussed CVE at this time! This is *not* amazing.

Andreas

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml