On Wednesday, January 31, 2018 12:52:35 PM Klaus Keppler wrote: > Hi, > > is there a special reason why the updates are not published through the > "security" repositories of Debian Stretch/Jessie? > > - on Debian 7, the update is in "wheezy" (via security) > - on Debian 8, the update is in "jessie-updates" > - on Debian 9, the update is in "stretch-updates" > > With regard of the severity of the bug, I can't understand this release > strategy. Or am I just too impatient? > > Many "sources.list" files do not contain the "-updates" repository, for > example unmodified Xen instances created with "xen-create-image". > > So I suggest to push this update also into debian-security. > > Thanks for your efforts & best regards
The reason is that typically clamav updates include much more than just security fixes (as far as I can recall in roughly a decade of clamav maintenance this is the first time it's happened), so are not considered suitable for the security repository. We believe that keeping clamav up to date so that, as a package that provides a security service, it is always kept as capable as possible is of overriding importance for clamav. Wheezy is done through 'security' because it's no longer supported by the Debian project, but by the Long Term Support team. The LTS team publishes ALL updates (security or not) via the security repository. For Debian supported releases, clamav will always go via updates. If you are just discovering this now, you've been missing out of clamav updates for a long time. Debian started publishing Stable Update Announcements in March, 2011. The very first clamav stable update announcement was published that same month[1]. These clamav updates virtually always include security relevant fixes. Scott K [1] https://lists.debian.org/debian-stable-announce/2011/03/msg00003.html
