[clamav-users] Daily 23161 broke Clam
Carlos Velasco
carlos.velasco at nimastelecom.com
Sun Mar 5 13:07:18 UTC 2017
On 05/03/2017 at 13:51, Joel Esler (jesler) wrote:
> The question here is, do we strive to make a package that is installable on more machines, (even ones that are going EOL?), or do we strive to make a package that is the best for security?
>
> If the package maintainers are doing a good job, ClamAV with a higher dependency would install the higher pcre. The user would be fine.
>
> The problem with my grand theory is, package maintainers are incredibly slow, largely, and most people would have to install from source.
>
> We have tens of thousands of new users every month, so it's definitely something we'll have to think about.
>
> I am still interested in people's feedback, as right now, this thread seems to be about 50/50 (in requiring pcre 7)
IMHO, there is no reason to choose radically between one option or another.
I think you could, for example, separate the signatures requiring specific versions (pcre in this case) into different signature file(s) that are only loaded if you have that version or greater (make a test in libclamav before loading); otherwise, show a warning in the log that you are using fewer signatures because of the older pcre.
Another option would be to include a "static" internal version of pcre in ClamAV. Although I like this option much less...
Regards,
Carlos Velasco