[clamav-users] We STILL cannot reliably get virus updates (since new mirrors)

Freddie Cash fjwcash at gmail.com
Tue Jul 3 12:40:18 EDT 2018

On Tue, Jul 3, 2018 at 9:28 AM, Paul Kosinski <clamav-users at iment.com>

> The way Linux updates are done in practice is significantly different
> from ClamAV virus signature updates.
> With ClamAV, freshclam is automatically run periodically, sees (by
> some low-cost means) that a new file version is *supposed* to be
> available and tries to download it. If either it can't, or worse yet,
> it's the wrong one, it tries the next mirror. This all takes time and
> bandwidth.
> With Linux updates, I explicitly ask (via aptitude) what new updates
> are available: It takes some time to retrieve the list. Then I select
> the ones I want and ask to install them. I have *never*, *ever* seen
> this mechanism deliver the wrong version and thus fail to install it.

You obviously haven't tried very hard, then.  :)  Or you don't run a local
repo mirror, at least.

We've run into issues with our local Debian repo mirror.  Usually, it's
that we're asking to install an old version of something and it's no longer
available on the mirror (i.e., forgot to run "aptitude update" first).  Or the
mirror ran out of disk space, so it didn't actually download the new
packages, but the index files were correctly downloaded/loaded.  Thus,
running "aptitude update" works, but it can't find any of the new files to
download/install.  Or, the Debian project decided to change how things work
in the repo, and that change didn't get propagated to our repo, so aptitude
just stops working on all our servers (the localisation changes for Jessie
were the latest niggle to trip us up).  Or, or, or.

The Linux updating method (at least as used in Debian) is not bulletproof.
No update method ever is.

> This is due to the fact that the same Debian mirror machine provides
> the new versions of a group of files as provides the list of new
> versions. Thus there is an almost zero chance of a race condition
> (unless some idiot adds a version to the list before uploading the
> actual deb file). Even if set to auto update, I think the *lists*
> always come from the same servers as the files.
> It's not a matter of using DNS TXT records, it's a matter of sourcing
> them on a *different* computer than the actual files. This separation
> virtually begs for synchronization problems.

Or, it's a matter of everyone getting in a tizzy over something that's
really minor in the grand scheme of things.  They've migrated to a new
CDN.  There's going to be teething pains with any new infrastructure.
Instead of trying to "rip-a-new-one" in the devs and demanding everything
be redone from scratch, how about we wait a bit while they work out the
bugs in the new setup.

Are updates completely broken right now?  No.  Are there occasional
hiccups?  Sure.  Are things getting better?  Yeah, they are.  Are they
perfect?  Not yet.  Should they scrap everything and start over?  Hell no.

Freddie Cash
fjwcash at gmail.com