On Tue, Jul 3, 2018 at 9:28 AM, Paul Kosinski <clamav-users@iment.com> wrote:

The way Linux updates are done in practice is significantly different
from ClamAV virus signature updates.

With ClamAV, freshclam is automatically run periodically, sees (by
some low-cost means) that a new file version is *supposed* to be
available and tries to download it. If either it can't, or worse yet,
it's the wrong one, it tries the next mirror. This all takes time and
bandwidth.

With Linux updates, I explicitly ask (via aptitude) what new updates
are available: It takes some time to retrieve the list. Then I select
the ones I want and ask to install them. I have *never*, *ever* seen
this mechanism deliver the wrong version and thus fail to install it.

​You obviously haven't tried very hard, then.  :)  Or you don't run a local repo mirror, at least.

We've run into issues with our local Debian repo mirror.  Usually, it's that we're asking to install an old version of something and it's no longer available on the mirror (ie forgot to run "aptitude update" first).  Or the mirror ran out of disk space, so it didn't actually download the new packages, but the index files were correctly downloaded/loaded.  Thus, running "aptitude update" works, but it can't find any of the new files to download/install.  Or, the Debian project decided to change how things work in the repo, and that change didn't get propagated to our repo, so aptitude just stops working on all our servers (the localisation changes for Jessie were the latest niggle​ to trip us up).  Or, or, or.

The Linux updating method (at least as used in Debian) is not bulletproof.  No update method every is.

This is due to the fact that the same Debian mirror machine provides
the new versions of a group of files as provides the list of new
versions. Thus there is an almost zero chance of a race condition
(unless some idiot adds a version to the list before uploading the
actual deb file). Even if set to auto update, I think the *lists*
always come from the same servers as the files.

It's not a matter of using DNS TXT records, it's a matter of sourcing
them on a *different* computer than the actual files. This separation
virtually begs for synchronization problems.

​Or, it's a matter of everyone getting in a tizzy over something that's really minor in the grand scheme of things.  They've migrated to a new CDN.  There's going to be teething pains with any new infrastructure.  Instead of trying to "rip-a-new-one" in the devs and demanding everything be redone from scratch, how about we wait a bit while they work out the bugs in the new setup.

Are updates completely broken right now?  No.  Are there occasional hiccups?  Sure.  Are things getting better?  Yeah, they are.  Are they perfect?  Not yet.  Should they scrap everything and start over?  Hell no.

Freddie Cash
fjwcash@gmail.com