Red Hat Bugzilla – Bug 1018316
Clamav should not require a specific clamav-db version
Last modified: 2018-01-09 19:49:51 EST
Description of problem:
It could be possible to update clamav without updating clamav-db.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. yum update clamav
yum adds clamav-db-0.98 as a dependancy.
clamav should require clamav-db without explicit version
Please see the following thread:
This is wrong solution for the problem. Correct solution is to not to carry db in package at all. The clamav-db should only carry %ghost files for db files because even the latest version of the antivirus db is obsolete when it is installed so frehslcam is always needed anyway to get working db.
Not carrying any clamav-db does not help in cases at offline live media, as
there might not be any Internet connectivity at all. So even older db files
are in such a case better than nothing. This was raised in the past - I am
also open to other ideas and argumentations. We could also ship a clamav-db-
empty (like Fedora did somewhen in the past) which provides clamav-db also,
but does not contain any outdated files just %ghosts.
Moreover, it is perfectly fine running clamav without the original database (and disable freshclam).
Another option towards an empty clamav-db could add a "fake" db containing only the EICAR test file.
> Expected results:
> clamav should require clamav-db without explicit version
I know this isn't the best solution, still, it's better then downloading 100MB of useless database each time we need to update Clamav.
This is true especially in countries with low bandwidth connections.
>Another option towards an empty clamav-db could add a "fake" db containing only
> the EICAR test file.
If we need to retain the constrain on clamav-db, IMHO this is a simple and elegant solution.