Bug 396171 - Review Request: clamav - Anti-virus software (for EPEL)
Summary: Review Request: clamav - Anti-virus software (for EPEL)
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-11-23 00:02 UTC by Kevin Fenzi
Modified: 2007-12-17 20:20 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-12-17 20:20:22 UTC
Type: ---

Attachments (Terms of Use)

Description Kevin Fenzi 2007-11-23 00:02:23 UTC
Spec URL: http://www.scrye.com/~kevin/fedora/clamav/clamav.spec
SRPM URL: http://www.scrye.com/~kevin/fedora/clamav/clamav-0.91.2-2.el5.src.rpm
Description: Anti-virus software


clamav was branched for EPEL long ago. The fedora maintainer (no anyone else) has expressed interest in maintaining this package in EPEL. I am happy to do so, but
I wish to use the above spec instead of the version in fedora. 


- The above spec is pretty much the spec from the Dag collection. Thanks Dag for letting me base off your spec file!

- The fedora clamav packages remove the 'clamav' user on 'postun', which means on upgrades from the old fedora version in epel, the clamav user is missing. 
Any clever ideas to get around that welcomed. Perhaps this package should just 
conflict with the old package instead of obsolete it?

- I would love to see several co-maintainers. This package has a history of security issues, and with more eyes on it we could make sure and keep up with updates. 

- There are some rpmlint complaints, but I think they can all be ignored, please point out any that should be addressed.

Comment 1 Kevin Fenzi 2007-11-23 18:51:15 UTC
Updated the package. I realized a way around the problem with upgrades from the
older version was to simply use a different user/group, so the old package
wouldn't remove it on postun. With that change, the package now can successfully
upgrade from the old ancient version. 

Testing and comments welcome. 

Spec URL: http://www.scrye.com/~kevin/fedora/clamav/clamav.spec
SRPM URL: http://www.scrye.com/~kevin/fedora/clamav/clamav-0.91.2-3.el5.src.rpm

Comment 2 Steven Pritchard 2007-12-11 02:46:31 UTC
I want to go on the record (again) that I think it is a *horrible* idea to have
different versions of clamav in EPEL and Fedora proper.

I honestly don't care all that much if we use the Fedora one in EPEL, use this
one in Fedora proper, or start over at this point, but we need to pick one.

Comment 3 Kevin Fenzi 2007-12-11 17:39:08 UTC
Yeah, I just looked at the amavisd-new spec. ;( 
It's heavily tied to the wacky way the fedora clamav is setup... (understandably). 

I guess my plan to have a sane clamav package for epel is pretty doomed. 
:( Would you be willing to let someone else maintain a amavisd-new package
working with this clamav version for epel? 

I guess if not, we should try (again) to find a group of people willing to
maintain the fedora clamav for epel. ;( 

Comment 4 Robert Scheck 2007-12-11 19:33:55 UTC
Just to mention it: At work, I'm using a rebuild of the Fedora Rawhide version
from clamav and it works - on RHEL5 and RHEL4 (okay, on RHEL4 I had to do some
small modifications to the spec).

Comment 5 Kevin Fenzi 2007-12-16 18:31:08 UTC
So, would anyone here be willing to step up and maintain the fedora clamav for

Comment 6 Robert Scheck 2007-12-16 18:52:21 UTC
I could imagine to do that, if it's necessary, yes. But then the upgrade path
has to be solved first, AFAIK the current clamav version in EPEL is not compatible
with the latest one. And I've to mention again, that clamav upstream is IMHO very
evil, means they're introducing updates which can break compatibility. And how to 
handle them within EPEL once more? At work this is so far no problem, because all
machines are maintained at least a bit by me.

Comment 7 Robert Scheck 2007-12-16 18:53:15 UTC
Kevin, what is the reason, that you're maybe switching to Fedora clamav rather
using the original package based on DAG you prepared for EPEL review?

Comment 8 Kevin Fenzi 2007-12-16 19:26:23 UTC
Well, the current amavisd-new package is very heavily tied to the way the fedora
clamav package is setup, and the maintainer (justly) doesn't want to try and
maintain two very different packages, one for fedora, one for epel. 

I guess if someone was willing to step up and maintain a amavisd-new spec that
works with this clamav that might work. Would that be acceptable to you Steve?

Otherwise, as much as I dislike the fedora clamav package, the easier course
seems to be to try and find someone willing to maintain it for epel and close
this version off. 

As for upgrades: 

- Anyone using the 0.88.4 version for epel already pretty much has a broken
setup. It's vulnerable to a number of security issues, and it doesn't even catch
many of the viruses anymore, since the functionality level is so old: 
WARNING: Current functionality level = 8, recommended = 21
I personally don't know anyone who uses this version. All the machines I
maintain use the dag version. Other folks I have talked to also use other 3rd
party repo versions. 

- There is a script available to convert old format conf files to new format. It
could be run in a post. 

- Sadly, the way the fedora package works means upgrading will get you back to
the same state as if you just installed the package, where it will not work
until you edit some config files. I don't see that as worse than having a
vulnerable/old/useless version however. Worst case, the package doesn't scan,
which is only slightly worse than running the 0.88.x version. 

Yes, the package would need to be updated a lot as upstream changes things. 
Sadly, thats just the way it would need to be IMHO. The config file format only
has changed once that I know of. 

Comment 9 Steven Pritchard 2007-12-17 16:46:30 UTC
(In reply to comment #5)
> So, would anyone here be willing to step up and maintain the fedora clamav for
> epel? 

I said before (on the mailing list) that I will.  (I'm not at all pleased by it,
but I'll do it.  :-)

Comment 10 Kevin Fenzi 2007-12-17 20:20:22 UTC
ok. Perhaps you can get a few more people interested co-maintaining as well?

In that case can you take over ownership in pkgdb
and push 0.91.2 versions for both EL4 and EL5? 

Note You need to log in before you can comment on or make changes to this bug.