Mailing List Archive

Future support of clamav in EPEL7 and EPEL8
I'm one of the maintainers of the clamav package in Fedora and Fedora
EPEL. I believe that the EPEL packages are currently one of the primary
sources for users of clamav on RHEL based distributions.

We were recently asked about the future of support for clamav in EL7 in
particular[1] since https://docs.clamav.net/faq/faq-eol.html states that
the 0.103.X release series will go EOL on Sep-14 2023. This is prior to
the EOL date for EL7 of Jun-30 2024, and much before the EOL date for
EL8 of May 31, 2029. (See
https://access.redhat.com/support/policy/updates/errata)

This email is to start a discussion of what will happen with clamav
support in EPEL7 and EPEL8. In particular, to inform everyone that it
will be impossible to build clamav 1.X in EPEL7 and EPEL8 due to lack of
rust support. Fedora packaging policies prohibit the downloading of
files from the internet during builds, and the rust/rpm versions in
EL7/EL8 are too old to support the current Fedora rust ecosystem.

Perhaps this will not be an issue and people can simply start using the
RPMs provided by clamav upstream.

We might be able to provide a version of the Fedora EPEL clamav RPMs via
COPR[2], as COPR does not have the restrictions on internet downloads.
However, it won't have the "EPEL" appellation.

I am hopeful that we will be able to provide clamav 1.X in EPEL9.

[1] - https://bugzilla.redhat.com/show_bug.cgi?id=2170297#c3
[2] - https://copr.fedorainfracloud.org/
--
Orion Poplawski
he/him/his - surely the least important thing about me
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 https://www.nwra.com/
Re: Future support of clamav in EPEL7 and EPEL8
On February 18, 2023 10:40:55 PM UTC, Orion Poplawski via clamav-users <clamav-users@lists.clamav.net> wrote:
>I'm one of the maintainers of the clamav package in Fedora and Fedora EPEL. I believe that the EPEL packages are currently one of the primary sources for users of clamav on RHEL based distributions.
>
>We were recently asked about the future of support for clamav in EL7 in particular[1] since https://docs.clamav.net/faq/faq-eol.html states that the 0.103.X release series will go EOL on Sep-14 2023. This is prior to the EOL date for EL7 of Jun-30 2024, and much before the EOL date for EL8 of May 31, 2029. (See https://access.redhat.com/support/policy/updates/errata)
>
>This email is to start a discussion of what will happen with clamav support in EPEL7 and EPEL8. In particular, to inform everyone that it will be impossible to build clamav 1.X in EPEL7 and EPEL8 due to lack of rust support. Fedora packaging policies prohibit the downloading of files from the internet during builds, and the rust/rpm versions in EL7/EL8 are too old to support the current Fedora rust ecosystem.
>
>Perhaps this will not be an issue and people can simply start using the RPMs provided by clamav upstream.
>
>We might be able to provide a version of the Fedora EPEL clamav RPMs via COPR[2], as COPR does not have the restrictions on internet downloads. However, it won't have the "EPEL" appellation.
>
>I am hopeful that we will be able to provide clamav 1.X in EPEL9.
>
>[1] - https://bugzilla.redhat.com/show_bug.cgi?id=2170297#c3
>[2] - https://copr.fedorainfracloud.org/

Although I don't know precisely when mainline support for the current Debian stable release will end (it's a year after the next release, which will be when it's ready), we will have a similar situation for support for our current stable release (Bullseye).

The following release (Bookworm) has 1.0, so it should be okay for at least a while.

Is there any chance Cisco would consider an extension for the support period? If you could extend it to align to the EL7 end date that would really help us too.

Scott K
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: Future support of clamav in EPEL7 and EPEL8
On 2023-02-18 15:40:55, Orion Poplawski via clamav-users wrote:
>
> This email is to start a discussion of what will happen with clamav
> support in EPEL7 and EPEL8. In particular, to inform everyone that it
> will be impossible to build clamav 1.X in EPEL7 and EPEL8 due to lack of
> rust support. Fedora packaging policies prohibit the downloading of
> files from the internet during builds, and the rust/rpm versions in
> EL7/EL8 are too old to support the current Fedora rust ecosystem.

I'll be backporting security fixes for as long as that's less work
than removing clamav from our mail system (or until newer signatures
are incompatible with the old engine). Feel free to watch the Gentoo
tree and steal our patches.

Re: Future support of clamav in EPEL7 and EPEL8
On February 19, 2023 1:26:44 AM UTC, Michael Orlitzky via clamav-users <clamav-users@lists.clamav.net> wrote:
>On 2023-02-18 15:40:55, Orion Poplawski via clamav-users wrote:
>>
>> This email is to start a discussion of what will happen with clamav
>> support in EPEL7 and EPEL8. In particular, to inform everyone that it
>> will be impossible to build clamav 1.X in EPEL7 and EPEL8 due to lack of
>> rust support. Fedora packaging policies prohibit the downloading of
>> files from the internet during builds, and the rust/rpm versions in
>> EL7/EL8 are too old to support the current Fedora rust ecosystem.
>
>I'll be backporting security fixes for as long as that's less work
>than removing clamav from our mail system (or until newer signatures
>are incompatible with the old engine). Feel free to watch the Gentoo
>tree and steal our patches.

We'll do the same after 0.103 is no longer supported. It would be nice to get upstream support for a little while longer though.

Scott K

Re: Future support of clamav in EPEL7 and EPEL8
Hi Scott, Michael, Orion,

You make some good points. In particular as Linux/Unix distributions are still learning how to package Rust software.

We're starting the discussion within Cisco to consider this ask. We do not expect to extend ClamAV's LTS policy, but we will discuss the specific case of 0.103 LTS because of the added complications caused by the switch to a hybrid C/Rust project. We adopted the Rust toolchain within ClamAV and while a big step, it is one that we maintain is right for the project.

I'm certain there have been discussions along how to package/distribute Rust itself within each distro. I am a fan of the approach that OpenSUSE has taken: https://en.opensuse.org/Rust I hope that some of the other distributions adopt a similar strategy.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Scott Kitterman via clamav-users <clamav-users@lists.clamav.net>
Sent: Saturday, February 18, 2023 5:43 PM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Scott Kitterman <debian@kitterman.com>
Subject: Re: [clamav-users] Future support of clamav in EPEL7 and EPEL8



On February 19, 2023 1:26:44 AM UTC, Michael Orlitzky via clamav-users <clamav-users@lists.clamav.net> wrote:
>On 2023-02-18 15:40:55, Orion Poplawski via clamav-users wrote:
>>
>> This email is to start a discussion of what will happen with clamav
>> support in EPEL7 and EPEL8. In particular, to inform everyone that it
>> will be impossible to build clamav 1.X in EPEL7 and EPEL8 due to lack of
>> rust support. Fedora packaging policies prohibit the downloading of
>> files from the internet during builds, and the rust/rpm versions in
>> EL7/EL8 are too old to support the current Fedora rust ecosystem.
>
>I'll be backporting security fixes for as long as that's less work
>than removing clamav from our mail system (or until newer signatures
>are incompatible with the old engine). Feel free to watch the Gentoo
>tree and steal our patches.

We'll do the same after 0.103 is no longer supported. It would be nice to get upstream support for a little while longer though.

Scott K

Re: Future support of clamav in EPEL7 and EPEL8
On Thu, 2023-02-23 at 01:27 +0000, Micah Snyder (micasnyd) via clamav-users wrote:
> Hi Scott, Michael, Orion,
>
> You make some good points. In particular as Linux/Unix distributions
> are still learning how to package Rust software.
>

It's not a matter of knowing how to package rust. It's just another
compiled language. But it's new, and...

* Currently at the peak of its fad language phase.
* Unstable; has no specification, breaking changes in every release.
* Mainly used by people who want to write rust for the sake of 
writing rust, rather than for writing and maintaining programs 
that solve real problems.
* Comes with a NIH build system that only works with rust code.
* Has its own package manager that encourages you to pin specific
versions and bundle them into your package.
* Has its own code hosting platform that bypasses our supply-chain
security.
* Doesn't work on the platforms we support.

So: it's a matter of maturity. There's simply no way to package it
right now that meets the quality standards that we've set for ourselves
and for our users. It will be many years (if ever) before there's a
rust specification, and before the fad chasers have moved on and we're
left with people doing actual software engineering.

Or, it could never happen. I wrote a lot of things in Haskell, which
does everything rust does but better and did it decades earlier. Ask me
how that's going.

The problem isn't specific to rust. You only hear about it with rust
because a few high-profile projects (Firefox, ClamAV, librsvg, python
cryptography, etc.) have added bits of rust into their non-rust
codebases *after* becoming popular. Faced with the prospect of deleting
those packages and everything that depends on them, distros were
instead forced to compromise a few principles. But rust isn't really to
blame; the same problem would arise if you tried to add a few lines of
Zig code to a popular C++ package. Luckily with most other languages no
one has been crazy enough to do it [0].


> I'm certain there have been discussions along how to
> package/distribute Rust itself within each distro. I am a fan of the
> approach that OpenSUSE has taken: https://en.opensuse.org/Rust I hope
> that some of the other distributions adopt a similar strategy.

Despite the page title, they're not packaging it in the usual sense.
They're shipping you a giant executable that never gets security
updates. (It's the same with rust on Gentoo and every other distro.)
That's how Windows software is "packaged," and it's just not good
enough -- especially for a network-facing daemon whose job is to be fed
malicious code.



[0] Patiently awaiting the day I don't need Ruby to build webkit. 
Remember that week when Ruby was cool?
