
[clamav-users] Clamav EOL Policy and Signatures
I don't know if this is new or if I missed it before, but, now that I've
looked at https://docs.clamav.net/faq/faq-eol.html again, I have questions/
comments about the provision of signature support to EOL releases.

A little over a month ago (Feb 18) one of the Fedora clamav maintainers raised
concerns about the planned EOL date for 0.103.

First, I see the planned EOL date on clamav.net is the same as then. Is the
assessment about extending the support period still ongoing?

Second, we had some discussions about distros patching for security updates
after the support period if needed. I noticed today that the scheduled
termination date for being able to download signatures is the same as the EOL
date. That's a problem.

If 0.103 is going to be unable to download signatures as soon as Sep-14 2023,
then that means it's useless after that date. My recollection is that
historically signatures were only blocked for older versions when it was
technically unavoidable. As long as users can download signatures, then
distros can support users on older releases for as long as they can manage to
backport security fixes. If that's no longer the case, I don't know that it's
going to be feasible to ship it in a release.

Am I misunderstanding the table?

Scott K
Re: [clamav-users] Clamav EOL Policy and Signatures
Hi Scott,

> First, I see the planned EOL date on clamav.net is the same as then. Is the
> assessment about extending the support period still ongoing?

We discussed it and agreed to a 1-year extension for 0.103 LTS (specifically) but not all LTS versions. We have a blog draft in review at this moment to formally announce this and explain the finer details. I just asked for a hold on publishing this for a few days, given the next topic.

> Second, we had some discussions about distros patching for security updates
> after the support period if needed. I noticed today that the scheduled
> termination date for being able to download signatures is the same as the EOL
> date. That's a problem.

You're right, our EOL policy states that signature download support is the same as security patch support for LTS versions.

I already had concerns that LTS versions will be so popular that immediately cutting it off on the EOL date would be a problem. And at the time we wrote the EOL policy, we failed to consider distributions wanting to backport security patches to continue support for those versions on their own.

For LTS versions, I believe we should consider supporting signature download after we stop security patch support for an extra 6-months, or maaaybe 12-months.

It's also worth mentioning that new signatures may focus on features available in newer versions. For example, right now we're getting a lot of value out of image fuzzy hash signatures and those are not used by the 0.103 release. It is not quite the case right now, but in future years it is possible that much of the new signature content is not used by ClamAV versions past EOL. Our Cloudflare CDN is pretty expensive, so that is one argument I have heard for wanting to block downloads sooner than later.

Anyways, we have some folks on PTO right now, including my manager. I want to talk about it with them some more before we make any decisions. But I didn't want to leave you hanging either.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Scott Kitterman via clamav-users <clamav-users@lists.clamav.net>
Sent: Thursday, March 23, 2023 2:32 PM
To: clamav-users@lists.clamav.net <clamav-users@lists.clamav.net>
Cc: Scott Kitterman <debian@kitterman.com>
Subject: [clamav-users] Clamav EOL Policy and Signatures

Re: [clamav-users] Clamav EOL Policy and Signatures
That sounds like things are on the right track. I appreciate the feedback.

For Debian, we want to always release with the latest clamav LTS and support
it through the lifecycle of a Debian release. We can, if needed, move to a
newer release, particularly if libclamav binary compatibility is maintained
(we have done library transitions in the stable release in the past, but it's
been a tough ride - to be avoided if at all possible).

We release roughly every two years and support each release for a year after
the next release. There is an external group that does Debian long term
support that maintains things after that (they are Debian contributors, but
it's not formally part of the Debian project).

https://wiki.debian.org/DebianReleases#Production_Releases

The one year extension for 0.103.X will (as discussed in February) support our
Debian 11 (Bullseye) main support requirements. Maintaining the ability for
0.103.X users to download signatures beyond that date will help with Debian
LTS support. Eventually they will have to either figure out upgrading to 1.0.X
or dropping support for the package (LTS support is not for the entire Debian
archive).

Generically, I think allowing signature download for a year past EOL for
clamav LTS versions would allow us to manage things adequately through our
support window. Ultimately we'd have to assess the trade-offs between
continuing to patch an EOL'ed LTS versus a post-release upgrade.

Thanks,

Scott K

On March 24, 2023 8:12:46 PM UTC, "Micah Snyder (micasnyd)"
<micasnyd@cisco.com> wrote: