> The ClamAV 0.103 LTS release is nearing end-of-life (EOL) with regards to
> security vulnerability fix support from our team. This end of life date will
> be Sept. 14, 2024.
>
> After Sept. 14, 2025, we may block ClamAV 0.103 from downloading signature
> updates.

We need to decide what we're going to do about this. Given the upstream dependency on Rust for all later versions, we're going to have to live with dropping the HPPA keyword; we've known that this is coming for a while.

If someone (mjo?) is willing to backport any security fixes, we can keep the package on life support for another 10 months; however, after this we would need (at the very least) to run our own ClamAV database mirror to enable older clients to update. This seems like a lot of overhead for a vanishingly small userbase.

My opinion is that we should drop the package in early 2025 (happy new year?). The 1.x LTS subslot has been available (and stable where possible) for all arches other than HPPA for some time now with no reported major bugs. We should consider p.masking this package in the near future to provide a migration path (and act as a scream test).

CC Security, QA for any input they may have.
I'll either backport any security fixes, or give up and mask it when things become too hard to backport. When September 2025 comes, I'll patch freshclam to lie about which version it is. Bundling every library into a daemon that is intended to parse malicious input is unconscionable to me. When the signatures finally stop working, I'd rather delete it.
> I'll either backport any security fixes, or give up and mask it when things become too hard to backport.

I think that works for us, so I'm not sure there's anything in particular actionable for us (for now), but we'll hold you to it to mask when the time comes ;)