[csw-maintainers] ClamAV - to include the (obsolete) signatures or not?

Peter Bonivart bonivart at opencsw.org
Fri Dec 12 22:43:03 CET 2008


I'm packaging ClamAV (please help test it, see link below) and I'm
wondering what you think about including the virus signatures. The
signature database files are about 18 MB if I remember correctly and
don't compress much, so the package becomes around 20 MB. From a
security point of view it's not wise to use ClamAV with the included
signatures since they are becoming more obsolete with every passing day
since source release (November 26th). On the other hand you can't scan
at all without a signature database and must start by downloading one
with the freshclam command, which is really what everyone should do
anyway.

Should we provide a 20 MB package fully operational which needs
updating or should we provide a 2 MB package which *must* be updated?

If the second alternative, is it good enough to inform the user about
this via the postinstall script for example? An automated run of
freshclam will not work in most cases without some simple
configuration which can't be guessed by me.

A third alternative would be, like many Linux dists do, to separate
the database into its own package, but I only see that as a viable option
if I would constantly update that package, which would
be...stupid...when there's a perfect solution provided with ClamAV for
that. If we make the signature package not a required dependency to
main ClamAV, users will miss it and we're no better off.

http://buildfarm.opencsw.org/testing.html (look for clamav and libclamav)

-- 
/peter
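
One way the postinstall notice raised in the message above could decide what to tell the user, as an added example that is not part of the original post or of the OpenCSW package. The function names, the database directory argument, the age threshold, and the use of the daily database's modification time as a freshness proxy are all assumptions.

```shell
#!/bin/sh
# Added example: postinstall-style check of the ClamAV signature database.
# Hypothetical helpers; the database directory and age limit are caller-supplied assumptions.

# sigdb_status DIR MAX_AGE_DAYS -> prints "missing", "stale" or "ok"
sigdb_status() {
    dbdir=$1
    max_age=$2
    found=0
    fresh=0
    # Signatures live in main/daily databases (.cvd, or .cld after incremental updates).
    for f in "$dbdir"/main.cvd "$dbdir"/main.cld "$dbdir"/daily.cvd "$dbdir"/daily.cld; do
        [ -f "$f" ] || continue
        found=1
        case $f in
            */daily.*)
                # find -mtime +N matches files older than N days; no output means recent.
                if [ -z "$(find "$f" -mtime +"$max_age" -print)" ]; then
                    fresh=1
                fi
                ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo missing
    elif [ "$fresh" -eq 0 ]; then
        echo stale
    else
        echo ok
    fi
}

# postinstall_notice DIR MAX_AGE_DAYS -> informs the user; never fails the install.
postinstall_notice() {
    case $(sigdb_status "$1" "$2") in
        missing) echo "ClamAV: no signature database in $1; scanning will not work."
                 echo "Configure freshclam and run it before the first scan." ;;
        stale)   echo "ClamAV: signatures in $1 are older than $2 days."
                 echo "Run freshclam to update them before relying on scan results." ;;
        ok)      echo "ClamAV: signature database in $1 is recent." ;;
    esac
    return 0
}
```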


