[yocto] [meta-security][PATCH] clamav: freshclam need bind to run

Adrian Bunk bunk at stusta.de
Sun Apr 7 00:16:01 PDT 2019


On Sun, Apr 07, 2019 at 11:45:18AM +0530, akuster808 wrote:
> 
> 
> On 4/7/19 10:42 AM, Adrian Bunk wrote:
> > On Sun, Apr 07, 2019 at 01:38:38AM +0530, akuster808 wrote:
> >>
> >> On 4/6/19 8:31 PM, Adrian Bunk wrote:
> >>> On Sat, Apr 06, 2019 at 08:15:40PM +0530, Armin Kuster wrote:
> >>>> Add it to the rdepends for that package
> >>>>
> >>>> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
> >>>> ---
> >>>>  recipes-security/clamav/clamav_0.99.4.bb | 2 ++
> >>>>  1 file changed, 2 insertions(+)
> >>>>
> >>>> diff --git a/recipes-security/clamav/clamav_0.99.4.bb b/recipes-security/clamav/clamav_0.99.4.bb
> >>>> index 6219d9e..dbe903f 100644
> >>>> --- a/recipes-security/clamav/clamav_0.99.4.bb
> >>>> +++ b/recipes-security/clamav/clamav_0.99.4.bb
> >>>> @@ -152,3 +152,5 @@ RCONFLICTS_${PN} += "${PN}-systemd"
> >>>>  SYSTEMD_SERVICE_${PN} = "${BPN}.service"
> >>>>  
> >>>>  RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav"
> >>>> +
> >>>> +RDEPENDS_freshclam = "bind"
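Review bot: the added `RDEPENDS_freshclam = "bind"` uses a package name, `freshclam`, that does not match the `clamav-freshclam` package listed in the `RDEPENDS_${PN}` context line directly above, so as written the dependency would not attach to the freshclam package; if a dependency is wanted it should read `RDEPENDS_${PN}-freshclam`. The commit message also does not say what freshclam uses from bind, and since this line pulls a DNS server into every image that ships freshclam, that reason should be stated in the message or in a comment next to the assignment.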
> >>> freshclam depending on a DNS server looks very wrong.
> >> got talk to clamav folks then.
> >>
> >>> What is the actual problem?
> >> ClamAV update process started at Sat Apr  6 14:59:25 2019
> >> WARNING: Can't query current.cvd.clamav.net
> >> WARNING: Invalid DNS reply. Falling back to HTTP mode.
> >> ERROR: Can't get information about database.clamav.net: Temporary failure in name resolution
> >> ERROR: Can't download main.cvd from database.clamav.net
> >> Giving up on database.clamav.net...
> >>
> >> because 
> >>
> >> Use DNS to verify virus database version. Freshclam uses DNS TXT records
> >> to verify database and software versions 
> >>
> >> therefore I am including bind.
> > freshclam needing DNS information makes sense, which means it must be 
> > configured how to access a DNS server.
> >
> > On the local machine you need only DNS client functionality,
> > just like every user needs for a web browser.
> 
> >
> > Forcing installation of a DNS server is not the correct solution
> > when the actual problem is just a configuration issue on the
> > machine where you were trying it.
> 
> So I can expect a patch to provide such configuration. I would like to
> see how you would solve this.

How are you configuring networking on your device?

> Maybe an FAQ we can add to the layer for this package?

From the error message you gave it is not obvious that there is any
problem that would be specific to this package.

I would guess that DNS configuration is missing or incorrect on your 
device, and that "ping www.google.com" would also fail with a name 
resolution error.

> - armin

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
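
One way to check on the device whether the freshclam failure quoted in this thread is a resolver configuration problem rather than something specific to the package, as an added example that is not part of the original thread. The function names and result labels are made up here, the log lines are the ones quoted above, and the resolv.conf content is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a freshclam failure is
# a resolver configuration problem on the device.

# Count "nameserver" entries in a resolv.conf-style file. Per resolv.conf(5),
# with zero entries the libc resolver queries the name server on the local machine.
count_nameservers() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk '$1 == "nameserver" && $2 != "" { n++ } END { print n + 0 }' "$1"
}

# classify_freshclam_log LOG RESOLV_CONF -> one label on stdout (labels are hypothetical)
classify_freshclam_log() {
    if grep -q 'Temporary failure in name resolution' "$1"; then
        # getaddrinfo() failed: a system-wide condition, not specific to freshclam
        if [ "$(count_nameservers "$2")" -eq 0 ]; then
            echo resolver-unconfigured
        else
            echo resolver-unreachable
        fi
    elif grep -q 'Invalid DNS reply' "$1"; then
        echo txt-lookup-failed     # only the DNS TXT version check failed
    else
        echo no-dns-error
    fi
}

# Sample run: log text copied from the thread, resolv.conf constructed (no entries).
run_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/freshclam.log" <<'EOF'
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
ERROR: Can't get information about database.clamav.net: Temporary failure in name resolution
EOF
    printf '# constructed: no nameserver lines\n' > "$d/resolv.conf"
    classify_freshclam_log "$d/freshclam.log" "$d/resolv.conf"
    rm -rf "$d"
}

run_sample   # prints: resolver-unconfigured
```

On a real device the second argument would be `/etc/resolv.conf`; a result of `resolver-unconfigured` means the fix belongs in the image's network configuration, not in the package's runtime dependencies.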


