Malware scanning
****************

Certain CI builds can be configured with ClamAV integration, so that builds
have a basic malware scan performed on their output files.  This is not yet
very generalized (it currently only works for builds in the private ``soss``
distribution), and should not be expected to be robust.

To enable this in a local Launchpad installation, set this in
``launchpad-lazr.conf`` (or otherwise arrange for ``"scan_malware": true``
to be included in the arguments dispatched to the builder)::

    [cibuild.soss]
    scan_malware: True

``database.clamav.net`` rate-limits clients.  To avoid this, and generally
to be good citizens, we maintain a `private mirror
<https://docs.clamav.net/appendix/CvdPrivateMirror.html>`_ of the ClamAV
database.  This is organized using the `clamav-database-mirror
<https://charmhub.io/clamav-database-mirror>`_ charm, deployed via the
`vbuilder
<https://git.launchpad.net/~launchpad/launchpad-mojo-specs/+git/private/tree/vbuilder?h=vbuilder>`_
Mojo spec (Canonical-internal); on production, this is exposed to builders
as ``clamav-database-mirror.lp.internal``.  `launchpad-buildd-image-modifier
<https://git.launchpad.net/charm-launchpad-buildd-image-modifier>`_ is
configured to pass a suitable local URL on to ``launchpad-buildd``, but you
can also do this in a local installation by adding something like the
following to ``/etc/launchpad-buildd/default``::

    [proxy]
    clamavdatabase = http://clamav-database-mirror.test/