Malware scanning

Certain CI builds can be configured with ClamAV integration, so that builds have a basic malware scan performed on their output files. This is not yet very generalized (it currently only works for builds in the private soss distribution), and should not be expected to be robust.

To enable this in a local Launchpad installation, set this in launchpad-lazr.conf (or otherwise arrange for "scan_malware": true to be included in the arguments dispatched to the builder):

[cibuild.soss]
scan_malware: True

database.clamav.net rate-limits clients. To avoid this, and generally to be good citizens, we maintain a private mirror of the ClamAV database. This is organized using the clamav-database-mirror charm, deployed via the vbuilder Mojo spec (Canonical-internal); on production, this is exposed to builders as clamav-database-mirror.lp.internal. launchpad-buildd-image-modifier is configured to pass a suitable local URL on to launchpad-buildd, but you can also do this in a local installation by adding something like the following to /etc/launchpad-buildd/default:

[proxy]
clamavdatabase = http://clamav-database-mirror.test/