Enrico Scholz wrote:
[ Since I am the author of the clamav package at fedora.us I am a
little bit biased ]
tmus(a)get2net.dk ("Thomas Munck Steenholdt") writes:
>Neither is the case with the clamav packages from fedora.us. First of all
>a number of manual customizations have to be made in order to start the
>daemon... including installing the default conf file, adding init scripts
>and a lot of other things...
>
>This is not how things should work,
>
>
No, this is exactly how things should work. Default clamav configuration
is broken:
* daemon runs as root by default -> bad flaw since it works as non-root
also. Please do not begin with SELinux; it's not the solution for all
security problems and not available in FC1 or below.
* default logging and sockets are suggested to be under /tmp
-> man symlink-attack, man tmpwatch
* no crontab entries for database update and logrotating
That's why it would be natural to fix those kinds of things in a
package, so that it would work immediately after installation...
Again - I realize that a default configuration will not suit all, but
it should consist of a sane and working config along with all normally
needed scripts located in the right places.
Then, if somebody wants to change something, he can modify the
clamav.conf file or even create some scripts to accomplish
non-generic tasks.
It is ok when the package itself has these flaws, but some tasks of
package-management is the providing of a secure and preconfigured
setup. I do not want a package which just puts the results of 'make
install' in the filesystem and where I have to spend hours to create new
users, fix broken default configurations or to write initscripts.
I agree with this completely...
But installing a package should provide a basic working setup of
whatever that package contains. Requiring that you change the conf
file for a setting or even five before it will run is fine by me, but
all the other stuff should really be unnecessary - especially for
something like an antivirus package, that needs to be able to scan for
vira!
sane defaults and a basic working configuration out of the box, just
like the rest of the packages for fedora that's provided by Core
distribution.
QA trail at https://bugzilla.fedora.us/show_bug.cgi?id=268 should
explain some parts of the clamav package.
Enrico
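
The flaws listed in the message above (daemon left running as root, log and socket paths under /tmp) can be checked mechanically before a package ships a default configuration. The following is an added example, not part of the original thread or of the fedora.us package; the directive names User, LogFile, LocalSocket and PidFile are assumed from clamd's configuration format, and both sample configurations are constructed.

```python
import posixpath

# Directives whose value is a filesystem path (names assumed, see lead-in).
PATH_DIRECTIVES = {"LogFile", "LocalSocket", "PidFile"}
# World-writable directories: predictable names here invite symlink attacks,
# and tmpwatch may remove the file from under the running daemon.
WORLD_WRITABLE = ("/tmp", "/var/tmp")

# Constructed samples, not copied from any real package.
RISKY = """\
LogFile /tmp/clamd.log
LocalSocket /tmp/clamd   # socket in /tmp
PidFile /var/run/clamd.pid
"""
HARDENED = """\
User clamav
LogFile /var/log/clamav/clamd.log
LocalSocket /var/run/clamav/clamd.sock
PidFile /var/run/clamav/clamd.pid
"""

def parse_conf(text):
    """Return {directive: value} for 'Name value' lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(text):
    """List findings for the flaws named in the thread."""
    conf = parse_conf(text)
    findings = []
    # Assumption: a missing User directive means the daemon stays root,
    # matching the default behaviour the thread describes.
    user = conf.get("User")
    if user is None or user in ("root", "0"):
        findings.append("User: daemon does not drop root privileges")
    for name in sorted(PATH_DIRECTIVES & conf.keys()):
        path = posixpath.normpath(conf[name])  # collapse ../ before comparing
        if any(path == d or path.startswith(d + "/") for d in WORLD_WRITABLE):
            findings.append(f"{name}: {path} is in a world-writable directory")
    return findings

if __name__ == "__main__":
    for label, text in (("risky", RISKY), ("hardened", HARDENED)):
        print(label, audit(text) or "no findings")
```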