include much needed antivirus products in FC2

Thomas M Steenholdt tmus at get2net.dk
Tue Jan 6 20:52:48 UTC 2004


Enrico Scholz wrote:

>[ Since I am the author of the clamav package at fedora.us I am a little
>bit biased ]
>
>tmus at get2net.dk ("Thomas Munck Steenholdt") writes:
>  
>
>>Neither is the case with the clamav packages from fedora.us. First of all
>>a number of manual customizations have to be made in order to start the
>>daemon... including installing the default conf file, adding init scripts
>>and a lot of other things...
>>
>>This is not how things should work,
>>    
>>
>
>No, this is exactly how things should work. Default clamav configuration
>is broken:
>
>* daemon runs as root by default -> bad flaw since it works as non-root
>  also. Please do not begin with SELinux; it's not the solution for all
>  security problems and not available in FC1 or below.
>
>* default logging and sockets are suggested to be under /tmp
>  -> man symlink-attack, man tmpwatch
>
>* no crontab entries for database update and logrotating
>  
>
That's why it would be natural to fix those kinds of things in a
package, so that it would work immediately after installation...
Again - I realize that a default configuration will not suit all, but
it should consist of a sane and working config along with all normally
needed scripts located in the right places.
Then, if somebody wants to change something, he can modify the
clamav.conf file or even create some scripts to accomplish non-generic
tasks.

>It is ok when the package itself has these flaws, but one of the tasks
>of package-management is the providing of a secure and preconfigured
>setup. I do not want a package which just puts the results of 'make
>install' in the filesystem and where I have to spend hours to create new
>users, fix broken default configurations or to write initscripts.
>  
>
I agree with this completely...
But installing a package should provide a basic working setup of
whatever that package contains. Requiring that you change the conf file
for a setting or even five before it will run is fine by me, but all
the other stuff should really be unnecessary - especially for something
like an antivirus package, that needs to be able to scan for viruses!
Sane defaults and a basic working configuration out of the box, just
like the rest of the packages for fedora that are provided by the Core
distribution.

>QA trail at https://bugzilla.fedora.us/show_bug.cgi?id=268 should
>explain some parts of the clamav package.
>
>
>
>Enrico
>
>
>  
>
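
An added example, not part of the original thread and not code from the clamav or fedora.us packages: a small audit of a clamav.conf-style file for the first two flaws listed in the quoted message (daemon left running as root, log and socket paths under /tmp). The directive names User, LogFile, LocalSocket and PidFile are assumed from clamd's configuration format, and both sample files are constructed.

```python
import posixpath

# World-writable directories: a predictable file name here invites symlink
# attacks, and tmpwatch may delete a long-lived socket or log.
WORLD_WRITABLE = ("/tmp", "/var/tmp")
PATH_DIRECTIVES = ("LogFile", "LocalSocket", "PidFile")  # assumed directive names

def parse_conf(text):
    """Return {directive: value} from 'Name value' lines, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def under_world_writable(path):
    """True if the normalised path is inside /tmp or /var/tmp."""
    norm = posixpath.normpath(path)
    return any(norm == d or norm.startswith(d + "/") for d in WORLD_WRITABLE)

def audit(text):
    """Return findings for the root-daemon and /tmp-path flaws."""
    conf = parse_conf(text)
    findings = []
    # Assumption: with no User directive a daemon started by root stays root.
    if conf.get("User") in (None, "", "root", "0"):
        findings.append("daemon runs as root: set User to a dedicated account")
    for name in PATH_DIRECTIVES:
        path = conf.get(name)
        if path and under_world_writable(path):
            findings.append(f"{name} {path} is in a world-writable directory")
    return findings

# Constructed samples, not the files shipped by upstream or by any package.
UPSTREAM_STYLE = """\
# User clamav
LogFile /tmp/clamd.log
LocalSocket /tmp/clamd
"""
PACKAGED_STYLE = """\
User clamav
LogFile /var/log/clamav/clamd.log
LocalSocket /var/run/clamav/clamd.sock
PidFile /var/run/clamav/clamd.pid
"""

if __name__ == "__main__":
    for label, text in (("upstream-style", UPSTREAM_STYLE),
                        ("packaged-style", PACKAGED_STYLE)):
        print(label, audit(text) or "ok")
```

A check like this fits in a package's build-time test so a configuration change that reintroduces /tmp paths or drops the User line is caught before release.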




