Mailing List Archive

Re: Clubbing a deceased equine [ In reply to ]
Eric Rostetter wrote:

>>>> Knowingly disabling running software on computers that is not your own
>>>> is not acceptable. It is immoral, unethical and perhaps illegal.
>>>
>>> But that's not what happened.
>
> Yes, it is what happened... People are just confused because of all
> the bogus complaints like "they shutdown my server" or "they shutdown
> my email". But they did indeed shut down clamd for some set of older
> versions.

I'm confused - are you saying they did, or didn't, shut down software
that people were running on their servers? I think you are admitting
(thank you) that the update did what it was supposed to do and
remotely stopped some versions of ClamAV from running.

>> The **ONLY** defence I can think of is that they assumed an
>> implicit permission by virtue of the user running the update
>> process to fetch signature updates. That's a very tenuous thing to
>> infer when pushing an update that is so different in purpose to
>> what would normally be fetched.
>
> Well, since you pull the updates (they are not pushed to you), and since
> while this one signature was indeed "different in purpose" than the normal,
> you have a point. But, this "different in purpose" signature was just
> a way of warning that soon the "same in purpose" signatures _would_ stop
> the software. Would you rather they just started pushing the "normal in
> purpose signatures" that crashed it, or that they pushed a "different
> in purpose" one first, where the "purpose" was to notify users of both
> the issue, and how to fix it?

They didn't HAVE to push either to the older software - I'm not the
first to point out that there was a completely viable alternative
that would just stop supplying updates to the older software.

So my preference would be simply that they "did nothing" to my
software. If they want to stop supporting it with updates, that's
fine and it still leaves me in control of what I run and when I
update it.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: Clubbing a deceased equine [ In reply to ]
Simon--

After ~20+ postings from you on this topic, you're not saying anything new.

Unlike the poor folks running McAfee on Windows who are having their machines rendered unbootable due to a false positive with v5958 of their database, it would require far less effort on your part to either update ClamAV to a non-obsolete version, or to revert to using ClamAV antivirus definitions from 2010-4-14 and continue to operate your outdated ClamAV installation(s) for as long as you want.

If you don't choose to accept ClamAV's update policies, by all means, use something else, or feel free to actually do some useful sanity checking by reviewing automated virus updates obtained from freshclam before deploying them to systems that you care about. My assessment is that there is no chance whatsoever that you will persuade the Sourcefire/ClamAV team to provide separate signatures and update servers for obsolete versions, but there is nothing preventing you from doing that yourself if you like.

Regards,
--
-Chuck

Re: (no subject) [ In reply to ]
On Wed, 21 Apr 2010 14:36:17 +1200
Steve Wray <steve.wray@cwa.co.nz> wrote:

> I know that in certain jurisdictions, reaching out to someone else's
> computer (i.e. not your property) and disabling functionality on it
> could constitute a criminal act.
> I sincerely hope that someone somewhere under such a jurisdiction
> goes to the police and reports the Clamav developers for such an
> offense.

Points to consider:

1. Everybody on the planet had 6 months warning. (In fact more if you
look at the "outdated software" warnings in your logs).

2. They chose to stop releasing updates for a prehistoric version of
the software.

3. Had they continued to allow these updates, and your systems got
borked because it wasn't stopping any current viruses, you'd still want
to sue. So basically, they were damned if they did, and they'd be
damned if they didn't.

4. What did you pay for the software?

5. Where's your contract with them?

6. The only people who are pissy about it appear to be set and forget
admins -- the ones who don't seem to properly maintain their systems
and monitor really important software like ClamAV.

7. The only systems that broke were badly configured ones. I can stop
ClamAV on my mail servers and mail will continue to flow happily, and
other milters will continue to scan mail. It's just Clam that stops.

8. Had the developers just silently stopped publishing updates for old
versions of ClamAV, then the customers of set-and-forget mail admins
would potentially be in a world of crap. Doing it this way *forced*
people to realise that their software was old and out of date, and
potentially harmful to them and their customers.
Re: Clubbing a deceased equine [ In reply to ]
Quoting Simon Hobson <linux@thehobsons.co.uk>:

> I'm confused - are you saying they did, or didn't, shut down software
> that people were running on their servers?

I've always supported the claim that they did this. And I've always
countered the claims of the like of "shutdown my server" or "shutdown
my email" or such.

> I think you are admitting (thank you) that the update did what it
> was supposed to do and remotely stopped some versions of ClamAV from
> running.

No, I'm saying the update did shut down clamav installs older than 0.95.
I'm not saying that was what it was supposed to do, that is a matter
of intent of the people at sourcefire, and I have no access to their
intent. As such, I could only offer my opinion, and not admit to their
intent.

> They didn't HAVE to push either to the older software - I'm not the

They didn't PUSH anything to the older software. The users PULLED the
signatures with their older version of the software.

> first to point out that there was a completely viable alternative
> that would just stop supplying updates to the older software.

And this is not the first time I'll point out that your suggestions came
after the fact. And this is not the first time I'll point out they asked
for feedback and ideas for 6 months and AFAIK didn't get any such suggestions
(maybe they did, and maybe they ignored them, I don't know... But they sure
were not discussed on the mailing list or elsewhere in an effort to gain
support and change the minds of clamav/sourcefire).

> So my preference would be simply that they "did nothing" to my software.

Mine too. But what does my preference matter to them? That is up
to them to decide, not me.

> If they want to stop supporting it with updates, that's fine and it
> still leaves me in control of what I run and when I update it.

True. And a perfectly legitimate stance to hold. But that doesn't mean
sourcefire/clamav has to respect that stance...

> --
> Simon Hobson

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!
Re: (no subject) [ In reply to ]
Spiro Harvey wrote:
> On Wed, 21 Apr 2010 14:36:17 +1200
> Steve Wray <steve.wray@cwa.co.nz> wrote:
>
>> I know that in certain jurisdictions, reaching out to someone else's
>> computer (i.e. not your property) and disabling functionality on it
>> could constitute a criminal act.
>> I sincerely hope that someone somewhere under such a jurisdiction
>> goes to the police and reports the Clamav developers for such an
>> offense.
>
> Points to consider:
>
> 4. What did you pay for the software?
>
> 5. Where's your contract with them?

This is part of the attitude problem from many open source projects.

They are (too often) run by technicians and programmers with no input from
the business side.

What the Clamav team did, I can't believe it would have made it through a
business analyst and I can't believe that any executive would have signed
off on something like that after considering the potential impact it could
have on their clients.

For the last 4 years or so I have had to shift my mindset from that of pure
sysadmin to taking business considerations into account; it's very easy for
someone who is absorbed with programming and engineering to forget that IT
is there to support business and that business is not there to support IT.

This is something that I personally have struggled hard with; it can be
difficult for a 'geek' to move in that direction. But it's very, very
important if OSS is to be taken seriously in the enterprise.

So many OSS projects do not view their users as clients or customers; they
view them either as experimental subjects or as fellow experimenters. They
only take the technical considerations into account and largely ignore
potential impact on business.

This is true both of the Clamav developers and of those people who didn't
take precautions against potential problems such as the Clamav developers
introduced. (And make no mistake; a problem was *created* by the Clamav
team, a problem that did not exist prior to the changes they made).

I have been using Linux since 1991 and I have seen a lot of positive change
in that time. I have seen it go from crazy 'fringe' to being widely
accepted in the enterprise. But shenanigans like this can risk all of that
hard work.

This is why I raised the legal and ethical issue; because that is what the
business end should be considering and it's what the technical end only
rarely considers.

I understand that Clamav is free as in 'beer' and that there is no legal
contract with the Clamav team. However, Clamav has a parent company,
Sourcefire, which is listed on Nasdaq and is a 'proper' corporation.

I have written to them to find out what they think of this, if anything at
all...

Sourcefire actually have executives and a general counsel and I am sure
that they employ business analysts as well. I will be interested to see if
what the Clamav team did is condoned by the parent company which clearly
has some business acumen behind it.


Don't get distracted by issues such as "Oh those bad silly sysadmins out
there who messed up, it's really *their* fault not the fault of the Clamav
developers!" That is just *not* helpful. The damage is already done; damage
to people's systems and damage to the reputation not only of Clamav but of
OSS in general.



--
Please remember that an email is just like a postcard; it is not
confidential nor private nor secure and can be read by many other people
than the intended recipient. A postcard can be read by anyone at the mail
sorting office and expecting what is written on it to be private and secret
is not realistic. Please hold no higher expectation of email.

If you need to send confidential information in an email you need to use
encryption. PGP is Pretty good for this.
Re: Clubbing a deceased equine [ In reply to ]
Christopher X. Candreva wrote:
> I disagree with that statement because it's incomplete.. The purpose of this
> update was to make running software break WITH A DESCRIPTIVE ERROR .
> Important difference.
>
> The alternative being breaking with an incomprehensible hex dump
I think that sums it up... that, to me, seemed like the ONLY aim.

I even contacted ISC the day before and gave them a reminder:
http://isc.sans.org/diary.html?storyid=8635&rss

I did see an interesting idea on the devel mailing list from David "I
have a feature suggestion: Incorporate the version number in your
DNS TXT records and download URLs. Your download mirrors can use
symlinks in most cases (when versions are completely compatible) and
you can easily stop older machines from attempting to download by
stopping updates on the 0.96.whatever.clamav.net TXT record. "

Source: http://lurker.clamav.net/message/20100408.011105.c584f530.en.html

Would this idea help minimise any future issues like this?

Cheers,

Steve
Sanesecurity
Re: Clubbing a deceased equine [ In reply to ]
On 21.04.2010 22:56, Eric Rostetter wrote:
>> If they want to stop supporting it with updates, that's fine and it
>> still leaves me in control of what I run and when I update it.
>
> True. And a perfectly legitimate stance to hold. But that doesn't mean
> sourcefire/clamav has to respect that stance...

Agreed. So we, as a community, should make sure that no company goes
around shutting down services left and right, claiming it is their right
to do so. Basically, public outcry and (threat of) legal action are the
only viable alternatives against that.

On a side note, I wonder if this road would have been taken if
sourcefire did not acquire clamav some time ago. It would be nice to
know how this decision was taken, its circumstances etc.

--
Eray
Re: Clubbing a deceased equine [ In reply to ]
On Wed, 2010-04-21 at 21:19 +0100, Steve Basford wrote:

> I did see an interesting idea on the devel mailing list from David "I
> have a feature suggestion: Incorporate the version number in your
> DNS TXT records and download URLs. Your download mirrors can use
> symlinks in most cases (when versions are completely compatible) and
> you can easily stop older machines from attempting to download by
> stopping updates on the 0.96.whatever.clamav.net TXT record. "
>
> Source: http://lurker.clamav.net/message/20100408.011105.c584f530.en.html
>
> Would this idea help minimise any future issues like this?

It was pointed out even before that suggestion was made that 0.95 and
later have a versioning system inside the signature DB which allows clam
to selectively load only parts of the DB. New incompatible signature
types can be created and 0.95 can be told to ignore them.

--
Chris

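Two ideas from this thread, David's per-version DNS TXT records (quoted in Steve's post above) and Chris's point that signatures carry an engine range the loader can use to ignore incompatible entries, as one constructed Python simulation. This is added illustration, not ClamAV's or freshclam's code: the zone name `current.example.test`, the TXT value format, the `Engine:MIN-MAX` field and all sample data are assumptions.

```python
"""Version-gated updates, as a constructed simulation (not ClamAV's real formats).

Two ideas from the thread are modelled:
  * David's proposal: publish a DNS TXT record per engine series, so a series
    that is no longer served simply finds no record and fetches nothing.
  * Chris's point: signatures carry an engine functionality-level range, so a
    loader skips entries outside its range instead of failing on them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed "DNS zone": one TXT record per supported engine series.
# Assumed value format: "<db_version>:<min_flevel>". EOL series get no record.
CONSTRUCTED_TXT_ZONE: Dict[str, str] = {
    "0.96.current.example.test": "10740:51",
    "0.95.current.example.test": "10740:47",
    # 0.94 is end-of-life: no record is published for it.
}


def txt_record_name(engine_version: str, zone: str = "current.example.test") -> str:
    """Version-specific record name (David's suggestion), keyed on the
    major.minor series so that 0.96.1 and 0.96.2 share one channel."""
    series = ".".join(engine_version.split(".")[:2])
    return f"{series}.{zone}"


def check_for_update(engine_version: str, local_db_version: int,
                     resolver: Dict[str, str] = CONSTRUCTED_TXT_ZONE) -> Optional[int]:
    """Return the database version to fetch, or None when nothing should be
    fetched: either the series has no record (EOL, so the client does nothing,
    which is the 'just stop supplying updates' option) or the local copy is current."""
    record = resolver.get(txt_record_name(engine_version))
    if record is None:
        return None
    remote_db, _min_flevel = record.split(":")
    remote = int(remote_db)
    return remote if remote > local_db_version else None


@dataclass
class Signature:
    name: str
    body_hex: str
    min_flevel: int
    max_flevel: int


def parse_signature_line(line: str) -> Signature:
    """Parse the constructed line format 'name;Engine:MIN-MAX;body_hex'.
    Raises ValueError on anything malformed so the caller decides what to do."""
    name, engine_field, body_hex = line.split(";")
    if not engine_field.startswith("Engine:"):
        raise ValueError("missing Engine range")
    low, high = engine_field[len("Engine:"):].split("-")
    return Signature(name, body_hex, int(low), int(high))


def load_database(lines: List[str], engine_flevel: int) -> Tuple[List[Signature], int]:
    """Load only signatures whose Engine range covers this engine's functionality
    level (Chris's point: the engine can be told to ignore incompatible types).
    Returns (loaded signatures, number skipped); a malformed or out-of-range entry
    is skipped and counted rather than aborting the whole load."""
    loaded: List[Signature] = []
    skipped = 0
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            sig = parse_signature_line(line)
        except ValueError:
            skipped += 1
            continue
        if sig.min_flevel <= engine_flevel <= sig.max_flevel:
            loaded.append(sig)
        else:
            skipped += 1
    return loaded, skipped


# Constructed sample database: three well-formed entries requiring increasing
# functionality levels, plus one malformed entry.
CONSTRUCTED_DB: List[str] = """
# name;Engine:MIN-MAX;body_hex   (constructed format)
Test.Sig.Old;Engine:40-255;48656c6c6f
Test.Sig.Mid;Engine:47-255;576f726c64
Test.Sig.New;Engine:51-255;7b6e65777d
Test.Sig.Bad;Engine:x-y;00
""".strip().splitlines()


if __name__ == "__main__":
    for version, flevel, local_db in (("0.96.1", 51, 10739), ("0.95.3", 47, 10739), ("0.94.2", 44, 9000)):
        sigs, skipped = load_database(CONSTRUCTED_DB, flevel)
        print(f"{version}: update -> {check_for_update(version, local_db)}, "
              f"loaded {len(sigs)} signature(s), skipped {skipped}")
```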
Re: (no subject) [ In reply to ]
On Thu, 22 Apr 2010 08:19:31 +1200
Steve Wray <steve.wray@cwa.co.nz> wrote:

> Don't get distracted by issues such as "Oh those bad silly sysadmins
> out there who messed up, it's really *their* fault not the fault of
> the Clamav developers!" That is just *not* helpful. The damage is
> already done; damage to people's systems and damage to the reputation
> not only of Clamav but of OSS in general.

If you were to talk about helpful, perhaps you should be proposing a
way for them to do it better next time. That would really be in the
spirit of OSS.
Re: (no subject) [ In reply to ]
On Thu, 22 Apr 2010, Steve Wray wrote:

> This is part of the attitude problem from many open source projects.
>
> They are (too often) run by technicians and programmers with no input from the
> business side.

IMHO, open source projects don't have a business side.

Open source projects exist for the developers to get the software they need,
faster, through collaboration with others. If anyone else finds it useful
that's an added bonus. But if no one other than the devs use it themselves,
the project has fulfilled its purpose.

Adding business value is the job of the distros, or Apple if they include
it, or myself as an ISP. That's why I said before I think the real let-down
here are the distros that didn't do anything about it.

Extreme? Maybe, but that's why I use open-source, for getting best of
breed, newest, breaking with history when needed.



==========================================================
Chris Candreva -- chris@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: (no subject) [ In reply to ]
Spiro Harvey wrote:
> On Thu, 22 Apr 2010 08:19:31 +1200
> Steve Wray <steve.wray@cwa.co.nz> wrote:
>
>> Don't get distracted by issues such as "Oh those bad silly sysadmins
>> out there who messed up, it's really *their* fault not the fault of
>> the Clamav developers!" That is just *not* helpful. The damage is
>> already done; damage to people's systems and damage to the reputation
>> not only of Clamav but of OSS in general.
>
> If you were to talk about helpful, perhaps you should be proposing a
> way for them to do it better next time. That would really be in the
> spirit of OSS.

But I am; involve business people in the decision making process *at*
Clamav. I'm sure that Sourcefire have the resources to do that. I'm just
not sure what the status of this is. I'd like to know.


--
Please remember that an email is just like a postcard; it is not
confidential nor private nor secure and can be read by many other people
than the intended recipient. A postcard can be read by anyone at the mail
sorting office and expecting what is written on it to be private and secret
is not realistic. Please hold no higher expectation of email.

If you need to send confidential information in an email you need to use
encryption. PGP is Pretty good for this.
Re: (no subject) [ In reply to ]
On Wed, Apr 21, 2010 at 10:39 PM, Christopher X. Candreva
<chris@westnet.com> wrote:
> IMHO, open source projects don't have a business side.
>
> Open source projects exist for the developers to get the software they need,
> faster, through collaboration with others. If anyone else finds it useful
> that's an added bonus. But if no one other than the devs use it themselves,
> the project has fulfilled its purpose.
>
> Adding business value is the job of the distros, or Apple if they include
> it, or myself as an ISP. That's why I said before I think the real let-down
> here are the distros that didn't do anything about it.
>
> Extreme? Maybe, but that's why I use open-source, for getting best of
> breed, newest, breaking with history when needed.

Well put. Luckily I read your post just before having to mute yet
another endless thread on this list.

--
/peter
Re: (no subject) [ In reply to ]
Peter Bonivart wrote:
> On Wed, Apr 21, 2010 at 10:39 PM, Christopher X. Candreva
> <chris@westnet.com> wrote:
>> IMHO, open source projects don't have a business side.
>>
>> Open source projects exist for the developers to get the software they need,
>> faster, through collaboration with others. If anyone else finds it useful
>> that's an added bonus. But if no one other than the devs use it themselves,
>> the project has fulfilled its purpose.
>>
>> Adding business value is the job of the distros, or Apple if they include
>> it, or myself as an ISP. That's why I said before I think the real let-down
>> here are the distros that didn't do anything about it.
>>
>> Extreme? Maybe, but that's why I use open-source, for getting best of
>> breed, newest, breaking with history when needed.

This would be ok if the distros maintained the servers which their
distributed version of Clamav updated from.

They don't. The responsibility in this case is that of those who maintain
Clamav, not the distros.

I would suggest that distros may want to take note of this situation; it's
perhaps not unreasonable for them to maintain e.g. their own Clamav update
servers.



--
Please remember that an email is just like a postcard; it is not
confidential nor private nor secure and can be read by many other people
than the intended recipient. A postcard can be read by anyone at the mail
sorting office and expecting what is written on it to be private and secret
is not realistic. Please hold no higher expectation of email.

If you need to send confidential information in an email you need to use
encryption. PGP is Pretty good for this.
Re: (no subject) [ In reply to ]
On Apr 21, 2010, at 12:15 AM, Simon Hobson wrote:

> Steve Wray wrote:
>
>> I know that in certain jurisdictions, reaching out to someone else's
>> computer (i.e. not your property) and disabling functionality on it
>> could constitute a criminal act.
>
> I am also of the opinion that it was illegal under UK law.
>
>> I sincerely hope that someone somewhere under such a jurisdiction
>> goes to the police and reports the Clamav developers for such an
>> offense.
>>
>> Why?
> <snip>
>
> I don't. As already pointed out, there are enough threats to FOSS
> and we don't need to be shooting ourselves in the collective foot
> over this.
>
>
> Jason Haar wrote:
>
>> ClamAV devs: your response was appropriate. I speak on behalf of
>> the 99%
>> of sites unaffected by this. You can tell that as only 10 people
>> seem to
>> be involved in this thread.
>
> Only 10 people who thought it worth while to put their hands up and
> say something about it. There will be many who will have seen the
> threads and decided they have nothing more to add than "me too", and
> probably a fair number that are waiting for their friendly tech to
> unbreak their appliance.
>
>
> Jim Preston wrote:
>
>> Well, prosecution would be justified if ClamAV had actually done
>> something illegal. What they did was modify their signature
>> database to support new features with advance notice and the fact
>> that any particular installation of unsupported software failed to
>> handle it properly is the onus of the owners / sysadmins of the
>> individual systems. If you happen to fall into that category, then
>> it is time to upgrade your system.
>
> So, suppose you live on some lane where there's a problem with
> people racing up and down at night on motorcycles with no lights
> etc. You've remonstrated with them to be more responsible, but
> they've not listened. Eventually, you put a notice up in your garden
> giving them 6 months to sort themselves out as then you'll be doing
> something about it.
> Do you really think the police and courts would accept an argument
> of "it was their own fault, I warned them, they carried on so it's
> not my fault they decapitated themselves with the wire I strung
> across the lane"? There are so many areas where just telling
> someone you are going to do something does NOT make it legal - and
> for good reason.
>
> You did not tell ME, therefore you did not have permission FROM ME
> to make changes to the way MY server operates. Giving notice that
> you are going to trespass does not make that trespass legal, even if
> you had come directly to my door and told me in person - which of
> course no-one did even in computer terms of making any sort of
> related message appear on my system.
> Describing it as "issuing an update to signatures" is just semantics
> - the signature was known to, and described as being solely to,
> break the system (or at least the ClamAV element of it). No matter
> how the server is configured, that is going to affect operations -
> either stop mail from moving, or stop it being scanned.
> You also cannot claim that my downloading of updates constitutes an
> invite - it constitutes an invite to put AV sig updates on there for
> the purpose of detecting new threats. A poison pill update doesn't
> fit that description.
>
>
> Jim Preston wrote:
>
>> PS: They did explicitly request permission by allowing users to
>> comment on their proposed changes for 6 months. Where were your
>> objections during that time?
>
> See above, that does NOT in any way constitute requesting my
> permission. If you got up one morning and found your car gone from
> the drive, I'd guess you'd call the police and report it stolen.
> Would you accept if the manufacturer had recalled it, and in lieu of
> actually asking your personal permission, had placed an ad in a few
> trade journals to say that they'd just be lifting them off owners
> drives? Would you accept that by not responding to one of those
> ads, you'd given them permission ? Do you think the police and
> courts would ?
>
>
> Dave Warren wrote:
>
>> ClamAV developers didn't reach out to anyone.
>>
>> Rather, most minimally competent ClamAV administrators configure
>> their
>> systems to connect to ClamAV's servers on a regular basis and
>> download
>> updated definition files.
>
> That again is trying to use fine points of language to excuse
> trespass. As stated above, the relation between users and the ClamAV
> team is based on "by running Freshclam, the user is inviting the
> team to supply AV updates for the purposes of detecting new threats"
> - and I'm fairly sure that any reasonable person would consider it
> stopped there.
>
> By their own admission, the ClamAV team send an update which was not
> to detect new threats, it was specifically and solely to make
> certain installations stop working properly. No ifs, buts or
> maybe's, that is the stated intention of the update.
>
> It caused computer systems to stop working correctly, it was
> deliberately designed to do so, and it was delivered in a manner
> that could not be considered to be covered by the implied consent of
> running Freshclam to fetch threat signature updates.
>
> AND, it was not the only option available to them - so there isn't
> even any defence of it being absolutely necessary "for the public
> good".
>
> --
> Simon Hobson
>

Correct, there were other choices; you have been wronged and should
definitely show your displeasure by uninstalling and using another
vendor's product....

Jim
Re: (no subject) [ In reply to ]
I can't believe I've been suckered into this nonsense

>
> This is part of the attitude problem from many open source projects.
>
> They are (too often) run by technicians and programmers with no input
> from the business side.
Oh, let's not forget certain users
>
> What the Clamav team did, I can't believe it would have made it
> through a business analyst and I can't believe that any executive
> would have signed off on something like that after considering the
> potential impact it could have on their clients.
>
> For the last 4 years or so I have had to shift my mindset from that of
> pure sysadmin to taking business considerations into account; it's very
> easy for someone who is absorbed with programming and engineering to
> forget that IT is there to support business and that business is not
> there to support IT.
>
> This is something that I personally have struggled hard with, it can
> be difficult for a 'geek' to move in that direction.

You're giving yourself too much credit. Let's look at this (yet again)
shall we?

People (and you) are upset because they (not me, not them, not the
clamav dev team) decided to ignore the notifications and warnings and
their ( and your) out of date and E-O-L'd AV stopped working. On top of
this due to MTA configuration choices made by some of these same people
when their AV died, so did their mail system. Soooooooo it must be
somebody's fault other than the person(s) in charge of the configuration
and maintenance of these boxes that fault tolerance was not taken into
consideration? Who set up the mail system to die if clam-av was not
available? Not the Clam dev team.

> So many OSS projects do not view their users as clients or customers;
> they view them either as experimental subjects or as fellow
> experimenters. They only take the technical considerations into
> account and largely ignore potential impact on business.
Business impact was caused by the person(s) maintaining, and configuring
the systems that tears are being spilled over. Speaking of impact, what
would the impact be if certain affected customers should find out that
the reason for the service interruption they experienced was because
their service provider couldn't be bothered to take notice of EOL
warnings and properly update their Anti-Virus?
>
> This is true both of the Clamav developers and of those people who
> didn't take precautions against potential problems such as the Clamav
> developers introduced. (And make no mistake; a problem was *created*
> by the Clamav team, a problem that did not exist prior to the changes
> they made).

There is no problem. If you want to run an EOL version of ClamAV all you
have to do (I believe) is stop running freshclam. The obvious issue with
this is that you will no longer be receiving virus updates.
If you want to receive virus updates, then UPDATE your version to the
current and functional version.

But no, you expect ClamAV to do what no other company would do. Keep the
old supported and fork the new version so both can be run.
Perhaps all the fuss is because your dist is also out of date, and not
capable of supporting or compiling the new version? This too can be
fixed by upgrading either your dist, or components.
(Hint: The latter only requires sources and the knowledge to use a compiler)

Like I'm sure Microsoft would support an EOL'd OS past its DOD (Date of
Death). It's just not going to happen. And on the business side, it
doesn't make business sense for them to do so.

This isn't a vendor problem.


Re: (no subject) [ In reply to ]
On Thu, 22 Apr 2010 08:51:00 +1200
Steve Wray <steve.wray@cwa.co.nz> wrote:

> This would be ok if the distros maintained the servers which their
> distributed version of Clamav updated from.
> They don't. The responsibility in this case is that of those who
> maintain Clamav, not the distros.
> I would suggest that distros may want to take note of this situation;
> it's perhaps not unreasonable for them to maintain e.g. their own Clamav
> update servers.

But the distros are the ones who gave you outdated unsupported software.
Had they provided you with a newer package, you wouldn't have had this
problem.

Are you suggesting that if your distribution had packaged ClamAV 0.96
and your server(s) didn't break, that you would *still* be upset? Just
on principle?

I honestly doubt it for one simple reason: You don't read the
announcement list, nor do you follow their twitter account, nor do you
read sites like LWN, (all of which, among others, had announcements 6
months ago) so you would never have known.
Re: (no subject) [ In reply to ]
Spiro Harvey wrote:
> On Thu, 22 Apr 2010 08:51:00 +1200
> Steve Wray <steve.wray@cwa.co.nz> wrote:
>
>> This would be ok if the distros maintained the servers which their
>> distributed version of Clamav updated from.
>> They don't. The responsibility in this case is that of those who
>> maintain Clamav, not the distros.
>> I would suggest that distros may want to take note of this situation;
>> it's perhaps not unreasonable for them to maintain e.g. their own Clamav
>> update servers.
>
> But the distros are the ones who gave you outdated unsupported software.
> Had they provided you with a newer package, you wouldn't have had this
> problem.

I didn't have this problem.

I am just worried that OSS is *still* having problems dealing with basic
business commonsense.


> Are you suggesting that if your distribution had packaged ClamAV 0.96
> and your server(s) didn't break, that you would *still* be upset? Just
> on principle?

I am not upset; I am concerned for OSS and for the way that this reflects
badly on it. And yes, I really do think it has been bad PR.


Re: (no subject)
On Apr 21, 2010, at 8:45 AM, Simon Hobson wrote:

> Jerry wrote:
>
>> I had thought by now that this thread would have died a natural death.
>> Obviously, I was mistaken. It has continued to pollute this forum for
>> nearly a week.
>>
>> What has become conspicuously apparent is that if those who are doing
>> the most complaining had spent even one percent of that time keeping
>> their systems up-to-date and keeping themselves abreast of current
>> development and deployment strategies with the software they employ,
>> this whole discussion would be academic.
>>
>> In the interest of eliminating any further waste of my time or computer
>> resources, I am now instigating a kill filter on this thread.
>
> That's right - if I can't bully everyone round to my way of
> thinking, then I'm taking my ball home. A very grown-up attitude!
>

You certainly are being the bully here, what with throwing buckets of
acid around...
> You (and I mean a small subset of people who are unconditionally
> supporting the action taken by the ClamAV team) have consistently
> used false logic, outright lies, personal insults, and arguments
> worthy of criminal defences to try and weasel out of any blame
> whatsoever for having misjudged things rather badly.
>
> Put bluntly, if people had admitted early on that perhaps it could
> have been handled better, that perhaps they didn't consider all
> classes/types of user, and that it is perhaps not unreasonable that
> users could be a trifle annoyed ... then this **WOULD** have blown
> over ages ago.

But we did on the very first day of this thread. I said that it was
ClamAV's decision to make.
>
> It's not that you had to do something that people are complaining
> about, it's not that you ended support for updates to older versions
> that people are complaining about, it's the way you did it and the
> way you refuse to accept that there can be any other valid viewpoint
> that really p***es people off. You may, if you'd read the messages,
> have noted that even people who were not affected by this thought
> you got it wrong.
>
> --
> Simon Hobson
>

Jim

Re: Clubbing a deceased equine
Eray Aslan wrote:
> Does anyone have access to legal opinion for a lawsuit against clamav
> developers or its parent company? Perhaps Germany is the better place
> for it.

Yeah, I've got a legal opinion for you. You have no standing to
recover any damages and any suit you file would be subject to a
counterclaim for a frivolous lawsuit.

Re: (no subject)
On Thu, 2010-04-22 at 09:07 +1200, Spiro Harvey wrote:

> But the distros are the ones who gave you outdated unsupported software.
> Had they provided you with a newer package, you wouldn't have had this
> problem.
Spiro, you're missing the point of a distro completely. That is to
provide a functionally static platform for people to use and release to.
From that point on, only security patches are released. The fact that
0.94.x was current when debian lenny was released means that it should
stay that way until EOL of the distro.

Anything else is breaking at least the spirit of the distro release
philosophy.

Sure you can use a different model, like including the volatile and / or
backports packages, but that's not the point. I've heard of these, but
then I'm a career sysadmin. How many servers out there are managed by
those, rather than just relying on the testing performed by
debian/redhat/novell, etc?

Steve.


--
Steve Holdoway <steve@greengecko.co.nz>
http://www.greengecko.co.nz
MSN: steve@greengecko.co.nz
Skype: sholdowa
Re: illegal or not, make a valid argument (was "no subject")
On Apr 21, 2010, at 11:44 AM, Simon Hobson wrote:

<snip>
>>
>
> Here we go again, you are introducing something irrelevant to try
> and justify your actions. Yes, I know what the licence says - but
> that merely says I cannot expect support from you, and I can't
> complain if it doesn't work. That still does not mean I am giving
> you permission to enter my property and make changes - it just means
> that you are under no obligation to provide support or updates.
>
> That's the whole point - I'm NOT complaining that you aren't
> providing support, and I'm not claiming damages. I'm complaining
> because you have gone well beyond "not providing support" by
> actively disabling a program that you deemed I shouldn't be running
> according to your view of how the computing world should run.
> Nothing in that licence or any implied agreement for you to update
> my server allows for that - and under UK law what you did was
> illegal (and under US law if what I understand of the Gary McKinnon
> case is right).

Well, you obviously do not understand the Gary McKinnon case right. Not
a single person connected in any way or form "reached out and touched
any system". All affected systems made a connection to a ClamAV
mirror somewhere in the world and downloaded a database of signatures.
Clamd, by its very design (in effect since before version 0.94), did
exactly what it was supposed to do, which is shut down in the event of
a database it could not digest.
In the Gary McKinnon case, he actively sought out these computers he
is charged with allegedly hacking into, and rifled through the
computer contents. I do not see any remote connection between this and
what ClamAV has done.
<snip>

> --
> Simon Hobson
>

Jim

Re: (no subject)
On Apr 21, 2010, at 1:19 PM, Steve Wray wrote:

> Spiro Harvey wrote:
>> On Wed, 21 Apr 2010 14:36:17 +1200
>> Steve Wray <steve.wray@cwa.co.nz> wrote:
>>> I know that in certain jurisdictions, reaching out to someone
>>> else's computer (i.e. not your property) and disabling functionality
>>> on it could constitute a criminal act.
>>> I sincerely hope that someone somewhere under such a jurisdiction
>>> goes to the police and reports the Clamav developers for such an
>>> offense.
>> Points to consider:
>> 4. What did you pay for the software?
>> 5. Where's your contract with them?
>
> This is part of the attitude problem from many open source projects.
>
> They are (too often) run by technicians and programmers with no
> input from the business side.
>
> What the Clamav team did, I can't believe it would have made it
> through a business analyst and I can't believe that any executive
> would have signed off on something like that after considering the
> potential impact it could have on their clients.

Possibly true for a commercial company, but that would have been to
protect their revenue stream. In this case, ClamAV's revenue stream
was not affected, so needlessly spending money on alternate methods would
most likely have been prohibited by the same business analyst.
>
> For the last 4 years or so I have had to shift my mindset from that
> of pure sysadmin to taking business considerations into account; it's
> very easy for someone who is absorbed with programming and
> engineering to forget that IT is there to support business and that
> business is not there to support IT.
>
> This is something that I personally have struggled hard with; it can
> be difficult for a 'geek' to move in that direction. But it's very,
> very important if OSS is to be taken seriously in the enterprise.
>
> So many OSS projects do not view their users as clients or
> customers; they view them either as experimental subjects or as
> fellow experimenters. They only take the technical considerations
> into account and largely ignore potential impact on business.
>
> This is true both of the Clamav developers and of those people who
> didn't take precautions against potential problems such as the
> Clamav developers introduced. (And make no mistake; a problem was
> *created* by the Clamav team, a problem that did not exist prior to
> the changes they made).
>
> I have been using Linux since 1991 and I have seen a lot of positive
> change in that time. I have seen it go from crazy 'fringe' to being
> widely accepted in the enterprise. But shenanigans like this can
> risk all of that hard work.
>
> This is why I raised the legal and ethical issue; because that is
> what the business end should be considering and it's what the
> technical end only rarely considers.
>
> I understand that Clamav is free as in 'beer' and that there is no
> legal contract with the Clamav team. However, Clamav has a parent
> company, Sourcefire, which is listed on Nasdaq and is a 'proper'
> corporation.

Yes, but still the same business analysts would not want to spend
money where it was not affecting a revenue stream.
>
> I have written to them to find out what they think of this, if
> anything at all...
>
> Sourcefire actually have executives and a general counsel and I am
> sure that they employ business analysts as well. I will be
> interested to see if what the Clamav team did is condoned by the
> parent company which clearly has some business acumen behind it.
>
>
> Don't get distracted by issues such as "Oh those bad silly sysadmins
> out there who messed up, it's really *their* fault not the fault of
> the Clamav developers!" That is just *not* helpful. The damage is
> already done; damage to people's systems and damage to the reputation
> not only of Clamav but of OSS in general.

Jim

Re: (no subject)
On Apr 21, 2010, at 1:51 PM, Steve Wray wrote:

> Peter Bonivart wrote:
>> On Wed, Apr 21, 2010 at 10:39 PM, Christopher X. Candreva
>> <chris@westnet.com> wrote:
>>> IMHO, open source projects don't have a business side.
>>>
>>> Opensource projects exist for the developers to get the software
>>> they need, faster, through collaboration with others. If anyone else
>>> finds it useful that's an added bonus. But if no one other than the
>>> devs use it themselves, the project has fulfilled its purpose.
>>>
>>> Adding business value is the job of the distros, or Apple if they
>>> include it, or myself as an ISP. That's why I said before I think the
>>> real let-down here are the distros that didn't do anything about it.
>>>
>>> Extreme? Maybe, but that's why I use open-source, for getting best of
>>> breed, newest, breaking with history when needed.
>
> This would be ok if the distros maintained the servers which their
> distributed version of Clamav updated from.
>
> They don't. The responsibility in this case is that of those who
> maintain Clamav, not the distros.
>
> I would suggest that distros may want to take note of this
> situation; it's perhaps not unreasonable for them to maintain e.g.
> their own Clamav update servers.
>

Why would you think that it is not the distro's responsibility? They
are the ONLY ones responsible for what they include and all the
software they include is OSS or they could not afford to "give it away".

There is absolutely nothing to stop them from doing so and this list
is filled with instructions on how to do so.

Jim
Re: (no subject)
On Apr 21, 2010, at 2:09 PM, Steve Wray wrote:

> Spiro Harvey wrote:
>> On Thu, 22 Apr 2010 08:51:00 +1200
>> Steve Wray <steve.wray@cwa.co.nz> wrote:
>>> This would be ok if the distros maintained the servers which their
>>> distributed version of Clamav updated from.
>>> They don't. The responsibility in this case is that of those who
>>> maintain Clamav, not the distros.
>>> I would suggest that distros may want to take note of this situation;
>>> it's perhaps not unreasonable for them to maintain e.g. their own
>>> Clamav update servers.
>> But the distros are the ones who gave you outdated unsupported
>> software. Had they provided you with a newer package, you wouldn't
>> have had this problem.
>
> I didn't have this problem.
>
> I am just worried that OSS is *still* having problems dealing with
> basic business commonsense.
>
>
>> Are you suggesting that if your distribution had packaged ClamAV 0.96
>> and your server(s) didn't break, that you would *still* be upset?
>> Just on principle?
>
> I am not upset; I am concerned for OSS and for the way that this
> reflects badly on it. And yes, I really do think it has been bad PR.
>

I would look again if you think that to be true. Outside of this and
other mailing lists, there is very little mention of this as compared
to the big news of McAfee's db update debacle today.

Jim

Re: Clubbing a deceased equine
On Apr 21, 2010, at 2:48 PM, Robert Wyatt wrote:

> Eray Aslan wrote:
>> Does anyone have access to legal opinion for a lawsuit against clamav
>> developers or its parent company? Perhaps Germany is the better place
>> for it.
>
> Yeah, I've got a legal opinion for you. You have no standing to
> recover any damages and any suit you file would be subject to a
> counterclaim for a frivolous lawsuit.

And I hope you do file a frivolous lawsuit and lose your shirt in
court and lawyer fees. Lawyers will only be too happy to take your
money for your lost cause.

Jim