Tomasz Kojm wrote:

> Due to security reasons all bytecodes need to be digitally signed,
> so no 3rd parties will be able to inject any code into your installations.

I believe this is the same security model used by Microsoft for ActiveX. (NOTE: I am in no way implying that your bytecode interpreter is as dangerous. I am implying that anyone can make an honest mistake and sign buggy code, or have his private key compromised.)

> When it comes to vulnerabilities, they will not be that critical as
> vulnerabilities in the regular code since all bytecodes can be remotely
> fixed/removed.

OK... here's another question: ClamAV is licensed under the GPL. Your bytecode programs are distributed in object-code format. Will you make the corresponding source code available? What language is the source code written in?

It makes me nervous to see a GPLd project starting to rely heavily on code for which source may or may not be available. Unless you are careful, this could be the beginning of ClamAV's changeover to a non-open-source system.

When a new release of Clam comes out, I download it, import it into my git tree, and carefully go through the "git diff" output. I can see what's new. When new bytecodes are released... *shrug* I have no idea what they do.

Regards,

David.
