On Apr 12, 2007, at 5:02 PM, Dennis Peterson wrote:
> Tomasz Kojm <[EMAIL PROTECTED]> wrote:
>> for 3rd party databases this can be managed with a simple script,
>> no need for adding a keyring manager to ClamAV
>
> I swear it was just 8 weeks ago or so when we last had this discussion
> and all manner of fine ideas and scripts came out of it. Methinks some
> folks need to crawl the archives.

Would these fine scripts have prevented the problems a dozen or so people (Luigi Iotti, Shane Wise, etc) reported in the thread "Clamav suddenly died on several boxes"? Or would it be more accurate to say that somebody's fine script or cron job actually failed to work as well as one would hope it should...?

[ Note that I have never encountered a problem with clamd/freshclam from 0.88.x, but 0.90.x seems to not be as reliable thus far, and I'll probably hold off updating to it until a month or two goes by without significant problems being reported to the list. YMMV. ]

Secondly, my point about using some form of PKI or key management was to address this comment by Tomasz:

"There's no perfect solution to this problem. The only good one I could think of is an option to clamscan/clamd that would only allow loading of digitally signed databases and ignore all the rest. Of course, external dbs (sane, msrbl, etc.) would no longer be supported in such a mode."

From what I've seen, the SaneSecurity & MSRBL databases are released as .ndb files, and not as the signed cvd/inc files. The key question is why-- do these third parties not have the ability to release signed databases by using the "sigtool --server" option and the "ClamAV Signing Service address"?

If so, then using some form of key management like GnuPG seems to be a reasonable solution, as the individual admins can choose which signing keys they want ClamAV to trust.

-- 
-Chuck
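
The GnuPG-based trust model discussed in this message, sketched as an added example (not code from the thread, from ClamAV, or from any database publisher): a wrapper that installs a third-party `.ndb` file only when its detached signature verifies against a keyring the admin controls. The function name `install_signed_db`, the `<db>.sig` naming convention and all paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumptions (not from the thread): the publisher ships a
# detached signature "<db>.sig" beside each database, and the admin has put
# only the public keys they trust into the keyring file passed as $2.

install_signed_db() {
    db=$1        # downloaded database in a staging directory
    keyring=$2   # keyring holding only the signing keys this admin trusts
    dbdir=$3     # ClamAV database directory (site-specific)
    sig="$db.sig"

    # Refuse anything that arrives empty or without a signature.
    [ -s "$db" ] || { echo "refused: $db missing or empty" >&2; return 1; }
    [ -s "$sig" ] || { echo "refused: no signature for $db" >&2; return 1; }
    [ -r "$keyring" ] || { echo "refused: keyring unreadable" >&2; return 1; }

    # gpgv verifies against this keyring only. A signature made by a key
    # that is not in it fails, which is how the admin chooses publishers.
    # A missing gpgv binary also lands here, so the default is to refuse.
    if ! gpgv --keyring "$keyring" "$sig" "$db" >/dev/null 2>&1; then
        echo "refused: bad or untrusted signature on $db" >&2
        return 1
    fi

    # Copy under a temporary name, then rename, so the database appears
    # under its final name in a single step.
    name=$(basename "$db")
    tmp="$dbdir/.$name.$$"
    if cp "$db" "$tmp" && mv "$tmp" "$dbdir/$name"; then
        echo "installed: $name"
    else
        rm -f "$tmp"
        echo "refused: could not write to $dbdir" >&2
        return 1
    fi
}

# Usage (paths are placeholders):
#   install_signed_db /tmp/stage/example.ndb /etc/clamav/trusted.gpg /var/lib/clamav
```

The download step stages files outside the live database directory, so an unsigned or tampered file is never visible to clamd.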