David F. Skoll wrote:

> Dennis Peterson wrote:
>
>> They didn't turn it on and they didn't install it. They provided a
>> sample config that is incapable of running and which requires
>> administrative attention in order to use. What finally ends up
>> running on the system is your job and mine to manage.
>
> The sample config that requires attention is only applicable for new
> installations. If you do an upgrade, you keep your old configuration
> file.
No - I don't, actually. I used to do that until v. 0.87 or so, but got surprised by changes, and now I replace the config files with each upgrade if a scan shows any configuration choices have been added or removed (I run diff against the example files in the current version and the previous version). And lately I've taken to adding an RCS header to them to track the version they're appropriate for.

> Having new behaviour with an old configuration file is
> surprising, and avoiding surprises is always a good idea with security
> software.

Indeed. And now I understand better the problem's root cause, which is re-using old config files. Yikes!

> Look, in the end, you're right: System administrators
> ultimately have responsibility for whatever they install. However, I
> think it's legitimate for admins to ask developers politely not to
> surprise them.

Perhaps they should issue a warning or advisory against re-using the config files from previous versions, as this has the potential to introduce surprises.

dp

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
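The check described above (diffing the example config files of the previous and current version to see whether configuration choices were added or removed) as an added shell example; it is not code from the thread or from ClamAV. It assumes clamd.conf-style files with one directive per line (example files ship most directives commented out), and the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Report configuration directives added or removed between two versions of a
# ClamAV-style example config file, so an upgrade can decide whether the old
# config must be replaced and reviewed. Hypothetical helper, not part of ClamAV.
export LC_ALL=C   # deterministic collation for sort and comm

# Extract directive names: the first word of each line, including directives
# that example files ship commented out ("#LogFile ..."). Prose comments
# ("# some text") do not match because a space follows the '#'.
directive_names() {
    sed -n 's/^[[:space:]]*#*\([A-Za-z][A-Za-z0-9]*\).*/\1/p' "$1" | sort -u
}

# Print one "added:NAME" / "removed:NAME" line per directive whose presence
# differs between the old ($1) and new ($2) example files.
config_option_diff() {
    old_list=$(mktemp) && new_list=$(mktemp) || return 1
    directive_names "$1" > "$old_list"
    directive_names "$2" > "$new_list"
    comm -13 "$old_list" "$new_list" | sed 's/^/added:/'
    comm -23 "$old_list" "$new_list" | sed 's/^/removed:/'
    rm -f "$old_list" "$new_list"
}

# Exit status 0 when the directive set changed (replace and re-review the
# old config), 1 when it is unchanged (keeping the old config is safe).
config_options_changed() {
    [ -n "$(config_option_diff "$1" "$2")" ]
}

# Constructed sample files standing in for the previous and current
# clamd.conf examples (not the real distributed files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/clamd.conf.old" <<'EOF'
# Example config file for clamd (constructed sample)
Example
#LogFile /var/log/clamd.log
#ArchiveMaxFileSize 10M
#TCPSocket 3310
EOF
cat > "$SAMPLE_DIR/clamd.conf.new" <<'EOF'
# Example config file for clamd (constructed sample)
Example
#LogFile /var/log/clamd.log
#MaxFileSize 25M
#TCPSocket 3310
#BytecodeSecurity TrustSigned
EOF

config_option_diff "$SAMPLE_DIR/clamd.conf.old" "$SAMPLE_DIR/clamd.conf.new"
```

Run on the real example files of two releases, a non-empty report means the old config should not be carried over unreviewed.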