Spiro Harvey wrote:
On Wed, 21 Apr 2010 14:36:17 +1200
Steve Wray <steve.w...@cwa.co.nz> wrote:
I know that in certain jurisdictions, reaching out to someone else's
computer (i.e. not your property) and disabling functionality on it
could constitute a criminal act.
I sincerely hope that someone somewhere under such a jurisdiction
goes to the police and reports the Clamav developers for such an
offense.
Points to consider:
4. What did you pay for the software?
5. Where's your contract with them?
This is part of the attitude problem from many open source projects.
They are (too often) run by technicians and programmers with no input from
the business side.
What the Clamav team did, I can't believe it would have made it through a
business analyst and I can't believe that any executive would have signed
off on something like that after considering the potential impact it could
have on their clients.
For the last 4 years or so I have had to shift my mindset from that of pure
sysadmin to taking business considerations into account; it's very easy for
someone who is absorbed with programming and engineering to forget that IT
is there to support business and that business is not there to support IT.
This is something that I personally have struggled hard with; it can be
difficult for a 'geek' to move in that direction. But it's very very
important if OSS is to be taken seriously in the enterprise.
So many OSS projects do not view their users as clients or customers; they
view them either as experimental subjects or as fellow experimenters. They
only take the technical considerations into account and largely ignore
potential impact on business.
This is true both of the Clamav developers and of those people who didn't
take precautions against potential problems such as the Clamav developers
introduced. (And make no mistake; a problem was *created* by the Clamav
team, a problem that did not exist prior to the changes they made).
I have been using Linux since 1991 and I have seen a lot of positive change
in that time. I have seen it go from crazy 'fringe' to being widely
accepted in the enterprise. But shenanigans like this can risk all of that
hard work.
This is why I raised the legal and ethical issue; because that is what the
business end should be considering and it's what the technical end only
rarely considers.
I understand that Clamav is free as in 'beer' and that there is no legal
contract with the Clamav team. However, Clamav has a parent company,
Sourcefire, which is listed on Nasdaq and is a 'proper' corporation.
I have written to them to find out what they think of this, if anything at
all...
Sourcefire actually have executives and a general counsel and I am sure
that they employ business analysts as well. I will be interested to see if
what the Clamav team did is condoned by the parent company which clearly
has some business acumen behind it.
Don't get distracted by issues such as "Oh those bad silly sysadmins out
there who messed up, it's really *their* fault not the fault of the Clamav
developers!" That is just *not* helpful. The damage is already done; damage
to people's systems and damage to the reputation not only of Clamav but of
OSS in general.
--
Please remember that an email is just like a postcard; it is not
confidential nor private nor secure and can be read by many other people
than the intended recipient. A postcard can be read by anyone at the mail
sorting office and expecting what is written on it to be private and secret
is not realistic. Please hold no higher expectation of email.
If you need to send confidential information in an email you need to use
encryption. PGP is Pretty good for this.