On 4/21/10 11:16 AM, Stephen Gran wrote:

Faced with an old release of software that will die if the team uses
new functionality due to a known bug, and people who will not upgrade
to the version that fixes this bug, and a reasonably urgent need to use
the new functionality, what exactly would you have done differently?
Would you have ignored the issue and just started using the new
functionality, leading to people running older releases getting clamd
crashes with incomprehensible error messages?  Would you have contacted
everyone personally to ask their permission?

I think the people who got caught with old software have to accept 100% of the blame if they, their systems, and processes are not resilient enough to cope with change. It seems obvious in reading the warning and the bug report that was filed in Feb of 2009 that large signatures, which are now necessary, would break older versions. Even if a killer sig were not sent out, subsequent sigs would have resulted in the same thing - clamd would die.

But let's consider that perhaps there was a way to craft the signature servers in such a way that older freshclam versions would be prohibited from downloading new signatures, thus allowing clamd to run forever with the last valid signatures still in place. All well and good, no failures, but now clamd is falling behind. Now who is to blame for that? And what happens to all the people who prefer or need to use http rather than Freshclam to dl signatures? They don't benefit from this graceful change-over and their systems die. Who's to blame for that?

Part II - what happens with third-party signature providers? Their products are not downloaded with Freshclam and they have no direct connection to the clamAV users, and no way to notify anyone. One day they create some great new signatures that do a great job for everyone who has been keeping systems current, but older systems die as soon as the signatures are moved to the working directory. Who to blame? If I were Steve Basford reading this thread I'd zero-byte all signature files and shut off the process and reclaim my life. There's no way I'm going to take the hit for incompetence in the user community.

Part III - Not everyone who uses ClamAV is a ClamAV customer. Many people cannot build the software from source because they lack the skill, time, interest, tools (pick one) and so depend on builders to roll out RPMs with the most recent version. What happens when a packager decides to stop supporting a particular version of, say, Debian that has been EOL for half a decade? No upgrade is available and those systems die. What happens if the builder simply doesn't have time to create packages for every supported version of the OS? Who to blame? What about all those people who bought mail appliances, hardware or software, no matter, and who have no idea what is running in the system? Who do they blame when the appliance dies because of signature format?

Who to blame? This is really easy. You blame whoever has root access on the failed system and who uniquely owns the responsibility to keep it current.

dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml