On Jul 26, 2011, at 4:53 PM, Nathan Gibbs wrote:
> As I stated previously.
> Open source the signing methodology and / or code.
> This is an open source project, Right?

ClamAV is primarily under the GPLv2 license, yes, and various components like 
bzip, zlib, SHA256, etc. are under BSD'ish licenses.

> Someone can't use this project to meet their needs because not
> everything in the project has been open sourced.
> 
> Saying that
> "you can't create digitally signed CVD files, this can only be done by the 
> ClamAV team. "
> flies in the face of what open source is all about.

The ClamAV folks aren't willing to release their own private signing key for 
CVD format, but they aren't under any obligation to do so, either.  Lots of 
people and businesses manage to do both open source in some aspect, and closed 
source in other aspects. 

As it stands, you've got the source for sigtool/sigtool.c's getdsig() and 
libclamav/dsig.c cli_versig() & cli_versig2().  There's nothing preventing you 
from adapting it to recognize additional digital signatures of your own 
design, if you so choose.

Regards,
-- 
-Chuck
