On 27/07/2011 2.17, Nathan Gibbs wrote:
> On 7/26/2011 5:40 PM, Beppe Di Maio wrote:
>> On Mon, Jul 25, 2011 at 9:36 PM, Nathan Gibbs <[email protected]>
>> wrote:
>>
>>> Good QA, accountability, distribution, how convenient.
>>> Now what if I want to produce and sign my own cvd's for my own use, and
>>> not hand them to you first.
>>
>> I guess that the ClamAV team is trying to encourage their userbase to
>> write signatures
>> and distribute them for everyone's benefit. I see nothing wrong with it.
>> At the same time they want to make sure that the cure is not worse
>> than the problem itself,
>> i.e. the 3rdparty signatures must not trigger too many false positives.
>>
>> Soon it will be possible to enable 3rd party dbs in a breeze! That's
>> great news for us :)
>> Reporting false positives will be easier too.
>>
>> Bye,
>>
>
> Don't misunderstand me, if you are a developer or user of 3rd party sigs
> that are intended for mass distribution, this is awesome.
> Go for it, definitely make use of the QA infrastructure being offered
> it's great.
>
> I'm just pointing out that there is still a problem here. Mainly
> control of the sig signing process. Which boils down to the question, is
> the sig signing code open source?
> If it is, I haven't seen it.
>
No (at least atm).
With the server signing code you could create your own key, set up a
server infrastructure with signing, distribute your cvd files, and
finally ship a modified clamav to have your db verified.

I suspect it's just easier to use clamav server/sign and simply add
your db to the configuration of an unmodified freshclamav.

Regards

-- 
Gianluigi Tiesi <[email protected]>
EDP Project Leader
Netfarm S.r.l. - http://www.netfarm.it/
Free Software: http://oss.netfarm.it/
