On 7/26/2011 8:31 PM, Chuck Swiger wrote: > On Jul 26, 2011, at 4:53 PM, Nathan Gibbs wrote: >> As I stated previously. Open source the signing methodology and / >> or code. This is an open source project, Right? > > ClamAV is primarily under the GPLv2 license, yes, and various > components like bzip, zlib, SHA256, etc are under BSD'ish licenses. > >> Someone can't use this project to meet their needs because not >> everything in the project has been open sourced. >> >> Saying that "you can't create digitally signed CVD files, this can >> only be done by the ClamAV team. " flies in the face of what open >> source is all about. > > The ClamAV folks aren't willing to release their own private signing > key for CVD format, but they aren't under any obligation to do so, > either.
Understood, nor would I expect them to release their private signing key. LOL, that would be really bad. :-) > Lots of people and businesses manage to do both open source > in some aspect, and closed source in other aspects. > Right, sendmail, nessus, not sure, but I think some of sourcefire's stuff is closed too. You can do both. > As it stands, you've got the source for sigtool/sigtool.c's getdsig() > and libclamav/dsig.c cli_versig() & cli_versig2(). There's nothing > preventing you from adapting it to recognizing additional digital > signatures of your own design, if you so choose. > I understand that, not sure if they do. It was a member of the Clamav Team that said on the devel list "you can't create digitally signed CVD files, this can only be done by the ClamAV team." Maybe this is a new idea for a future CCEE Release. C Coders desperately needed now. This mod is too critical for me to try myself. I'm sure that I'd really mess it up. -- Sincerely, Nathan Gibbs Systems Administrator Christ Media http://www.cmpublishers.com
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
