On 7/26/2011 8:59 PM, Gianluigi Tiesi wrote:
> On 27/07/2011 2.17, Nathan Gibbs wrote:
>> On 7/26/2011 5:40 PM, Beppe Di Maio wrote:
>>> On Mon, Jul 25, 2011 at 9:36 PM, Nathan Gibbs <[email protected]>
>>> wrote:
>>>
>>>> Good QA, accountability, distribution, how convenient.
>>>> Now what if I want to produce and sign my own cvd's for my own use, and
>>>> not hand them to you first.
>>>
>>> I guess that the ClamAV team is trying to encourage their userbase to
>>> write signatures
>>> and distribute them for everyone's benefit. I see nothing wrong with it.
>>> At the same time they want to make sure that the cure is not worse
>>> than the problem itself,
>>> i.e. the 3rdparty signatures must not trigger too many false positives.
>>>
>>> Soon it will be possible to enable 3rd party dbs in a breeze! That's
>>> great news for us :)
>>> Reporting false positives will be easier too.
>>>
>>> Bye,
>>>
>>
>> Don't misunderstand me, if you are a developer or user of 3rd party sigs
>> that are intended for mass distribution, this is awesome.
>> Go for it, definitely make use of the QA infrastructure being offered
>> it's great.
>>
>> I'm just pointing out that there is still a problem here. Mainly
>> control of the sig signing process. Which boils down to the question, is
>> the sig signing code open source?
>> If it is, I haven't seen it.
>>
>
> No (at least atm). With the server signing code you could create your
> own key, setup a server infrastructure with signing, distribute your cvd
> files

That would be cool, I'd like to try that.

> , and finally ship a modified clamav to have your db verified.
>

There's the hangup.
Let me guess, the public key or keys are hardcoded into freshclam somewhere.

If so, this is conceptually easy to implement.
Have the DB verification code work through a list of public keys, and
add a publickey or similar option to freshclam.conf, that adds keys to
the list.

3rd parties could do their own signing.
Then they could distribute the public key and the cvd.
Of course, then open source the cvd signing code.
Sig Developers could sign their own sigs.

As Luca said ClamAV users will be able to download the third party
databases using freshclam, by adding a single line to freshclam.conf,
what should make signature maintenance significantly easier.

It could even be possible to enable freshclam to download the public key.

> I suspect it's just easier to use clamav server/sign

Unless, I just want to do the whole cvd signing thing internally.

> and simply add
> your db to the configuration of an unmodified freshclamav.
>

ROFL :-)
You're saying that to the wrong person.
Clamav hacking happens over here.
And I know it does over there too. :-)
Clamwin is an awesome project.

-- 
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com
