On Thu, 12 Apr 2007 16:25:01 -0700 Chuck Swiger <[EMAIL PROTECTED]> wrote:
> It seems to me that there are two issues here, not one, and that we > don't have to achieve a perfect solution to both in order to still > improve the situation. > > By this I mean that it would be nice if clamd/freshclam could confirm > whether a DB file has been downloaded completely and correctly, it does > perhaps by encoding the filesize and checksum into the header of the > cvd/ndb/inc files. (In fact, I think that if GNU MP is available, > ClamAV already does such sanity checking-- sigtool seems to show a > MD5 and digital signature from .cvd files, at least. But there seems > to be a problem where some of the time, if freshclam's attempt to get > an update results in a failed download, it does not revert back to > using the former version of the database. This seems to be the it does revert > failure mode with the recent major update that has spawned much email > to the list recently.) > > The second issue is whether a given DB file is trusted. > > There are plenty of public-key systems available-- using X.509 certs > and having the local admin list which server keys are trusted, and > have database downloads or updates happen only if freshclam can > negotiate a TLS session with a server cert which is trusted would do; > another choice, which probably would be easier on the update servers, > would be to use GnuPG/OpenPGP/etc and have published .sig file for > the cvd/ndb/inc files-- have freshclam invoke "gpg --verify", which freshclam already supports digital signatures > tests both the integrity of the DB file, and checks whether the local > admin has added the signer of the file to their keyring to indicate > that they trust that person to publish updates. > > So if I want to utilize the Sane or MSRBL databases, and they were > published with a .sig file, it would be up to me to import the > signing key into the clamav (or vscan or whatever user account ClamAV > runs as)'s keyring. for 3rd party databases this can be managed with a simple script, no need for adding a keyring manager to ClamAV -- oo ..... Tomasz Kojm <[EMAIL PROTECTED]> (\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg \..........._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Fri Apr 13 01:31:48 CEST 2007 _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html