On Friday last week we opened it up to allow wget and curl to download the ClamAV release packages. I was told yesterday that Cloudflare blocked downloads after those changes were made, in order to protect against an alleged DoS event. I'll check in with our Cloudflare admins again tomorrow morning. Sorry everyone for the inconvenience. For now, I hope the user-agent trick will suffice.
I've also seen the comments here about how 0.103 LTS should be more prominently listed on our Downloads page. I 100% agree. I'm working with the Talos web team to see if we can upgrade the ClamAV.net Downloads page in a few different ways. Cheers, Micah Micah Snyder ClamAV Development Talos Cisco Systems, Inc. ________________________________ From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Joel Esler via clamav-users <clamav-users@lists.clamav.net> Sent: Wednesday, March 16, 2022 1:50 PM To: ClamAV users ML <clamav-users@lists.clamav.net> Cc: Joel Esler <joel.es...@me.com> Subject: Re: [clamav-users] ClamAV 0.105 release candidate I think you vastly overestimate the size of the audience that has that problem. — Sent from my iPad > On Mar 16, 2022, at 16:23, Bowie Bailey via clamav-users > <clamav-users@lists.clamav.net> wrote: > > On 3/16/2022 12:35 PM, G.W. Haywood via clamav-users wrote: >> Hi there, >> >>> On Wed, 16 Mar 2022, Bowie Bailey via clamav-users wrote: >>> On 3/16/2022 10:09 AM, Joel Esler via clamav-users wrote: >>>> On Mar 16, 2022, at 5:35 AM, Gary R. Schmidt <grschm...@acm.org> wrote: >>>>> On 16/03/2022 20:19, Christoph Moench-Tegeder via clamav-users wrote: >>>>>> ## Joel Esler via clamav-users (clamav-users@lists.clamav.net): >>>>>>> >>>>>>> Can’t use wget. >>>>>> >>>>>> Looks like "can't use anything which doesn't look like a web browser", >>>>>> as BSD fetch hits the 403, too. >>>>>> That's a major PITA on the BSD side (just like openSuse), but it >>>>>> was working just fine at the time of the 0.104.2 release (and all >>>>>> the time prior to that). Is there any reason behind making the source >>>>>> (not talking about the database files) inaccessible like that? >>>>> >>>>> Hanlon's Razor: "Never attribute to malice what can be adequately >>>>> explained by neglect, ignorance, or incompetence." >>>>> >>>>> With the added FLOSS variant, "or trying to show just how much smarter >>>>> they are than everybody else.” >>>> >>>> It was done because there are people that download the entire ClamAV >>>> package from the same every every 1 minute and do a complete reinstall. >>> >>> Why not simply block the IP addresses that are doing excessive downloads? >>> There can't be that many people who are doing constant rebuilds. >>> >>> The system I use for building ClamAV has no GUI. I download the files by >>> grabbing the URL from my desktop and then pasting it into a wget on the >>> build machine. Am I going to have to make wget spoof its user-agent every >>> time I need to update ClamAV? ... >> >> I don't see much in the way of sympathy for a company that spends good >> money on a content delivery network in order to provide a FREE service >> to the community, only then to take flak from that same community when >> they are obliged to prevent literally hundreds of thousands of what I >> can only describe as scrotes from flagrantly abusing the service. > > That was my point. They are inconveniencing their users with a change that > is unlikely to slow down these abusers for any length of time. > >> Before grumbling about the implementation of the solutions, would it >> not at least be reasonable to find out what the problems are? > > I understand the problem. I just don't see this as a good solution. > >> How often do you update ClamAV? It must be all of a thirty-second job >> to write a user agent string, and e.g. pop it in a 'bash' alias. > > And all of the people who are doing excessive downloads will spend the same > 30 seconds and then be back in business. So what has been gained? A few > days or weeks of reduced server load until they all update their scripts and > then you are right back where you started. > > At the same time, every ClamAV user (new or existing) that wants to download > from the command line will have to spend time figuring out why they are > getting errors trying to download from the published links. Since this > software is designed to be used on a server, that will probably be a decent > percentage of the user base who are all going to have to figure out this > undocumented issue (since documenting the work-around would kind of defeat > the point). I would bet that quite a few prospective new users will simply > give up on ClamAV and assume the website is broken when they keep getting > "403 forbidden" on the downloads. > > -- > Bowie > > _______________________________________________ > > clamav-users mailing list > clamav-users@lists.clamav.net > https://lists.clamav.net/mailman/listinfo/clamav-users > > > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
_______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
