Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Dennis Peterson

On 4/19/10 1:17 PM, Dan wrote:

Really, a mission-critical
product such as ClamAV needs to be watched by the sysadmin, not left for
someone else to do it for you.



You've passed the IQ test.

Next.

dp
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Dan

At 7:08 PM +0200 4/19/2010, aCaB wrote:

Paul Reading wrote:

 I am using OSX Server 10.4.11 and it is at least five years old and the
 latest version of Snow Leopard server includes a more recent version of
 clamav. I assumed that the use of clamav was negotiated by Apple and
 Clamav and that there would have been some direct contact. The Apple
 boards are full of users with dead mail servers.


No negotiation needed, it's free software.
Apple takes it and package it as they like. They decide what version to
ship and if/when to deliver updates. No question asked.


Apple is notorious for being way behind the curve with the 3rd party 
stuff included with OS X and OS X Server.  Really, a mission-critical 
product such as ClamAV needs to be watched by the sysadmin, not left 
for someone else to do it for you.


- Dan.
--
- Psychoceramic Emeritus; South Jersey, USA, Earth.


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Simon Hobson

Eric Rostetter wrote:


Let's look at this from the OS "community" point of view...


...


I thought, yeah, I
can live with that.  That won't impact me in any real way.  I don't have
a problem with that.  I didn't think about others.  I didn't try to come
up with other solutions.  I didn't try to foresee problems and try to
correct them.  I didn't think to check that the documentation was in place.
I didn't think to notify distributions, or packagers, or any one else.  I
didn't seek to publicize this in either a positive or negative light.  In
short, I failed as a community member.  And a lot of others did too.

So let's learn from this.  Let's make this a better community around
clamav.  The best way to stop this kind of stuff is to take an active
role in the community, not to bitch about it to the project leaders after
we fail to show any interest in it.

Yes, we all know that something had to be done, but just two days 
ago, the argument most definitely was that there was **NO** other 
option - absolutely no other option and this was the **ONLY** way 
to do it.


For six months, there was NO argument at all. That is where the system
failed...  What happened in the last week is not the problem.  It is the
fall out of the problem.  The problem is apathy.  The solution is an active
community.


Thanks. That is probably the most constructive thing said in the last few days.

Not in this particular saga as I wasn't involved, but in other areas 
I would have to say I could hold my hand up and say guilty of all 
those at some time or other - it can be hard to see things from a 
perspective outside of your own little box. And it's even easier to 
look back after the fact and say "that's not how I'd do it" - I've 
even done that about some of my own decisions from time to time.


It was a real eye opener for me when I changed jobs a few years ago - 
going from being personally responsible for all the technical stuff 
(and then some more) in the company and having an intimate knowledge 
of the networks, servers etc; and suddenly there I was on the other 
side of the fence having to deal with a multitude of different setups 
that I wasn't familiar with. I suddenly realised just what a hard 
time I'd given some of those (well paid) consultants over the 
previous years.


What we may, in hindsight, think of as being a ridiculous decision, 
probably seemed like a good idea at the time to those who had to make 
it - given their perspective of the world.


The positive thing everyone can take away from this is a better 
realisation of the diversity of ways people manage systems, and the 
diversity of views on how it should be done.



Paul Reading wrote:
Sorry to butt in.. I have just wasted a day trying to get my 
company's mail working again. We have an Apple xServe and knew 
nothing about clamav until we stopped receiving our email this 
morning. I don't know how you could have communicated with us on 
this one but perhaps it would have been better if you had somehow 
got Apple to update their customers by software update so that the 
un-initiated would not have needed to worry about this.


Here we have a prime example of the sort of user that's been really 
let down over this. I would have to hold my hand up and admit that it 
is to a certain extent my own fault for running older software, and 
that I have a route to fix it myself, but this chap is running what 
to him is "an appliance". There are a great many such appliances 
about, and many of them will be running older software for various 
reasons - in the case of OSX, there's a not inconsiderable cost in 
upgrading the server version between major releases, and (probably 
not relevant to an Xserve) an artificial restriction on age of 
hardware the newer versions will install on. For this class of user, 
a vendor (in this case Apple) has done all the porting and 
integration so that the user just has to administer it via a front 
end GUI - it's not reasonable to expect the user to learn about 
coding, building software etc.
It would be a good idea though for the vendor to be proactive in 
making sure the user they took money from isn't left in such a 
situation. Reading a few of the comments suggests Apple don't really 
have an official EoL policy/statement for OS X, and that they do 
sometimes do updates for older versions.


At least in Apple's case, they will have a partial list of users 
since the default is for a new install of the OS to bring up a 
registration program so you can register with Apple. It would have 
been nice if they'd used some of that information to notify those 
they could.


What version Apple provide I don't know - whilst I've run Xserves, I 
wasn't using the mail on them and it was some time ago. AFAIK, Apple 
do push updates to such third party packages with Software Update - 
as far as the user is concerned, this is an Apple supplied package 
and Apple provide the updates even if it is an open source program.



--
Simon Hobson


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Paul Reading

Thanks Chuck, I am just a guy running a light bulb wholesaling business.

 It took me all day to work out how to install 0.95.3. I am now happy  
because it works. I know the instructions said to set gcc to 4.0 (but  
that was default) but the thing is I don't know what gcc is and  
certainly do not know anything about PR bugs, bytecodes nor what O2 is  
as against O0 in the instructions.


I am going to leave you all alone as I feel responsible for thread  
drift, I just wanted you to see how these changes affect non-techie  
users (who didn't know they were users).


Cheers.

Paul.


On 19 Apr 2010, at 18:48, Chuck Swiger wrote:


Hi, all--

On Apr 19, 2010, at 9:59 AM, Paul Reading wrote:
I am using OSX Server 10.4.11 and it is at least five years old and  
the latest version of Snow Leopard server includes a more recent  
version of clamav. I assumed that the use of clamav was negotiated  
by Apple and Clamav and that there would have been some direct  
contact. The Apple boards are full of users with dead mail servers.


MacOS X 10.4.11 was released in Nov 2007, so that particular  
revision is about three years old.  You're right that Tiger/10.4.0  
was released almost exactly 5 years ago and is at EOL.


If you want to rebuild a newer ClamAV using similar paths to what  
Apple provided, please consider:


 http://lurker.clamav.net/message/20080408.224341.3337fdc3.en.html

...however, the PR28045 bug in the compiler should have been fixed  
with newer releases of XCode (which should take you up to gcc-4.2.1,  
which works well with the new LLVM bytecode stuff in clamav-0.96),  
so you should be able to use -O2 directly.


Regards,
--
-Chuck

PS: You can also file bug reports about this issue with 
https://bugreport.apple.com.  I would imagine that providing an update 
to at least ClamAV v0.95.4 is on someone's radar screen, but it doesn't 
hurt to encourage 'em.



Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Chuck Swiger
Hi, all--

On Apr 19, 2010, at 9:59 AM, Paul Reading wrote:
> I am using OSX Server 10.4.11 and it is at least five years old and the 
> latest version of Snow Leopard server includes a more recent version of 
> clamav. I assumed that the use of clamav was negotiated by Apple and Clamav 
> and that there would have been some direct contact. The Apple boards are full 
> of users with dead mail servers.

MacOS X 10.4.11 was released in Nov 2007, so that particular revision is about 
three years old.  You're right that Tiger/10.4.0 was released almost exactly 5 
years ago and is at EOL.

If you want to rebuild a newer ClamAV using similar paths to what Apple 
provided, please consider:

  http://lurker.clamav.net/message/20080408.224341.3337fdc3.en.html

...however, the PR28045 bug in the compiler should have been fixed with newer 
releases of XCode (which should take you up to gcc-4.2.1, which works well with 
the new LLVM bytecode stuff in clamav-0.96), so you should be able to use -O2 
directly.  

Regards,
-- 
-Chuck

PS: You can also file bug reports about this issue with 
https://bugreport.apple.com.  I would imagine that providing an update to at 
least ClamAV v0.95.4 is on someone's radar screen, but it doesn't hurt to 
encourage 'em.


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Robert Wyatt

aCaB wrote:

Paul Reading wrote:

I am using OSX Server 10.4.11 and it is at least five years old and the
latest version of Snow Leopard server includes a more recent version of
clamav. I assumed that the use of clamav was negotiated by Apple and
Clamav and that there would have been some direct contact. The Apple
boards are full of users with dead mail servers.


No negotiation needed, it's free software.
Apple takes it and package it as they like. They decide what version to
ship and if/when to deliver updates. No question asked.

--acab


Not that it doesn't happen (I'm really not sure), but I don't recall 
Apple ever updating third-party apps with SoftwareUpdate. Is there a 
developer mailing list at Apple for clamav or for xServe? (I haven't 
seen one.)


Also, while you're looking at this, you might want to review moving on 
from an EOL operating system (10.4.11 is EOL).


At any rate, a solution for you might involve finkproject.org; you'll 
find that they have made 95.3 available for your operating system:

http://pdb.finkproject.org/pdb/browse.php?summary=clamav

Good luck,
Robert


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread aCaB
Paul Reading wrote:
> I am using OSX Server 10.4.11 and it is at least five years old and the
> latest version of Snow Leopard server includes a more recent version of
> clamav. I assumed that the use of clamav was negotiated by Apple and
> Clamav and that there would have been some direct contact. The Apple
> boards are full of users with dead mail servers.

No negotiation needed, it's free software.
Apple takes it and package it as they like. They decide what version to
ship and if/when to deliver updates. No question asked.

--acab


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Paul Reading
I am using OSX Server 10.4.11 and it is at least five years old and  
the latest version of Snow Leopard server includes a more recent  
version of clamav. I assumed that the use of clamav was negotiated by  
Apple and Clamav and that there would have been some direct contact.  
The Apple boards are full of users with dead mail servers.



On 19 Apr 2010, at 17:54, Rob MacGregor wrote:


On Mon, Apr 19, 2010 at 17:34, Paul Reading
 wrote:
Sorry to butt in.. I have just wasted a day trying to get my company's mail
working again. We have an Apple xServe and knew nothing about clamav until
we stopped receiving our email this morning. I don't know how you could have
communicated with us on this one but perhaps it would have been better if
you had somehow got Apple to update their customers by software update so
that the un-initiated would not have needed to worry about this.


It's entirely possible that the ClamAV team didn't know that Apple had
taken the decisions to:

1) Install ClamAV on xServe
2) Not keep people even vaguely up to date

--
Please keep list traffic on the list.

Rob MacGregor
 Whoever fights monsters should see to it that in the process he
   doesn't become a monster.  Friedrich Nietzsche


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Rob MacGregor
On Mon, Apr 19, 2010 at 17:34, Paul Reading
 wrote:
> Sorry to butt in.. I have just wasted a day trying to get my company's mail
> working again. We have an Apple xServe and knew nothing about clamav until
> we stopped receiving our email this morning. I don't know how you could have
> communicated with us on this one but perhaps it would have been better if
> you had somehow got Apple to update their customers by software update so
> that the un-initiated would not have needed to worry about this.

It's entirely possible that the ClamAV team didn't know that Apple had
taken the decisions to:

1) Install ClamAV on xServe
2) Not keep people even vaguely up to date

-- 
 Please keep list traffic on the list.

Rob MacGregor
  Whoever fights monsters should see to it that in the process he
doesn't become a monster.  Friedrich Nietzsche


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Paul Reading
Sorry to butt in.. I have just wasted a day trying to get my company's  
mail working again. We have an Apple xServe and knew nothing about  
clamav until we stopped receiving our email this morning. I don't know  
how you could have communicated with us on this one but perhaps it  
would have been better if you had somehow got Apple to update their  
customers by software update so that the un-initiated would not have  
needed to worry about this.



On 19 Apr 2010, at 17:09, Jim Preston wrote:


On Apr 19, 2010, at 9:00 AM, Simon Hobson wrote:


Jim Preston wrote:

Forcing an upgrade by flipping a kill switch was AN option, but  
it wasn't the only one.


No one is arguing that there weren't other options. However, it  
was their decision to make to move forward with incompatible  
signatures to support new features. Code changes were put into  
0.95.3 (and maybe earlier in the 0.95 tree) which allows clamd to  
continue running with the new signatures and just does not use  
them. That is not the issue, the issue is pre 0.95 could not  
handle the new signatures and everyone had 6 months do something  
about it.


Yes, we all know that something had to be done, but just two days  
ago, the argument most definitely was that there was **NO** other  
option - absolutely no other option and this was the **ONLY** way  
to do it.


Now you at least are coming round to the acceptance that there were  
other options. That has been part of people's objections - apart  
from choosing the option they did, at least in these threads, the  
argument has been that "there was **NO** other option", which quite  
frankly was never accepted as true or reasonable.


Lessons to be learned on both sides I think.

--
Simon Hobson



No, Simon, if you read some of my earlier posts I stated it was  
their decision to make and had taken measures to give users / admins  
6 months to do something about. They apparently also allowed users /  
admins to comment on their plan and when objections were not forth  
coming, went ahead as planned. After that this thread diverged into  
other tangents


Jim



Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Jim Preston

On Apr 19, 2010, at 9:29 AM, Eric Rostetter wrote:


Quoting Simon Hobson :

Let's look at this from the OS "community" point of view...

We on this mailing list are part of the clamav open source  
community...

As such, it is not clamav who failed, but it is us, the clamav
open source community, who failed...

When clamav asked about doing this, we failed to:

  1) Think about how it would affect others rather than ourselves
  2) Provide alternative ideas for their consideration
  3) Urge them to reconsider, or to do more to mitigate the problems it might
     cause
  4) Verify that the needed info if the change does happen is widely
     available to others, such as:
     a) that the FAQ was updated for this
     b) that we notified the various packagers and distributions about it
     c) that we got the word out via slashdot, blogs, mailing lists, etc.


I could go on.  But the point is, if you believe in "an active open source
community" around a project, then we failed.  We were not active, we didn't
act like a community.  I at least was just selfish.  I thought, yeah, I
can live with that.  That won't impact me in any real way.  I don't have
a problem with that.  I didn't think about others.  I didn't try to come
up with other solutions.  I didn't try to foresee problems and try to
correct them.  I didn't think to check that the documentation was in place.
I didn't think to notify distributions, or packagers, or any one else.  I
didn't seek to publicize this in either a positive or negative light.  In
short, I failed as a community member.  And a lot of others did too.

So let's learn from this.  Let's make this a better community around
clamav.  The best way to stop this kind of stuff is to take an active
role in the community, not to bitch about it to the project leaders after
we fail to show any interest in it.

Yes, we all know that something had to be done, but just two days  
ago, the argument most definitely was that there was **NO** other  
option - absolutely no other option and this was the **ONLY** way  
to do it.


For six months, there was NO argument at all. That is where the system
failed...  What happened in the last week is not the problem.  It is the
fall out of the problem.  The problem is apathy.  The solution is an active
community.

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!



I agree, I too did not pay much attention except insuring I was  
running 0.95.3 and accept my blame for my apathy in participation


Jim


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Eric Rostetter

Quoting Simon Hobson :

Let's look at this from the OS "community" point of view...

We on this mailing list are part of the clamav open source community...
As such, it is not clamav who failed, but it is us, the clamav
open source community, who failed...

When clamav asked about doing this, we failed to:

   1) Think about how it would affect others rather than ourselves
   2) Provide alternative ideas for their consideration
   3) Urge them to reconsider, or to do more to mitigate the problems it might
  cause
   4) Verify that the needed info if the change does happen is widely
  available to others, such as:
  a) that the FAQ was updated for this
  b) that we notified the various packagers and distributions about it
  c) that we got the word out via slashdot, blogs, mailing lists, etc.

I could go on.  But the point is, if you believe in "an active open source
community" around a project, then we failed.  We were not active, we didn't
act like a community.  I at least was just selfish.  I thought, yeah, I
can live with that.  That won't impact me in any real way.  I don't have
a problem with that.  I didn't think about others.  I didn't try to come
up with other solutions.  I didn't try to foresee problems and try to
correct them.  I didn't think to check that the documentation was in place.
I didn't think to notify distributions, or packagers, or any one else.  I
didn't seek to publicize this in either a positive or negative light.  In
short, I failed as a community member.  And a lot of others did too.

So let's learn from this.  Let's make this a better community around
clamav.  The best way to stop this kind of stuff is to take an active
role in the community, not to bitch about it to the project leaders after
we fail to show any interest in it.

Yes, we all know that something had to be done, but just two days  
ago, the argument most definitely was that there was **NO** other  
option - absolutely no other option and this was the **ONLY** way to  
do it.


For six months, there was NO argument at all. That is where the system
failed...  What happened in the last week is not the problem.  It is the
fall out of the problem.  The problem is apathy.  The solution is an active
community.

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Simon Hobson

Jim Preston wrote:

Yes, we all know that something had to be done, but just two days 
ago, the argument most definitely was that there was **NO** other 
option - absolutely no other option and this was the **ONLY** way 
to do it.


Now you at least are coming round to the acceptance that there were 
other options. That has been part of people's objections - apart 
from choosing the option they did, at least in these threads, the 
argument has been that "there was **NO** other option", which quite 
frankly was never accepted as true or reasonable.


No, Simon, if you read some of my earlier posts I stated it was 
their decision to make and had taken measures to give users / admins 
6 months to do something about.


I can't recall who said what - but there were voices suggesting there 
was no alternative. I wasn't specifically saying you said it, though 
I can see how it probably looked that way.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Jim Preston

On Apr 19, 2010, at 9:00 AM, Simon Hobson wrote:


Jim Preston wrote:

Forcing an upgrade by flipping a kill switch was AN option, but it  
wasn't the only one.


No one is arguing that there weren't other options. However, it was  
their decision to make to move forward with incompatible signatures  
to support new features. Code changes were put into 0.95.3 (and  
maybe earlier in the 0.95 tree) which allows clamd to continue  
running with the new signatures and just does not use them. That is  
not the issue, the issue is pre 0.95 could not handle the new  
signatures and everyone had 6 months do something about it.


Yes, we all know that something had to be done, but just two days  
ago, the argument most definitely was that there was **NO** other  
option - absolutely no other option and this was the **ONLY** way to  
do it.


Now you at least are coming round to the acceptance that there were  
other options. That has been part of people's objections - apart  
from choosing the option they did, at least in these threads, the  
argument has been that "there was **NO** other option", which quite  
frankly was never accepted as true or reasonable.


Lessons to be learned on both sides I think.

--
Simon Hobson



No, Simon, if you read some of my earlier posts I stated it was their  
decision to make and had taken measures to give users / admins 6  
months to do something about. They apparently also allowed users /  
admins to comment on their plan and when objections were not forth  
coming, went ahead as planned. After that this thread diverged into  
other tangents


Jim



Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Simon Hobson

Jim Preston wrote:

Forcing an upgrade by flipping a kill switch was AN option, but it 
wasn't the only one.


No one is arguing that there weren't other options. However, it was 
their decision to make to move forward with incompatible signatures 
to support new features. Code changes were put into 0.95.3 (and 
maybe earlier in the 0.95 tree) which allows clamd to continue 
running with the new signatures and just does not use them. That is 
not the issue, the issue is pre 0.95 could not handle the new 
signatures and everyone had 6 months do something about it.


Yes, we all know that something had to be done, but just two days 
ago, the argument most definitely was that there was **NO** other 
option - absolutely no other option and this was the **ONLY** way to 
do it.


Now you at least are coming round to the acceptance that there were 
other options. That has been part of people's objections - apart from 
choosing the option they did, at least in these threads, the argument 
has been that "there was **NO** other option", which quite frankly 
was never accepted as true or reasonable.


Lessons to be learned on both sides I think.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Török Edwin
On 2010-04-19 18:29, Tommaso Basilici wrote:
> 
> So my question is: are they aware of the EOL? are they aware of the
> killer-switch policy in act? can we help anyhow if the answer is no?

Yes, look at bugs.debian.org/clamav, the clamav-volatile list, or
debian-security list.
All of these places had some discussion of what needs to be done.

Here is a recent mail:
http://lists.debian.org/debian-security/2010/04/msg00027.html

Best regards,
--Edwin


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Tommaso Basilici

Paul Whelan wrote:
> On 19 Apr 2010 at 16:17, Tommaso Basilici wrote:
>
>> I'm probably not fitting in the right place of the thread but I just
>> signed in and could not know where to start.
>> Our only big problem with this upgrade is that the actual debian stable
>> (lenny) still uses 0.94 as shipping version and one has to get volatile
>> sources in order to upgrade.
>
> If you add the volatile repository to your sources.list then a simple command
> is all that's needed to install the latest compiled version for your debian
> platform.

yes, as I said in my email.
I was pointing at the vanilla installation of a debian stable, which does
not contain the volatile repo in the sources list.

Again I'm not complaining, we had few minutes of downtime, took me few
seconds to understand what was going on, few seconds to fix it and few
minutes to blame myself for not upgrading during the long months clamav
suggested me to do so.

But still, maybe if the debian guys could upgrade their package also in
the stable branch my guess is that some pain can still be spared...

So my question is: are they aware of the EOL? are they aware of the
killer-switch policy in act? can we help anyhow if the answer is no?

--

Tommaso Basilici
 __
   ::DICIANNOVE::
 soc. coop.



Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Paul Whelan

On 19 Apr 2010 at 16:17, Tommaso Basilici wrote:

> I'm probably not fitting in the right place of the thread but I just
> signed in and could not know where to start.
> Our only big problem with this upgrade is that the actual debian stable
> (lenny) still uses 0.94 as shipping version and one has to get volatile
> sources in order to upgrade.

If you add the volatile repository to your sources.list then a simple command
is all that's needed to install the latest compiled version for your debian
platform.

paul



Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Tommaso Basilici

I'm probably not fitting in the right place of the thread but I just
signed in and could not know where to start.
Our only big problem with this upgrade is that the actual debian stable
(lenny) still uses 0.94 as shipping version and one has to get volatile
sources in order to upgrade.

That is: a fresh installation of a vanilla debian stable would ship a
non-working unupdated clamav packet...
Should we somehow notify the debian guys the misery they're putting
their beloved sysadmin into?

--

Tommaso Basilici
 __
   ::DICIANNOVE::
 soc. coop.



Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Jim Preston

Simon Hobson wrote:

Eric Rostetter wrote:


Signature updates, yes, but not code updates.  To make any changes,
you need code updates, not signature updates.


Apart from 0.95.3 released about the same time the kill decision was 
made - could have put a code change in there. And 0.96 which was 
released a couple of weeks before the kill switch was flipped - could 
have put a code change in there.


And it wouldn't have been a major hassle to release a 0.95.4 just for 
this - almost certainly a lot less hassle than dealing with the 
fallout generated.


Forcing an upgrade by flipping a kill switch was AN option, but it 
wasn't the only one.

No one is arguing that there weren't other options. However, it was 
their decision to make to move forward with incompatible signatures to 
support new features. Code changes were put into 0.95.3 (and maybe 
earlier in the 0.95 tree) which allows clamd to continue running with 
the new signatures and just does not use them. That is not the issue, 
the issue is pre 0.95 could not handle the new signatures and everyone 
had 6 months do something about it.


Jim


Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Giampaolo Tomassoni
> Quoting Giampaolo Tomassoni :
> 
> > In 6 months there were many clamav updates. I would have put the
> 
> Signature updates, yes, but not code updates.  To make any changes,
> you need code updates, not signature updates.

Of course I meant code updates. How can you change the signature update code
otherwise?

In 6 months there were at least 0.95.3 (2009-10-28) and 0.96 (2010-03-21). I
meant them.



Re: [Clamav-users] The EOL tweets

2010-04-19 Thread Simon Hobson

Eric Rostetter wrote:


Signature updates, yes, but not code updates.  To make any changes,
you need code updates, not signature updates.


Apart from 0.95.3 released about the same time the kill decision was 
made - could have put a code change in there. And 0.96 which was 
released a couple of weeks before the kill switch was flipped - could 
have put a code change in there.


And it wouldn't have been a major hassle to release a 0.95.4 just for 
this - almost certainly a lot less hassle than dealing with the 
fallout generated.


Forcing an upgrade by flipping a kill switch was AN option, but it 
wasn't the only one.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [Clamav-users] The EOL tweets

2010-04-18 Thread Eric Rostetter

Quoting Stephan von Krawczynski :


And really, the whole idea of eol'ing GPL software is really violating the
moral ground. And that is what makes people upset.


Almost every GPL software does an EOL system.  Unless you mean EOL via kill-bit
then this statement doesn't make sense...  EOL is a normal part of software
life-cycle, as has been as long as I've been in the business (which has been
about 30 years now).

Anyway, this is hopefully my last post on this thread...  Been way too
much already...  I think everything which could possibly need to be said
has been said by now.


--
Regards,
Stephan



--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!


Re: [Clamav-users] The EOL tweets

2010-04-18 Thread Eric Rostetter

Quoting Giampaolo Tomassoni :


In 6 months there were many clamav updates. I would have put the


Signature updates, yes, but not code updates.  To make any changes,
you need code updates, not signature updates.

But then, we've about beat this horse to death...

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!


Re: [Clamav-users] The EOL tweets

2010-04-18 Thread Stephan von Krawczynski
On Sun, 18 Apr 2010 10:37:19 +0100
Stephen Gran  wrote:

> On Sun, Apr 18, 2010 at 09:50:09AM +0100, Simon Hobson said:
> > Dan wrote:
> > 
> > >Yes, some updates can be problematic.  But in this case, surely,
> > >there were updates during the year that worked just fine.  In most
> > >cases, tho, I'm thinking the people complaining slacked off
> > >completely - unlike you, they didn't even bother to test the
> > >releases.
> > 
> > And cf todays thread (LibClamAV Error: Can't load), which can be
> > summarised as  : It was working fine You broke it for me
> 
> You seem to be massively missing the point.  In a short while, there
> will be signatures in the database that will have the same effect for
> older versions of clamd, because they will trigger the same bug.  Which
> way would you prefer clamd to die - with a helpful error message, or
> with a hex string that makes no sense to you?  That was the only choice.

I am sorry to intervene in your discussion at this point but this argument is
more or less saying that the clamav authors are incompetent in finding a way
to design a signature database that knows versioning, meaning different
versions of clamd can use it with differing or equal number of available
signatures. Did you really mean that?
If this was not your intention then you should just accept what it probably
really was: unnecessarily playing god in their very own playground, giving a
damn about others' point of view. You may either call this fundamentalistic,
"we know the sole truth and that's why _all_ others have to obey".
You can find this kind of thinking in a lot of commercial software companies,
but really seldom in community driven projects. The reason for this is
pretty simple, the real strength of a community is its immanent broad variety
of thoughts expressed by the participants. If you deny that it means you have
not accepted the community model as a whole.

-- 
Regards,
Stephan



Re: [Clamav-users] The EOL tweets

2010-04-18 Thread Simon Hobson

Stephen Gran wrote:


You seem to be massively missing the point.  In a short while, there
will be signatures in the database that will have the same effect for
older versions of clamd, because they will trigger the same bug.  Which
way would you prefer clamd to die - with a helpful error message, or
with a hex string that makes no sense to you?  That was the only choice.


So you haven't actually been reading these threads then. It 
absolutely was **NOT** the only choice, it was the one choice of 
several that they took. I can think of **at least two** alternatives 
- one would have required minimal effort (probably less than has been 
expended in defending the decision) and zero inconvenience for those 
who run all the latest updates.


So it IS NOT TRUE that there were no other options. It IS NOT TRUE 
that the only choice was this or have it die in a few weeks with a 
cryptic error message.


As has already been said - it's done, it's not going to get undone, 
trust has been severely damaged. But most of all, this constant "it 
was the only way, anyone affected was a complete imbecile who should 
be allowed near a computer" attitude really makes you sound like a 
bunch of people most of us wouldn't want to be associated with. It 
most certainly doesn't make you sound like the professional 
sysadmins that you claim to be.


I think you've got to go to one of a number of churches, or an Apple 
event, to hear such "this is the one true way" message defended any 
louder !



There really doesn't seem any point in debating this any more. It's 
been proven time and time again that the most fervent religious 
believers won't be for hearing any criticism of their one true way - 
and that is exactly what these threads have sounded like for those of 
us "outside the church".


You may be nice people - but I speak as I find. The above is how I find.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [Clamav-users] The EOL tweets

2010-04-18 Thread Stephen Gran
On Sun, Apr 18, 2010 at 09:50:09AM +0100, Simon Hobson said:
> Dan wrote:
> 
> >Yes, some updates can be problematic.  But in this case, surely,
> >there were updates during the year that worked just fine.  In most
> >cases, tho, I'm thinking the people complaining slacked off
> >completely - unlike you, they didn't even bother to test the
> >releases.
> 
> And cf todays thread (LibClamAV Error: Can't load), which can be
> summarised as  : It was working fine You broke it for me

You seem to be massively missing the point.  In a short while, there
will be signatures in the database that will have the same effect for
older versions of clamd, because they will trigger the same bug.  Which
way would you prefer clamd to die - with a helpful error message, or
with a hex string that makes no sense to you?  That was the only choice.

Despite the drain on their resources these older versions are, despite
the fact that older versions were hampering their ability to write new
signatures, they still chose the option to make it fail with a helpful
message after a long lead time instead of ignoring the issue and letting
it die with an incomprehensible error message.  Would you have preferred
them to just let this happen without a clear indication of the problem?
-- 
 --
|  Stephen Gran  | Your object is to save the world, while |
|  st...@lobefin.net | still leading a pleasant life.  |
|  http://www.lobefin.net/~steve | |
 --


Re: [Clamav-users] The EOL tweets

2010-04-18 Thread Simon Hobson

Dan wrote:

Yes, some updates can be problematic.  But in this case, surely, 
there were updates during the year that worked just fine.  In most 
cases, tho, I'm thinking the people complaining slacked off 
completely - unlike you, they didn't even bother to test the 
releases.


And cf todays thread (LibClamAV Error: Can't load), which can be 
summarised as  :

It was working fine
You broke it for me
I've installed an update to try and fix it and now it's even more broke

The only difference had the user done the update last week would be - 
he had a working system, he upgraded it, it's now broken and he has 
downtime as a direct result of the upgrade.


Those two lines look fairly clear to me.  Essentially they're 
telling you to get moving, get the update onto your to-be-done list.


OK, so it suggests an upgrade would be a good idea. I've yet to see 
any explanation of where in that message (or the page referenced) it 
sets a deadline, where it says anything will die, and that this will 
be a deliberate act of sabotage.


Yea, I agree, the Clam team probably could have done things better. 
But would more announcements or warnings have really made a 
difference?  Why would the people, that regularly ignore the 
Freshclam warnings, pay attention?


Actually, I believe at least some of those complaining here would 
have done. **HAD I KNOWN** about this killer update, then I would 
have applied pressure on management to give me the resources to roll 
out the new build I have - that's all I'm waiting on in order to be 
running completely up to date versions of everything - and because 
it's more than one server, in future I'll be able to update (one at a 
time) with less risk.


OTOH, I wonder how many of these upset admins have taken even 
partial responsibility - by admitting to their bosses that they 
failed to apply any updates to a critical piece of software, for 
over a YEAR?


I have - that probably surprises you. Can't speak for anyone else.



Dan wrote:


They do not have any right to deliberately mess with a running system...


Please explain this "right" that makes thy system so sacrosanct. 
I've never heard of that.


May I suggest that you'd change your tune if your house was ransacked 
and the burglar defended his action on the basis that he'd kept a key 
from before you bought the house and he's left a note (somewhere you 
probably wouldn't see it) telling you to upgrade your locks or else ?


My servers are my property (or that of those I manage them for). No 
third party has the right (legal or moral) to interfere with that 
unless there is a contractual agreement that they can do so - and 
then only in ways allowed by that arrangement.
In this case, there's an implicit agreement between admins/operators 
and the ClamAV team that allows the ClamAV team to apply AV signature 
updates - this being implicit by the admin running Freshclam. In no 
way can pushing a poison pill designed to stop the service be 
considered a "normal AV signature" update.



The Clam team had one and only one responsible choice:  to remove 
the aged product from service before it became a road hazard, er a 
liability around their necks.


No, that is NOT their responsibility, nor their right.

Not only that, it's inconsistent with the attitude expressed here 
towards people running old software.

Contrast :
1) No-one should be running old software, they deserve all they've got.
2) We can't allow people to run old software, our only option is to 
kill it to protect people from themselves.



OK, lets suppose that a car manufacturer finds out that one of their 
old models, of which there are many still in use, has a defect that 
could potentially expose the user to a higher risk of . In 
this country, and in the US I believe, there is a system for a recall 
if it's serious enough - or the manufacturer can put adverts in 
appropriate places to warn the user.


Have you ever heard of the manufacturer deciding that the only 
responsible way is to go round with a fleet of lorries (trucks), lift 
the old vehicles off the owners drives without even ringing the 
doorbell, and take them off to the crusher ?


They have a right, and a responsibility to try and make as many 
owners/users aware of the risks - but it is still the owner/users 
decision on whether that risk is acceptable TO THEM.



They were even nice enough to give months of warnings.


The efficacy of such is subject to a certain amount of debate.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Dennis Peterson

On 4/17/10 9:03 PM, Jim Preston wrote:


I wholeheartedly agree Dan. However I have been slandered today being
called arrogant and ignorant, so what do I know?


Yutz on the left, mench on the right. This EOL process has been a test. It was a 
simple test to separate yutz from mench. If you failed, step to the left. And 
all you yutz over there - keep it down!


dp .. a mench who takes this stuff seriously enough to get it right.


Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Jim Preston

Dan wrote:

At 2:30 PM -0700 4/17/2010, Ralf Quint wrote:

At 02:09 PM 4/17/2010, Dan wrote:
Yea, I agree, the Clam team probably could have done things better. 
But would more announcements or warnings have really made a 
difference?  Why would the people, that regularly ignore the 
Freshclam warnings, pay attention?


OTOH, I wonder how many of these upset admins have taken even 
partial responsibility - by admitting to their bosses that they 
failed to apply any updates to a critical piece of software, for 
over a YEAR?


You too seem to miss one very important point. It is not the ClamAV 
project's place to judge and punish any failure by such admins. That 
is solely up to the institution they have to report to.


As far as due diligence goes, ClamAV has done their part by 
announcing the EOL of updates for ClamAV version before a certain 
version ahead of time. They do not have any right to deliberately 
mess with a running system...


Please explain this "right" that makes thy system so sacrosanct. I've 
never heard of that.



IMO, it is unconscionable to run an outdated anti-virus product. Using 
an AV provides an expectation down the line of a virus-free 
environment.  If the Clam team had borked things up so the ancient 
versions would continue to run forever but without database updates... 
then people would suddenly - without notification - be unnecessarily 
vulnerable.  Then what?  Some fools would file lawsuits, claiming the 
Clam team is legally liable for the resulting viral infections and 
their clean-up!  pah.  The Clam team had one and only one responsible 
choice:  to remove the aged product from service before it became a 
road hazard, er a liability around their necks. They were even nice 
enough to give months of warnings.


- Dan.

I wholeheartedly agree Dan. However I have been slandered today being 
called arrogant and ignorant, so what do I know?


Jim


Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Dan

At 2:30 PM -0700 4/17/2010, Ralf Quint wrote:

At 02:09 PM 4/17/2010, Dan wrote:
Yea, I agree, the Clam team probably could have done things better. 
But would more announcements or warnings have really made a 
difference?  Why would the people, that regularly ignore the 
Freshclam warnings, pay attention?


OTOH, I wonder how many of these upset admins have taken even 
partial responsibility - by admitting to their bosses that they 
failed to apply any updates to a critical piece of software, for 
over a YEAR?


You too seem to miss one very important point. It is not the ClamAV 
project's place to judge and punish any failure by such admins. That 
is solely up to the institution they have to report to.


As far as due diligence goes, ClamAV has done their part by 
announcing the EOL of updates for ClamAV version before a certain 
version ahead of time. They do not have any right to deliberately 
mess with a running system...


Please explain this "right" that makes thy system so sacrosanct. 
I've never heard of that.



IMO, it is unconscionable to run an outdated anti-virus product. 
Using an AV provides an expectation down the line of a virus-free 
environment.  If the Clam team had borked things up so the ancient 
versions would continue to run forever but without database 
updates... then people would suddenly - without notification - be 
unnecessarily vulnerable.  Then what?  Some fools would file 
lawsuits, claiming the Clam team is legally liable for the resulting 
viral infections and their clean-up!  pah.  The Clam team had one and 
only one responsible choice:  to remove the aged product from service 
before it became a road hazard, er a liability around their necks. 
They were even nice enough to give months of warnings.


- Dan.
--
- Psychoceramic Emeritus; South Jersey, USA, Earth.


Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Jim Preston

Ralf Quint wrote:

At 02:09 PM 4/17/2010, Dan wrote:

Those two lines look fairly clear to me.  Essentially they're telling 
you to get moving, get the update onto your to-be-done list.  This 
is, of course, re-enforced by the repeated EOL announcements on 
Clam-announce.


I can think of two other ways this could have been done, with very 
little effort, and with little or no inconvenience to what you would 
consider superior admins. That's irrelevant now, you've done what 
you've done and it's not going to be undone.


Yea, I agree, the Clam team probably could have done things better. 
But would more announcements or warnings have really made a 
difference?  Why would the people, that regularly ignore the 
Freshclam warnings, pay attention?


OTOH, I wonder how many of these upset admins have taken even partial 
responsibility - by admitting to their bosses that they failed to 
apply any updates to a critical piece of software, for over a YEAR?


You too seem to miss one very important point. It is not the ClamAV 
project's place to judge and punish any failure by such admins. That 
is solely up to the institution they have to report to.


As far as due diligence goes, ClamAV has done their part by announcing 
the EOL of updates for ClamAV version before a certain version ahead 
of time. They do not have any right to deliberately mess with a 
running system...

No, they clearly stated that changes to the update definitions were going 
to cause ClamAV to fail. And those that did not heed the warning were 
the only ones affected...


Jim


Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Ralf Quint

At 02:09 PM 4/17/2010, Dan wrote:

Those two lines look fairly clear to me.  Essentially they're 
telling you to get moving, get the update onto your to-be-done 
list.  This is, of course, re-enforced by the repeated EOL 
announcements on Clam-announce.


I can think of two other ways this could have been done, with very 
little effort, and with little or no inconvenience to what you 
would consider superior admins. That's irrelevant now, you've done 
what you've done and it's not going to be undone.


Yea, I agree, the Clam team probably could have done things better. 
But would more announcements or warnings have really made a 
difference?  Why would the people, that regularly ignore the 
Freshclam warnings, pay attention?


OTOH, I wonder how many of these upset admins have taken even 
partial responsibility - by admitting to their bosses that they 
failed to apply any updates to a critical piece of software, for over a YEAR?


You too seem to miss one very important point. It is not the ClamAV 
project's place to judge and punish any failure by such admins. That 
is solely up to the institution they have to report to.


As far as due diligence goes, ClamAV has done their part by 
announcing the EOL of updates for ClamAV version before a certain 
version ahead of time. They do not have any right to deliberately 
mess with a running system...


Ralf Quint 




Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Dan

At 9:39 PM +0100 4/17/2010, Simon Hobson wrote:

Dan wrote:
So keeping up to date has its own risks - hence why many people 
take the attitude of "if it ain't broke, don't fix it".


But being a YEAR out of date?


Time is an illusion, lunchtime doubly so.

Like I said, there ARE legitimate reasons for not always updating 
every bit of software every time an update comes out. Looking back, 
I've had more problems caused by updates


Yes, some updates can be problematic.  But in this case, surely, 
there were updates during the year that worked just fine.  In most 
cases, tho, I'm thinking the people complaining slacked off 
completely - unlike you, they didn't even bother to test the releases.


Wow.  Freshclam has told you every day for  a year+, that your 
installation was out of date.  Plus the 6 months of messages about 
the EOL that have been posted.  How much more notice do you need?


**Any** notice would be nice.
As I've already asked before, please tell me where in the message 
below (or the URL it includes) it says anything whatsoever about 
"your software will die" ?



Received signal: wake up
ClamAV update process started at Fri Apr 16 10:26:14 2010
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.95.3 Recommended version: 0.96


Those two lines look fairly clear to me.  Essentially they're telling 
you to get moving, get the update onto your to-be-done list.  This 
is, of course, re-enforced by the repeated EOL announcements on 
Clam-announce.


I can think of two other ways this could have been done, with very 
little effort, and with little or no inconvenience to what you would 
consider superior admins. That's irrelevant now, you've done what 
you've done and it's not going to be undone.


Yea, I agree, the Clam team probably could have done things better. 
But would more announcements or warnings have really made a 
difference?  Why would the people, that regularly ignore the 
Freshclam warnings, pay attention?


OTOH, I wonder how many of these upset admins have taken even partial 
responsibility - by admitting to their bosses that they failed to 
apply any updates to a critical piece of software, for over a YEAR?


FWIW,
- Dan.
--
- Psychoceramic Emeritus; South Jersey, USA, Earth.


Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Simon Hobson

Dan wrote:

So keeping up to date has its own risks - hence why many people 
take the attitude of "if it ain't broke, don't fix it".


But being a YEAR out of date?


Time is an illusion, lunchtime doubly so.

Like I said, there ARE legitimate reasons for not always updating 
every bit of software every time an update comes out. Looking back, 
I've had more problems caused by updates (as in it worked, I fixed it 
with updates, it stopped working) than I have from lack of them. 
Clearly up in the skies as some of you guys seem to be given the 
height of your horses, things are different - perhaps your software 
works differently at altitude !



Wow.  Freshclam has told you every day for  a year+, that your 
installation was out of date.  Plus the 6 months of messages about 
the EOL that have been posted.  How much more notice do you need?


**Any** notice would be nice.
As I've already asked before, please tell me where in the message 
below (or the URL it includes) it says anything whatsoever about 
"your software will die" ?

Received signal: wake up
ClamAV update process started at Fri Apr 16 10:26:14 2010
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.95.3 Recommended version: 0.96
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
daily.cvd is up to date (version: 10751, sigs: 52057, f-level: 51, builder: guitar)

It doesn't. So please cut the dung about freshclam having been 
warning me for a long time about this. It did no such thing - there 
is a difference between noting that there may be some of the newest 
features not supported and it turning its toes up and going to meet 
its maker.

As to the policy having been published, well it would appear many of 
us have the same problem as Arthur Dent.


Of course, if you insist on keeping your system out-of-date, you 
could just restore the database from your backup, and disable 
freshclam.  You do have backups, don't you?


As I've already said several times, YES I HAVE AND YES THAT IS WHAT 
I'VE DONE until I can fix it.



I can think of two other ways this could have been done, with very 
little effort, and with little or no inconvenience to what you would 
consider superior admins. That's irrelevant now, you've done what 
you've done and it's not going to be undone.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
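
A log check for the freshclam output quoted in the message above, added here as an example and not part of the thread or of ClamAV itself: it separates "outdated but still loads signatures" from "below the cut-off", a distinction the warning lines alone do not make. The 0.95 cut-off is taken from Jim Preston's message in this thread; the function names and the rejoined sample log are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the freshclam output quoted in the thread, with the
# e-mail-wrapped daily.cvd line rejoined.
SAMPLE_LOG = """\
Received signal: wake up
ClamAV update process started at Fri Apr 16 10:26:14 2010
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.95.3 Recommended version: 0.96
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd is up to date (version: 52, sigs: 704727, f-level: 44, builder: sven)
daily.cvd is up to date (version: 10751, sigs: 52057, f-level: 51, builder: guitar)
"""

# Assumption from the thread: engines older than 0.95 cannot load new signatures.
MIN_SUPPORTED = "0.95"

RUN_START_RE = re.compile(r"^ClamAV update process started at ")
VERSION_RE = re.compile(r"WARNING: Local version: (\S+) Recommended version: (\S+)")
DB_RE = re.compile(
    r"^(\w+\.c[vl]d) is up to date \(version: (\d+), sigs: (\d+), "
    r"f-level: (\d+), builder: ([^)]+)\)"
)


@dataclass
class Report:
    local: Optional[str] = None          # engine version reported by freshclam
    recommended: Optional[str] = None    # version freshclam recommends
    databases: dict = field(default_factory=dict)  # name -> (db version, f-level)
    status: str = "OK"                   # OK, OUTDATED or UNSUPPORTED


def parse_version(text):
    """Turn '0.95.3' or '0.96rc1' into a comparable tuple, padded to 3 parts."""
    parts = []
    for component in text.split("."):
        match = re.match(r"\d+", component)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts + [0] * (3 - len(parts)))


def assess(log_text, min_supported=MIN_SUPPORTED):
    """Assess the most recent freshclam run found in log_text."""
    report = Report()
    for raw in log_text.splitlines():
        line = raw.strip()
        if RUN_START_RE.match(line):
            report = Report()            # a new run supersedes earlier warnings
            continue
        match = VERSION_RE.search(line)
        if match:
            report.local, report.recommended = match.groups()
            continue
        match = DB_RE.match(line)
        if match:
            name, version, _sigs, flevel, _builder = match.groups()
            report.databases[name] = (int(version), int(flevel))
    if report.local is None:
        return report                    # no version warning in the latest run
    local = parse_version(report.local)
    if local < parse_version(min_supported):
        report.status = "UNSUPPORTED"    # below the cut-off: page someone
    elif local < parse_version(report.recommended):
        report.status = "OUTDATED"       # behind, but above the cut-off
    return report


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    print(result.status, result.local, result.recommended, result.databases)
```

Run from cron against the freshclam log, the UNSUPPORTED status is the one worth routing to an alert rather than a daily digest.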


Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Jim Preston

Giampaolo Tomassoni wrote:

You say you have mailinglists and customers called you?



No. I was speaking about a couple of fellows who consulted me because the
systems they assemble and sell (which are some kind of SuSE-based mailing
and faxing systems) broke and they weren't immediately able to get them back
working: some of these SuSE stuff run 10.1 which have gcc 4.1.0 at best, and
clamav 0.96 doesn't ./configure there.
  

Well then there are two remarks I shall make regard the above.

First, if this is what they do for a living and could not figure it out 
then.. either they are very junior people in the company and did not 
ask their supervisor or self-employed (no nothing wrong with being 
self-employed, I run my own company also). In either case, they may want 
to seek a new career or take some classes on computer management.


Second, upgrading or installing a new version of gcc is not that big of 
a deal.


Have a great day, Jim

PS: No response to my earlier reply to you?



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Giampaolo Tomassoni
> On Fri, Apr 16, 2010 at 01:15:45PM +0200, Giampaolo Tomassoni said:
> ... omissis ...
> On Sat, Apr 17, 2010 at 03:56:38PM +0200, Giampaolo Tomassoni said:

Fine. You filed your request. Now the maillist admins will decide if I was
ranting, there. And will take action if needed.

Ok?



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Stephen Gran
On Sat, Apr 17, 2010 at 07:53:49PM +0200, Giampaolo Tomassoni said:
> Would you please show me the 50 messages you speak about?
> 
> Thanks.

I see off hand:

On Fri, Apr 16, 2010 at 01:15:45PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 02:12:15PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 02:17:43PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 02:24:25PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 03:42:43PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 03:57:34PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 04:03:29PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 04:11:30PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 04:31:25PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 05:05:42PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 05:55:16PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 06:25:28PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 06:32:27PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 07:13:07PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 07:18:42PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 08:16:59PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 08:25:55PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 08:29:12PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 08:51:23PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 09:01:47PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 09:24:40PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 09:33:40PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 09:56:39PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 09:57:55PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 10:30:25PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 10:42:06PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 10:44:39PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 11:17:48PM +0200, Giampaolo Tomassoni said:
On Fri, Apr 16, 2010 at 11:50:09PM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 12:10:09AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 12:15:21AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 12:18:49AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 12:20:54AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 12:22:49AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 12:36:12AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 12:46:21AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 01:06:02AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 01:08:02AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 01:14:33AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 01:24:07AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 01:29:29AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 01:54:29AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 02:19:18AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 02:39:36AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 02:52:08AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 03:00:05AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 03:09:01AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 03:12:24AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 03:27:46AM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 03:48:38PM +0200, Giampaolo Tomassoni said:
On Sat, Apr 17, 2010 at 03:56:38PM +0200, Giampaolo Tomassoni said:

Although I may have missed a few.  Now can you stop?
-- 
 --
|  Stephen Gran  | The shifts of Fortune test the  |
|  st...@lobefin.net | reliability of friends.   -- Marcus |
|  http://www.lobefin.net/~steve | Tullius Cicero  |
 --



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Giampaolo Tomassoni
> Can the listmoms please throttle or remove this guy?  This is roughly 50
> messages containing the same rant over the last several days.  There is
> no argument that needs to be spread over that much email and waste that
> much of everyone's time.

Would you please show me the 50 messages you speak about?

Thanks.



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Stephen Gran
On Sat, Apr 17, 2010 at 03:48:38PM +0200, Giampaolo Tomassoni said:
> I'm still waiting for you to show something, moron.

Can the listmoms please throttle or remove this guy?  This is roughly 50
messages containing the same rant over the last several days.  There is
no argument that needs to be spread over that much email and waste that
much of everyone's time.
-- 
 --
|  Stephen Gran  | You may worry about your hair-do today, |
|  st...@lobefin.net | but tomorrow much peanut butter will be |
|  http://www.lobefin.net/~steve | sold.   |
 --



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Jim Preston

Giampaolo Tomassoni wrote:

I do not want to be your customer after reading your messages here
in this mailing list, because I show, you have not a single clue
about importance of software parts...



I'm still waiting for you to show something, moron.

Giampaolo


  

Good Morning Giampaolo,

I thought I was going to refrain from continuing this useless thread 
that you have chosen as forum to make people believe you. And yes, I did 
read your post that you do not like me and people like me, and the 
feeling is mutual, at least in my case.


Although there were no ongoing posts through the night, I do wonder if 
you have stayed up all night because you have not degraded to calling 
people names.


As this is the users mailing list, maybe you want to take your issues
up directly with the ClamAV team. You are unlikely to change the opinion
of anyone here by name calling. It is my opinion that people turn to name
calling and such when they have run out of useful arguments and yet
refuse to move on.


Hope you have a great day,
Jim


Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Dan

At 2:14 PM +0100 4/16/2010, Simon Hobson wrote:
I hope that by now you may be realising that many people quite 
legitimately did not know anything until things broke this morning. 
We did not have 6 months notice - our servers "just broke".


I'm sorry, did I miss something?  This should be a non-event.   A 
viral scanner is a rather critical product therefore it should be 
kept reasonably UP TO DATE.  Version 0.95 was released in  March 
2009.  Over a year ago!  What have you been doing with your time over 
the past year?  Apparently you didn't bother to keep critical stuff 
updated!?  What else have you dropped the ball on?


At 3:28 PM +0100 4/16/2010, Simon Hobson wrote:

Bowie Bailey wrote:

Personally, I keep my servers updated, so the EOL issue didn't affect me,


And on another server (that's newer and is updated), I got bitten by 
that as well when an update broke something and I had to manually 
figure out which update was responsible and find versions of which 
packages to roll back to (which had been deleted from the repos - 
now I keep backup copies !)


So keeping up to date has its own risks - hence why many people
take the attitude of "if it ain't broke, don't fix it".


But being a YEAR out of date?

At 5:33 PM +0100 4/16/2010, Simon Hobson wrote:

please go fix it.


I will, now I know about it. But it would have been nice to do it at 
a more convenient time, and with advance notice so I could use it to 
get some resource allocated by management.


Wow.  Freshclam has told you every day for  a year+, that your 
installation was out of date.  Plus the 6 months of messages about 
the EOL that have been posted.  How much more notice do you need?


Of course, if you insist on keeping your system out-of-date, you 
could just restore the database from your backup, and disable 
freshclam.  You do have backups, don't you?


- Dan.
--
- Psychoceramic Emeritus; South Jersey, USA, Earth.


Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Michelle Konzack
Hello Giampaolo Tomassoni,

On 2010-04-16 20:25:55, you typed the following:
> The way the clamav team managed this case hits the open software community
> as a whole, being the ClamAV project a well-known member of that community.

No,  --  it hit a minority of ignorants!

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France   itsyst...@tdnet UG (haftungsbeschränkt)
Gesch. Michelle Konzack  Gesch. Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz   Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil   Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

  
 

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Giampaolo Tomassoni
> Obviously neither side of the discussion can be convinced. It would
> possibly be a good idea to throw in some more general thoughts about
> GPL'ed software.
> If I understood RMS' basic intention right he is all for the freedom of
> the _user_. This basically means no software vendor or supplier should
> have the power to dismiss a running system only because he thinks it is
> the right thing to do. This can only be a users' choice. And it is his
> choice _not_ to listen to the supplier and do updates or whatever.

Right. I agree with you.


> Following this thought it was no good idea to bring the ancient
> services down only to make people update. That is exactly what GPL is
> _not_ about.
> Nobody can and should drive a supplier of GPL'ed software to deliver
> ultimate support. It is his choice to stop supporting certain versions.
> But that can be handled in a user-friendly way, too.
> And really, the whole idea of eol'ing GPL software is really violating
> the moral ground. And that is what makes people upset.

Right, right. Absolutely right.

Also, in this specific case some work-arounds to the problems were both
feasible and inexpensive. I can understand that the team of an open-source
product would even decide to break things when at a corner. But this wasn't
really the case.



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Giampaolo Tomassoni
> Hello Giampaolo Tomassoni,

Hello Michelle,


> It depends on what you mean with "five small companies".
> 
> Here I have a bunch of such small companies with 3-5 employees...
> where I maintain the Intranet-Server. And since they are
> All-In-One-Systems, one failure could take down the whole system and
> because they are expensive, those small enterprises have not
> even reserve systems laying around.
> 
> I have to take care about it.
> 
> Also there are some customers which install their own Debian Systems
> and use me only as a "Debian GNU/Linux Consultant" and they know, they
> have to be careful because their income depends on it...

This is the situation I was spotting out.


> You say you have mailinglists and customers called you?

No. I was speaking about a couple of fellows who consulted me because the
systems they assemble and sell (which are some kind of SuSE-based mailing
and faxing systems) broke and they weren't immediately able to get them back
working: some of these SuSE stuff run 10.1 which have gcc 4.1.0 at best, and
clamav 0.96 doesn't ./configure there.


> I do not want to be your customer after reading your messages here
> in this mailing list, because I show, you have not a single clue
> about importance of software parts...

I'm still waiting for you to show something, moron.

Giampaolo


> 
> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
> Systemadministrator
> 
> --
> # Debian GNU/Linux Consultant
> ##
>Development of Intranet and Embedded Systems with Debian GNU/Linux
> 
> itsyst...@tdnet France   itsyst...@tdnet UG
> (haftungsbeschränkt)
> Gesch. Michelle Konzack  Gesch. Michelle Konzack
> 
> Apt. 917 (homeoffice)
> 50, rue de Soultz   Kinzigstraße 17
> 67100 Strasbourg/France 77694 Kehl/Germany
> Tel: +33-6-61925193 mobil   Tel: +49-177-9351947 mobil
> Tel: +33-9-52705884 fix
> 
> 
> 
> 
> 
> 
> Jabber linux4miche...@jabber.ccc.de
> ICQ#328449886
> 
> Linux-User #280138 with the Linux Counter, http://counter.li.org/



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Stephan von Krawczynski
On Fri, 16 Apr 2010 10:25:24 -0500
Eric Rostetter  wrote:

> Quoting Leonardo Rodrigues :
> 
> > it's VERY common in the software industry to stop supporting old  
> > versions, but they simply stay working.
> 
> For six months, you've been told to either upgrade or disable signature
> updates.  If you'd done either, you would still be running fine.
> 
> >  clamav took a VERY bad move, there's absolutely no doubt on that.
> 
> Perhaps, but had they let you continue running it, letting you think
> it was working perfectly, but it no longer protected you -- that is it
> could no longer do the job it is supposed to do -- would they be doing
> you a service or a dis-service?
> 
> In this case, they are damned if they do (anti-virus that doesn't catch
> viruses is sure to be criticized), damned if they don't (people who don't
> do due diligence are sure to criticize them for "breaking" their system).

Obviously neither side of the discussion can be convinced. It would possibly
be a good idea to throw in some more general thoughts about GPL'ed software.
If I understood RMS' basic intention right he is all for the freedom of the
_user_. This basically means no software vendor or supplier should have the
power to dismiss a running system only because he thinks it is the right thing
to do. This can only be a users' choice. And it is his choice _not_ to listen
to the supplier and do updates or whatever.
Following this thought it was no good idea to bring the ancient services down
only to make people update. That is exactly what GPL is _not_ about.
Nobody can and should drive a supplier of GPL'ed software to deliver ultimate
support. It is his choice to stop supporting certain versions. But that can be
handled in a user-friendly way, too. 
And really, the whole idea of eol'ing GPL software is really violating the
moral ground. And that is what makes people upset.

-- 
Regards,
Stephan



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Michelle Konzack
Hello Giampaolo Tomassoni,

On 2010-04-16 17:55:16, you typed the following:
> Maybe this happened, but I had two calls in the morning about this, for
> maybe five mailing systems which stopped working. Most of them are not
> easily upgradeable. After all, I can't care it the less. But what about the
> five small companies running these systems? 

It depends on what you mean with "five small companies".

Here I have a bunch of such small companies with 3-5 employees... where
I maintain the Intranet-Server. And since they are All-In-One-Systems,
one failure could take down the whole system and because they are
expensive, those small enterprises have not even reserve systems laying
around.

I have to take care about it.

Also there are some customers which install their own Debian Systems and
use me only as a "Debian GNU/Linux Consultant" and they know, they have to
be careful because their income depends on it...

You say you have mailing lists and customers called you?

I do not want to be your customer after reading your messages here in
this mailing list, because I show, you have not a single clue about
importance of software parts...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France   itsyst...@tdnet UG (haftungsbeschränkt)
Gesch. Michelle Konzack  Gesch. Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz   Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil   Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

  
 

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Michelle Konzack
Hello Christopher X. Candreva,

On 2010-04-16 11:08:47, you typed the following:
> What you SHOULD take from this is that you may want to change how your 
> milter is set up, so that if clamd dies, unscanned mail is passed rather 
> than rejected or temp-failed.

When I read that entire servers stopped working, I was really wondering
about it because I run courier, exim and postfix for different purposes
on more than 160 dedicated servers and if one part breaks (especially
SpamAssassin and ClamAV) the rest is supposed to continue...

And if ClamAV stops working AND a message has a binary attachment, the
message becomes TAGGED as NON-AV-SCANED.

In my opinion it is entirely the responsibility of a sysadmin to stay
informed and keep her/his servers running.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France   itsyst...@tdnet UG (haftungsbeschränkt)
Gesch. Michelle Konzack  Gesch. Michelle Konzack

Apt. 917 (homeoffice)
50, rue de SoultzKinzigstraße 17
67100 Strasbourg/France  77694 Kehl/Germany
Tel: +33-6-61925193 mobilTel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

  
 

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/
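
The fail-open behaviour discussed in this message and in the advice it quotes (pass unscanned mail when clamd dies, and tag messages that carry a binary attachment), as an added example that is not part of the original post or of any mail server's own code. The socket path, the `X-AV-Status` header and all function names are assumptions; the clamd `INSTREAM` framing is the real protocol.

```python
import socket
import struct
from email import message_from_bytes
from email.message import EmailMessage

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumed; use LocalSocket from clamd.conf
TAG = b"X-AV-Status: not-scanned\r\n"       # hypothetical header name and value


def build_instream(data, chunk_size=8192):
    """Frame `data` for clamd's INSTREAM command.

    Each chunk is sent as a 4-byte big-endian length followed by the bytes;
    a zero-length chunk ends the stream.
    """
    frames = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        frames.append(struct.pack("!I", len(chunk)) + chunk)
    frames.append(struct.pack("!I", 0))
    return b"".join(frames)


def clamd_scan(data, path=CLAMD_SOCKET, timeout=10.0):
    """Return clamd's reply, e.g. 'stream: OK' or 'stream: <name> FOUND'.

    Raises OSError when clamd is not running, not listening or too slow.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        sock.sendall(build_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return reply.rstrip(b"\0").decode("utf-8", "replace").strip()


def has_binary_attachment(raw):
    """True if any leaf MIME part is non-text or carries a filename."""
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() != "text" or part.get_filename():
            return True
    return False


def filter_message(raw, scan=clamd_scan):
    """Decide what the mail filter does with one message.

    Returns (action, message_bytes); action is 'reject', 'accept' or
    'accept-unscanned'. Only a positive detection rejects mail.
    """
    try:
        reply = scan(raw)
    except OSError as exc:
        reply = "scanner unavailable (%s) ERROR" % exc
    if reply.endswith("FOUND"):
        return "reject", raw
    if reply.endswith("OK"):
        return "accept", raw
    # clamd is down or answered ERROR: fail open, but make it visible.
    if has_binary_attachment(raw):
        return "accept-unscanned", TAG + raw
    return "accept", raw


def sample_message(with_attachment):
    """Constructed sample mail, for the demonstration only."""
    msg = EmailMessage()
    msg["From"] = "a@example.org"
    msg["To"] = "b@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    if with_attachment:
        msg.add_attachment(b"\x00\x01\x02", maintype="application",
                           subtype="octet-stream", filename="blob.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    def clamd_down(_data):  # stands in for a clamd that refused to start
        raise ConnectionRefusedError("clamd not running")
    for flag in (False, True):
        action, out = filter_message(sample_message(flag), scan=clamd_down)
        print(flag, action, out.startswith(TAG))
```

A caller should log or alert on every `accept-unscanned` result, so that a dead scanner is noticed rather than silently tolerated.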



Re: [Clamav-users] The EOL tweets

2010-04-17 Thread Michelle Konzack
Hello Maurice Lucas - TAOS-IT,

On 2010-04-16 15:56:55, you typed the following:
> I'm on multiple mailinglists I don't read every day but are on a ones
> a week a quick scan.
> And a lot of them are announce lists for all production critical
> software I use.
> 
> If I run a ssh service on my machine, and yes I do, I keep track of
> the ssh announce list.
> Why because I hate it to find my root password changed because there
> was a security update I didn't updated 6 months ago because an apt-get
> update/upgrade didn't work anymore.

Full ACK!

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France   itsyst...@tdnet UG (haftungsbeschränkt)
Gesch. Michelle Konzack  Gesch. Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz   Kinzigstraße 17
67100 Strasbourg/France 77694 Kehl/Germany
Tel: +33-6-61925193 mobil   Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

  
 

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Dennis Peterson

On 4/16/10 8:05 AM, Giampaolo Tomassoni wrote:


Was the 'stop gap' really useful? To which purpose? Did the ClamAV team
meant to stop old installations to work, in order to silence competitors?
Perhaps to teach to clamav users about the very complex nature of today
systems and services?

Unfortunately, the net result will be that the management of the small
companies running their crappy and old mailing systems will have to hardly
face the fact their mailing box doesn't work anymore because a free
component in it unreasonably stopped working. This will decrease their trust
about free software: they are going to buy a new computer running Microsoft
Exchange Server backed by something else then ClamAV...

Giampaolo


I've only been doing this for about 30 years, but I do recall that several years 
ago the folks at Trend Micro did something similar. The only reason it was 
discovered is because the sig file quit updating and one of the admins got 
curious about why. The reason was the sig file format changed. The product 
continued to run with the old sig file, though, for nearly a year before it was 
discovered.


dp


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> But you have not been forced to go to bleeding edge. 0.95 is outdated
> but still receives the updates OK.  In all development there comes a
> time when you have to break with compatibility in order to achieve the
> results you desire. The ClamAV team felt that this was the time.

Incompatibility doesn't mean to break things. To me, it means that db
updates would be unavailable for old systems.



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> None, and what you be doing next month when the new signatures came
> out and those same unpatched systems 'failed'?

According to the way I see it had to be, those unpatched systems would
simply not get any update.



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> >>> What if your PS3 stops working because the maker thinks it is a
> >>> too-old model to still go?
> >>
> >> A fine question.  Let's suppose a certain old PS3 model has a serious
> >> manufacturing defect, such that it can overheat and catch fire.
> >
> > Which is not our case...
> 
> You suggested the analogy.

I meant you're entering in the field of safety against personal injuries. It
is not the case. You can't match a non-working PS3 model with a flaming one.


> >> Six months later, Sony releases a new game which happens to really
> >> beat on the PS3 and is pretty likely (or even dead-certain) to cause
> >> machines which have this problem to catch fire.  Should Sony release
> >> firmware which causes the PS3 to refuse to run this game?
> >
> > No, they should not. Period. One runs its own life the way he/she
> > likes.
> 
> Evidently, both the ClamAV folks and Sony disagree with your position.
> However, since you've also clearly made up your mind on this matter, I
> won't argue further.

Again, you are trying to cast a matter in a very different one. I can
understand that putting the user's life in danger can make a difference (but
personally still think I would not ship the new firmware). But this is
simply not the case.


> Please fork ClamAV into your own project, perhaps called OstrichAV--
> for those who wish to hide from what they consider to be unreasonable
> software updating policies-- and you may provide the world with virus
> definition updates in a fashion that will support all versions of your
> fork of the software, as best you can, indefinitely.
> 
> [ If this doesn't seem fair to expect of you, then it's time to
> re-evaluate your own expectations vis-a-vis ClamAV ]

Well, Chuck. I'm going to take the simple way and re-evaluate the ClamAV
project, instead.



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> >
> > Wasn't it better to simply let these system go the way they were
> > used to?
> >
> > What's the difference from the clamav standpoint?
> 
> The ClamAV developers want to continue on with things they way they are
> used to.  They don't want to overhaul their update system just so they
> can continue to support a version of the software which is rapidly
> becoming less usable.
> 
> You proposed that the change the way that 0.96 updates.  Fine, that
> could have been done.  But what about 0.95? Which is arguably the most
> deployed version at this moment.  It was first released on 2009-03-23,
> and the last update was made 2009-10-28.  It properly handles
> incremental updates of large signatures, and will continue to need new
> signatures for a while longer.  0.96 was just released on 2010-03-31.
> 
> There's no way to stop updates for 0.94 and below, while still
> providing updates for the heavily used 0.95, even if changes were made
> for 0.96.

In 6 months there were many clamav updates. I would have put the
current.cvd1 trick early in one of them, then I would have waited enough
time to allow distributions and users to deploy it, then I would have
stopped dns responses to the current.cvd branch, and finally I would have
started distributing new signatures.

I don't know exactly how large is the problem, but if it is, this is
something that can still be done, supposed freshclam is still working. But
this would now imply a huge amount of traffic in order to distribute a new
database with old signatures, if at all possible.



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> > I see you're quite far from it at the moment, since you are trying to
> > drive people to think that complains are only from bad sysadms. I
> > can't of course speak for others, but I'm complaining because of the
> > bad light in which the ClamAV team put open-software with the 0.96
> > case.
> 
> To paraphrase your statement that you are only complaining because of
> this unproven accusation that ClamAV is somehow putting FOSS in peril,
> "When someone says its not the money but the principal, you can bet
> your bottom dollar it is the money." In other words, you are trying to
> move off center and refocus on alleged damage that the ClamAV
> action(s) have caused.

In other words, you've fear. You are in the management, right? Typical.


> Actually, I take the opposite stance. Team
> ClamAV has taken a bold move forward.

Right toward the trashcan.


> By refusing to back port every
> conceivable enhancement to their product, they will be able to focus on
> producing a more robust product.

They didn't do this. I mean, your staff didn't do this. Your staff had 6
months to implement a very simple and inexpensive solution to workaround all
the troubles your "bold move" could do to their users.


> Microsoft spent billions of dollars
> back porting every conceivable improvement to their system just to
> placate the winny-weaners (you know the type) that expect everyone to
> cater to their demands. This lead to a less than robust Internet
> Explorer offering. Now that they have openly stated that the unreleased
> IE9 will not work on WinXP, a ten year old OS, those same cry-babies
> are at it again.

IE isn't less robust because it runs on XP instead of in some other
environment. It is less robust because it has to deal with all those silly
ways Microsoft followed in badly implementing W3C standards. The OS is less
than an issue in robustness. It may be in security, but a robust IE
implementation would be safe even on a W2k.

So, what are you saying. That you're a good sysadm because you run W7? Or
because you own a Mac?

It is a silly reasoning.


> Maybe you and them should get together and form a fan club.

That is what makes me think you're in the management: you keep mudding.


> > My systems, Jerry, work fine, thank you. But I had a couple of phone
> > calls from some friend sysadmins (yes, I have friends colleagues. Do
> > you?) who were in trouble due to ClamAV.
> 
> My systems are functioning perfectly. Then again, I don't
> procrastinate, although I have spend way to much time today on this
> chat line. Of course, since none of my systems are down due to a
> catastrophic AV failure, I really don't have a whole lot to do at
> present.

See? So is me.


> > Open software shouldn't behave this way. The ClamAV team should have
> > implemented ways to not screw old installation while going for its
> > own way. There were feasible ways to do this, but they chose not to
> > follow them. Period.
> 
> They choose to do it in a manner that was most efficient for them. By
> the way, how much did you pay for your ClamAV license? Better yet, when
> ClamAV asked for public input months ago on the planned change, what
> did you contribute to the party?

Right, it is a good tactic to take some other observation and use it to keep
mudding.



> I am willing to bet nothing. You are like a
> moron who doesn't vote and then bitches because the candidate they
> wanted did not get elected.

Which is still allowed, isn't it?



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jim Preston
I agree with you entirely.  You're welcome to roll back to the 2010-4-14
virus signatures before the less-than-0.95 kill switch was turned on, and
your outdated ClamAV will continue to run just fine with these old
signatures.


This is feasible, but now needs some kind of human intervention. Which
generally means money. Which generally means, "since you're here, replace
this stuff with an Exchange Server. My friend says it is wonderful and
doesn't stop. Ever!".

Hmm, let's see it is getting updates... must have Internet connection

I know, maybe I should remote into it and reconfigure. What a concept!

Gee, I did not even have to leave my desk..


PS: I wonder just how strong the correlation is between people who are
complaining about this issue and ones who also don't have adequate
backups such that they actually could revert to yesterday's signature
files?


-1 for me: I'm not debating for necessity. I'm doing it for a right cause!







Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jim Preston

On Apr 16, 2010, at 4:10 PM, Simon Hobson wrote:


Jerry wrote:


> Err, it does have something to do with it. You made the assertion
> that no-one would spend money replacing a system rather than upgrade
> it. Two of us now have pointed out that real world PHB do exactly
> that sort of thing - and this issue with clamav getting the kill
> switch can be just the sort of excuse they need. It may not be a
> valid reason, but then so many business decisions are based on having
> enough excuses to do what you want rather than doing what would
> logically be right. As Giampaolo comments, some people (especially
> PHBs) simply see it as "that Linux stuff blew up, best go with
> Microsoft like everyone else".


The two who have "pointed out that real world PHB do exactly that sort
of thing" now are operating broken systems. So much for credibility.


There you are again - that attitude is rubbing people up the wrong  
way and not helping. May I point out that my system was working fine  
until fed sour data ? Your analogy would be like saying that a car  
is broken if someone put sugar in the tank, and it would be all the  
owners fault as long as the vandal (it's claimed) told them in  
advance to fit a sugar filter.


No, to use your car analogy, that would be like stating for 6 months  
that the fuel was changing and you need to do something about any you  
deciding they didn't really mean when you put the incompatible fuel in  
your car



> Fortunately that's not the case where I am - this box replaced an
> iMail server running on NT4 which was forever crashing and getting
> used for spamming. No-one on the engineering or support teams mourned
> its loss ! But equally, if it wasn't for the licence costs,
> management would still be happier with a Microsoft 'solution'.


NT is ancient history. Why you would even mention it is beyond me,
although it might be interesting to know when they actually did get
around to swapping it out. Then again, maybe I don't want to know.


Yet guess what, NT is still in use in many places (and it's why MS  
bought Connectix so they could rebrand their virtualisation software  
and sell it to customers so they could run their NT systems on newer  
systems). There are many reasons for using old software - in fact I  
have a PC down in the garage that still runs DOS/Windows3. In that  
case, it's an embedded system and it really, really wouldn't be  
worth trying to touch it - only to scrap it and buy another machine.  
We've got customers running similarly old software because that's  
what the package works with - and it would be horrendously expensive  
to upgrade (in many cases meaning scrapping the machine it runs).


Another server I run is also not updated. In this case, not only  
would I have to fix any issues related to the server itself - but  
I'd also risk breaking any of the customer sites it runs. Just  
before it was handed to me, the guy that built it did some updates -  
and then handed it over with an "oops, can you fix it" yes I've had  
a security issue with it, but that was a config issue. If customers  
want to upgrade - I move them to a newer server.


What I'm trying to get through is that there are valid reasons for  
not running the very latest bleeding edge stuff. I agree that with  
something like Clamav there aren't that many show stoppers, but you  
come across as having the attitude that old versions should simply
cease to exist and anyone running them is automatically an idiot.
It would be nice to have a job where all I have to do is run a few  
servers - and I have all the time I need to update them (and fix  
them when the update breaks it*), but I have a real world job where  
that isn't the case.


* BTW - thinking back, I've had more things break from updates, than  
I have had problems from not updating. In that respect, even with  
this issue, it's not been too bad a return from the policy decisions  
I've taken.


--
Simon Hobson



But you have not been forced to go to bleeding edge. 0.95 is outdated  
but still receives the updates OK.  In all development there comes a  
time when you have to break with compatibility in order to achieve the  
results you desire. The ClamAV team felt that this was the time.

Jim



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jim Preston

On Apr 16, 2010, at 4:08 PM, Giampaolo Tomassoni wrote:


This is not a matter of missing upgrades. This is a matter of proactively
breaking running systems.


Exactly.  They proactively broke the scanner so people would know why it
broke, rather than letting it die with nothing more than an obscure
malformatted hexstring error.


Wasn't it better to simply let these system go the way they were  
used to?


What's the difference from the clamav standpoint?

None, and what would you be doing next month when the new signatures came
out and those same unpatched systems 'failed'?


Jim


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jim Preston

On Apr 16, 2010, at 4:06 PM, Giampaolo Tomassoni wrote:


And you are free to do so, just as the developers are free to release
signatures that do not work with older versions. That is ALL that
happened. In doing so, clamd fails to be able to properly read the
database and fails.


Things are a bit more complex, because I see the problem of long signatures
was known to the team well before the 15. There were both time and capacity
to avoid any unwanted side effect. But the team chose to disregard them.




Which was their decision to make as was yours or your friends to not  
be bothered to keep their critical systems up to date.



There have been numerous pieces of software that I have used over the
years that have died on the vine and no longer suitable for new
systems. Do I rant at them that they MUST provide me with a new
version, no, I deal with it. Either building my own from sources or
moving on to a new piece of software.


This is not a matter of missing upgrades. This is a matter of proactively
breaking running systems.


They didn't, YOU did.  You failed to properly configure your email to
handle a failure in clamd.
Were there many others like you who also failed to configure their
systems to handle a failure in clamd? Yes, but that again was their
decision as it was yours.


Jim, you're still trying mudding me to stop what I'm saying. The fact that
the team was aware of the implication of long signatures and the fact that
they let things happen, doesn't mean anything to you?

Yes, it means that they were not going to go on supporting the pre 0.95
software and made this fact known to the best of their ability.



Jim, you keep adding apples and pears together. Aren't you starting feeling
the importance of what the ClamAV team wanted and let happen?



Yes, they were concerned that new signatures coming out are not
compatible with older versions, stated so, and sent one of them out.
You would be in exactly the same situation next month.


No, the problem is that I'm not in this situation now (I would not be
debating otherwise), but I don't want to be in troubles like these in the
future, just because someone decides I'm not knowledgeable and responsible
enough to run a mail server. Do you understand the implications of what
you're saying?



Yes, I do, that if I choose not to pay attention to what the software  
development happen to software I CHOSE to install, then my systems may  
fail. Am I willing to stand by this yes and not whine just because I  
waited until too late to do anything about the situation.





The fact that they made a conscious decision to not have separate
signatures was THEIR decision to make and YOURS to ignore.









The way the clamav team managed this case hits the open software community
as a whole, being the ClamAV project a well-known member of that community.


Yes, but not necessarily in a negative way.. One of the MAJOR
problems with Microsoft software is their insane insistence on
backwards compatibility. Sometimes it does not make sense to do so and
you just have to bite the bullet and let people know it will not work.
In Microsoft's case they simply fail to let people know.. in
addition to breaking it.


This is a good point of view which I can easily endorse. But we are still
speaking of stopping working systems. We are not speaking about introducing
a backward incompatibility.


Yes we are, we are speaking of signatures that can not be handled by
versions older than 0.95. They decided to forego compatibility just as
YOU chose to ignore their warnings.


They decided to forego empathy by people who like open-source stuff. This is
what they did. And keeping saying the error is only by the sysadmins you
aren't you to help them.

Again, this is a place we disagree, I do not think it was an error on  
their part.
And I am helping them by allowing them to move forward and concentrate  
on new offerings.



And before we get back to "I didn't know", as judges are quick to
point out, ignorance of the law (or in this case changes coming down
the pike) is no excuse.


Ahahaha! This is the most silly thing I've ever heard from you! Hahahah!



Thank you, it was meant to throw some levity into the fray!



We are not trying to say you shouldn't feel bad about it sneaking up
on you, but that does not change the fact that the ClamAV team put out
notices 6 months ago that this would happen.


So what? This proves they were aware of the problem and that they let pass 6
months not moving a finger.


Incorrect, they were aware of the problem and STATED they were not  
going to do anything about it.

I think it has taken courage on their part to stick to beliefs.


According to your rules, if people ignoring door signs are bad admins, what
are developers that in 6 months doesn't find a better solution among the
many blatant ones?

I believe they felt this was the right decision. The only argument  
here is that you

Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> > An open-source project is not supposed to change rules at will. The license
> > itself of open source software is often oriented toward this view, such that
> > it guarantees people to keep using software they already got, even when the
> > project becomes a completely commercial one.
> >
>
> Wow, not even close.  OSS licenses cover what you can do with the source
> code.  Nothing more.  Nothing less.

Exactly what I meant. Many OSS licenses say you get the permanent right to
run the software. If a project becomes commercial and stops free
distribution, the user still has the right to use (and modify) its old copy
of the software. The company now owning the project can't stop you from
doing so. The company doesn't have the right to change the rules at will...

Some OSS licenses impede "de facto" a migration from OSS to barely
commercial, since no line of the OSS product could be used in the commercial
one. But not all the OSS licenses do this.

All this OSS licensing game stems from a wider philosophy, which can hardly
be coded in laws or legal agreements. It is regarding the freedom of access
and use of software. It was meant to contrast emerging (Microsoft) as well
as consolidated (IBM, Sun) software monsters, who were willing to gain total
control on the software market.

I don't believe that the people who made the OSS world so interesting and
important would agree on the fact that a database upgrade known to cause a
functional kill would be OSS-compliant. Maybe in a court it is. Are we in a
court?


> And there's nothing stopping you from
> grabbing the clamav source code, rewriting freshclam to ignore updates past
> the 14th of April, and making that available to the world.  *THAT* is the
> point of OSS ... you have the freedom to do whatever you want with the
> source code.

Right. But not because of the source code itself (that is the legal facade).
That is because of the functionality it carries. Who care of some megabytes
of text?


> There's nothing in any OSS license that says the software will always work,
> that the software will be bug free, that all future updates will work with
> any previous version, etc.

In fact there isn't. This doesn't mean that the idea of a killer update - a
db update, by the way. Not a software one - would be in line with the OSS
philosophy. Sure it is with licenses. Sure who put it out will rest with no
worries tonight. But to me, its effects clash a bit with OSS philosophy.


> > Because the open-source idea is
> > all based on freedom.
> >
> 
> Not in the way you think it is.



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jim Preston

On Apr 16, 2010, at 3:36 PM, Giampaolo Tomassoni wrote:


Obviously, you are choosing to be dense. The bottom line is that the
particulars regarding this event were published. Whether or not you
availed yourself of that notification is immaterial. There was not
anything nefarious in the ClamAV team's actions. You have obviously
bought into the shibboleth that software authors, distributors, etc must
adhere to your specifications. Your rantings against them have turned
puerile.


I'm not ranting against anybody. I'm asking if you pondered any other way to
obtain the very same result, without putting your finger into somebody
else's systems. That's it.

I think you're ranting, not me.



Your server(s) are your responsibility. That responsibility includes
keeping abreast of events that might adversely affect them. Obviously,
at least to me, that would include the software installed on said
machines. I subscribe to every major software forum for the software
installed on my machines. It is part of my job description. If you are
too busy to keep abreast of the latest developments regarding your
system, or unwilling to do what is required to keep your system
fully functional and assuming others are dependent upon you doing so,
then perhaps it is time to start looking for a new line of work.


This has nothing to do with the correct way a team of supposedly
knowledgeable and professional people should follow to solve a problem.


I don't believe the way the team chose was the best one, since I have the
strong belief that other, equal-cost and less-damaging solutions were simply
available.


Yes, and you have made your point, you are not happy with the way the  
team decided to handle the situation. However, that does not mean it  
is your decision to make.


I don't understand why you or other keep teaching (the art of) system
administration to anybody. Everybody like to manage its own systems the way
they like. Even SpamAssassin comes with its own update tool, but this tool
doesn't commit the update if something smells wrong and SpamAssassin keeps
running with old rules. There are people in the world to whom this is less
than an issue. As long as nobody from outside stops their spamassassin, the
fact the rules are old is unimportant.

Yes, you are correct here and I am not an authority on the history of
spamassassin, they added in (not necessarily in the beginning) a
mechanism to handle this. ClamAV did too, but is not an available
mechanism till version 0.95





Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jim Preston

On Apr 16, 2010, at 3:20 PM, Giampaolo Tomassoni wrote:


The ClamAV team have commanded old versions of its product to stop working.
Not even Microsoft do this.


I can't tell you how many support calls I've received over the years
with people saying "my Internet stopped working" and it was due to their
Norton or McAfee license expiring.

As someone so eloquently stated earlier, your clamav<0.95 license has
expired.  It's as simple as that.

If you felt other consequences, like mail stopped flowing, change your
mail config to fail-open rather than fail-closed.  Your mail config is
simply not anyone else's responsibility.


Most of us choose an open-source project exactly because it wouldn't work
the way Norton or McAfee work.

Or do you really think ClamAV is a big and smart monster against malware?


Giampaolo


Again, you miss the point, the point was not that they were acting as  
Norton or McAfee, but that those whose systems stopped sending mail  
AND are upset by it,  did not properly configure their system.


Jim
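
The two safeguards argued over in this thread, sketched as an added example (not code from ClamAV, SpamAssassin or any poster): an update step that load-tests a new signature file before committing it, so a rejected update leaves the old signatures in service, and the fail-open versus fail-closed choice for mail when the scanner is down. The `Name=hex` file format, the 900-byte limit (standing in for the "about 900bytes" mentioned in the thread) and all function names are assumptions.

```python
import os
import tempfile

# Assumption: stand-in for the "about 900 bytes" signature length that the
# thread says pre-0.95 engines cannot load. Not a value taken from ClamAV.
LEGACY_MAX_SIG_LEN = 900


def validate_db(path, max_sig_len=LEGACY_MAX_SIG_LEN):
    """Load-test a signature file the way the installed engine would.

    Uses a simplified, hypothetical 'Name=hexbytes' line format (not ClamAV's
    real database format). Returns the number of signatures loaded, or raises
    ValueError at the first line this engine could not handle.
    """
    count = 0
    with open(path, "rb") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip(b"\r\n")
            if not line:
                continue
            if len(line) > max_sig_len:
                raise ValueError(
                    f"line {lineno}: {len(line)} bytes exceeds engine limit {max_sig_len}")
            name, sep, hexsig = line.partition(b"=")
            if not sep or not name or not hexsig:
                raise ValueError(f"line {lineno}: expected Name=hexbytes")
            try:
                bytes.fromhex(hexsig.decode("ascii"))
            except ValueError:
                raise ValueError(f"line {lineno}: malformed hex string") from None
            count += 1
    if count == 0:
        raise ValueError("database contains no signatures")
    return count


def staged_update(live_path, new_db, validator=validate_db):
    """Commit new_db (bytes) over live_path only if the validator accepts it.

    Returns (committed, detail). On rejection the live file is untouched, so
    the scanner keeps running on the signatures it already has.
    """
    directory = os.path.dirname(os.path.abspath(live_path))
    fd, staged = tempfile.mkstemp(dir=directory, suffix=".staged")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(new_db)
            fh.flush()
            os.fsync(fh.fileno())
        count = validator(staged)
        os.replace(staged, live_path)  # atomic swap within one filesystem
        return True, f"committed {count} signatures"
    except ValueError as exc:
        return False, f"update rejected, keeping current database: {exc}"
    finally:
        if os.path.exists(staged):
            os.unlink(staged)


def delivery_decision(scanner_up, infected, policy):
    """Decide what the mail filter does with one message.

    'fail-closed': no scan, no delivery (temporary failure, sender retries).
    'fail-open':   deliver unscanned while the scanner is unavailable.
    """
    if policy not in ("fail-open", "fail-closed"):
        raise ValueError(f"unknown policy: {policy}")
    if scanner_up:
        return "reject" if infected else "deliver"
    return "deliver-unscanned" if policy == "fail-open" else "tempfail"


def demo():
    """Run one rejected and one accepted update against constructed data."""
    old = b"Constructed.Test-1=deadbeef\n"
    too_long = b"Constructed.Long=" + b"ab" * 600 + b"\n"  # 1217 bytes on one line
    good = old + b"Constructed.Test-2=cafebabe0102\n"
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "sigs.db")
        with open(live, "wb") as fh:
            fh.write(old)
        for update in (old + too_long, good):
            committed, detail = staged_update(live, update)
            with open(live, "rb") as fh:
                live_matches_update = fh.read() == update
            results.append((committed, live_matches_update, detail))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
    for policy in ("fail-open", "fail-closed"):
        print(policy, "->", delivery_decision(False, False, policy))
```

Logging or alerting on the rejection message is what keeps a held-back update from turning into silently stale signatures, and fail-open keeps mail flowing only at the price of delivering it unscanned.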


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jim Preston

On Apr 16, 2010, at 3:18 PM, Giampaolo Tomassoni wrote:


The ClamAV team have commanded old versions of its product to stop working.

I would not describe what they did that way.

Older versions of clamd were going to crash on signatures that newer
versions would accept, and the devs have been prevented for at least 6
months from using that type of signature. They have posted since then for
people to upgrade.

What they did was publish this type of signature (has to do with length,
greater than about 900bytes), where the signature itself is an error
message, so when the program dumped the signature the error would be
displayed.

That's all, not a kill switch as such, but using a known bug to deliver a
message, rather than have it just bomb out with a hex dump when they tried
to use a larger signature.


They could prevent these old systems from being updated at all. It was
really simple and nobody would get hurt.

Giampaolo


You miss the point. It was not up to them to protect you from  
yourself. It was THEIR decision, and one they have a right to  
exercise, that they can NOT AFFORD to support old versions and  
accomplish what they want with current and future development. Could  
they have done it differently, yes, should they have? That is up to  
them. Since this was 6 months in coming it was not a rash and  
impulsive decision.




Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> > An open-source project is not supposed to change rules at will. The
> > license
> > itself of open source software is often oriented toward this view,
> > such that
> > it guarantees people to keep using software they already got, even
> > when the
> > project becomes a completely commercial one.
> 
> Exactly but the ONLY thing open-source guarantees is that you will not
> be charged for the source code. The fact that the community provides
> binaries is a convenience for you (and the rest of us). If you chose
> to build your own, you could have prevented this by modifying the
> source code.

Right, but it isn't that simple to me. The OS stems from the idea of wide
usability and free exchange which is (was?) common in research. The basic
idea was to prevent anybody to limit your option in using an OS product.

The various OS licenses available nowadays are effectively only based on a
matter of free access to the software, but this is because it was basically
the only reasonable thing needed in a unconnected world, when you had to
physically "put in the disk" to install or update something.

To me, today the freedom of use of an OS package also means that any risk of
impairing the usefulness of an existing installation should be reduced to a
minimum. Please note this isn't stated in licenses, of course. Probably
because it is unfeasible to be stated there, or because in a connected world
there are many things which may go the wrong way and impair existing
software. But nevertheless one of the target to which a team developing a
(successful) OS product should attain, should be to keep old installations
working the way they already do. It doesn't mean backward compatibility, of
course. It simply means "live and let live".


> > A remote kill is very dangerous to a commercially-oriented product,
> > but may
> > be a real disaster to an open-source one. Because the open-source
> > idea is
> > all based on freedom.
> 
> They did not do a "Remote kill" They sent out one of the new style
> signatures which your installed version could not handle. It is still
> your responsibility as it is the responsibility of everyone who sets
> up a server to ensure it DOES what they want in case of a failure. You
> chose to keep the default behavior which is to block mail when it
> can't be scanned and want to blame ClamAV for that. All they are
> responsible for is sending out the new signatures as they had promised.

But they were aware of the consequences. And they were probably aware of the
fact that there were workaround which could let the new functionalities
live, while letting the old installations live too.


> > The ClamAV team can't act the way it did and not risk to be censured
> > by the
> > open-source community.
> >
> > If people blames you and feels betrayed by you, it is not a "sysadm
> > matter"...
> >
> > Giampaolo
> >
> Yes it is, as my systems did not fail nor did anyone who bothered to
> heed the warnings that clamd would STOP working and took steps to
> mitigate the situation. That could be by upgrading or not accepting
> new signatures or ANY other method including modifying the source code.

The people who preferred clamav because it was a solution much less prone to
stop due to licensing matters, may feel betrayed.

Honestly, I feel more worried than betrayed. But it isn't a good feeling
anyway.



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Chuck Swiger
On Apr 16, 2010, at 4:24 PM, Giampaolo Tomassoni wrote:
>>> What if your PS3 stops working because the maker thinks it is a too-old 
>>> model to still go?
>> 
>> A fine question.  Let's suppose a certain old PS3 model has a serious
>> manufacturing defect, such that it can overheat and catch fire.
> 
> Which is not our case...

You suggested the analogy.

[ ... ]
>> Six months later, Sony releases a new game which happens to really beat
>> on the PS3 and is pretty likely (or even dead-certain) to cause
>> machines which have this problem to catch fire.  Should Sony release
>> firmware which causes the PS3 to refuse to run this game?
> 
> No, they should not. Period. One runs its own life the way he/she likes.

Evidently, both the ClamAV folks and Sony disagree with your position.  
However, since you've also clearly made up your mind on this matter, I won't 
argue further.

Please fork ClamAV into your own project, perhaps called OstrichAV-- for those 
who wish to hide from what they consider to be unreasonable software updating 
policies-- and you may provide the world with virus definition updates in a 
fashion that will support all versions of your fork of the software, as best 
you can, indefinitely.

[ If this doesn't seem fair to expect of you, then it's time to re-evaluate 
your own expectations vis-a-vis ClamAV ]

Regards,
-- 
-Chuck



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jim Preston


On Apr 16, 2010, at 3:15 PM, Giampaolo Tomassoni wrote:


Pointing out that they are wrong, why they are wrong, and how they should
do things instead _IS_ helping them.  That is the way people work, that
is the way people learn, that is how wrong situations get corrected.


The only "wrong situation" I see is the fact that bunch of people, urged by
dangerous teaching needs, can cause trouble to thousands.



Now, should they do that in a nice, polite way.  Yes.  Do they often
do it in a rude or condescending way instead.  Unfortunately yes.  That
is perhaps the part that needs fixing.


The problem is when they do wrong things in a nice, polite way. Not the
contrary. We are not from the same planet...



Check the mailing list archives...


Let me see: I subscribed to this list in Nov 2009. I need more time to fetch
it.


If you subscribed to it in Nov. 2009 and have been reading it, then you
should have known about this issue, and how to avoid any problems. So there
should be no problem.


In fact I don't have any, apart from the fact that I don't like a bunch of people
to decide when my server should fail...

Giampaolo



Nobody but you (and others that chose not to update) decided that your  
server should fail. All that was done was a signature that your  
version can not read was sent out. You have configured your system to  
automatically update the signatures and this signature can not be used  
by your system...


Jim


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> Just one remark: Anyone Ran Linux on their PlayStation lately?
> 
> http://en.wikipedia.org/wiki/PlayStation_3#Removal_of_.22Other_OS.22_support_with_firmware_v3.21

Aaah, see? This is how things go with commercial products. This to the
various iPad/iPhone etc. It is the same or even worse.

Producers are trying to tighten customers to their own distribution
channels.

This is definitely not something I would like to see on open-source
projects. 



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Chris Meadors

On 4/16/2010 7:08 PM, Giampaolo Tomassoni wrote:

This is not a matter of missing upgrades. This is a matter of proactively
breaking running systems.


Exactly.  They proactively broke the scanner so people would know why it
broke, rather than letting it die with nothing more than an obscure
malformatted hexstring error.


Wasn't it better to simply let these system go the way they were used to?

What's the difference from the clamav standpoint?


The ClamAV developers want to continue on with things the way they are
used to.  They don't want to overhaul their update system just so they 
can continue to support a version of the software which is rapidly 
becoming less usable.


You proposed that they change the way that 0.96 updates.  Fine, that
could have been done.  But what about 0.95? Which is arguably the most 
deployed version at this moment.  It was first released on 2009-03-23, 
and the last update was made 2009-10-28.  It properly handles 
incremental updates of large signatures, and will continue to need new 
signatures for a while longer.  0.96 was just released on 2010-03-31.


There's no way to stop updates for 0.94 and below, while still providing 
updates for the heavily used 0.95, even if changes were made for 0.96.


--
Chris


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> On Apr 16, 2010, at 1:42 PM, Giampaolo Tomassoni wrote:
> >> The owner of the box.  They may not be qualified to manage the machine,
> >> but computers don't plug themselves into the network-- every machine
> >> belongs to someone who pays for electrical power and network
> >> connectivity.
> >
> > What if your PS3 stops working because the maker thinks it is a too-old
> > model to still go?
> 
> A fine question.  Let's suppose a certain old PS3 model has a serious
> manufacturing defect, such that it can overheat and catch fire.

Which is not our case...


> Let's suppose Sony starts releasing firmware updates on new games, or
> via network updates, etc, which check for the presence of the defect
> and produce a big red warning on the screen saying, "This machine has a
> problem and it needs a human to check and fix it."  They don't stop you
> from playing your game, but they have been trying hard to catch your
> attention.

Which is probably the correct approach.


> Six months later, Sony releases a new game which happens to really beat
> on the PS3 and is pretty likely (or even dead-certain) to cause
> machines which have this problem to catch fire.  Should Sony release
> firmware which causes the PS3 to refuse to run this game?

No, they should not. Period. One runs its own life the way he/she likes.


> >>> If nobody had to turn off freshclam, why clamscan had to stop working?
> >>
> >> Sufficiently old versions of ClamAV don't work with all of the current
> >> signatures, and bugs in these old versions prevent the ClamAV team from
> >> writing more complex signatures that they would like to use.
> >
> > Just prevent old versions from upgrading. It is not that difficult.
>
> I agree with you entirely.  You're welcome to roll back to the 2010-4-14
> virus signatures before the less-than-0.95 kill switch was turned
> on, and your outdated ClamAV will continue to run just fine with these
> old signatures.

This is feasible, but now needs some kind of human intervention. Which
generally means money. Which generally means, "since you're here, replace
this stuff with an Exchange Server. My friend says it is wonderful and
doesn't stop. Ever!".


> PS: I wonder just how strong the correlation is between people who are
> complaining about this issue and ones who also don't have adequate
> backups such that they actually could revert to yesterday's signature
> files?

-1 for me: I'm not debating for necessity. I'm doing it for a right cause!



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> > I'm now a bit uncomfortable with the idea that the ClamAV team can so
> > easily "unplug the wire". When there are other ways to do the same with few
> > more effort, if at all, too.
> 
> So am I.  And I'm a little uncomfortable that I didn't suggest other
> ways to accomplish this when they first announced this and asked
> for feedback.  And I'm a lot uncomfortable about all the other people
> who are so upset now who also never spoke up when asked to.  It is
> our fault for not speaking up when asked to, for not complaining when
> this was announced, for keeping quiet each time they told us repeatedly
> this was coming.  It is not their fault for doing something they told
> us they were going to do and we didn't have the smarts to reply to or
> suggest alternative to.  It is our fault, so lets own up and take the
> responsibility, and not blame them for our failings.

Maybe you're right. I too had to pay more attention to that messages. But I
didn't. Is it only our fail, then? Isn't that there is also something wrong
in the reasoning behind all this?

We could at least hope that our late complains may help avoiding further
cases like this.


> It reminds me of the people who don't vote, then complain about who
> was elected...

Which, by the way, is allowed anyway (at least in my country).



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Simon Hobson

Jerry wrote:


> Err, it does have something to do with it. You made the assertion
> that no-one would spend money replacing a system rather than upgrade
> it. Two of us now have pointed out that real world PHB do exactly
> that sort of thing - and this issue with clamav getting the kill
> switch can be just the sort of excuse they need. It may not be a
> valid reason, but then so many business decisions are based on having
> enough excuses to do what you want rather than doing what would
> logically be right. As Giampaolo comments, some people (especially
> PHBs) simply see it as "that Linux stuff blew up, best go with
> Microsoft like everyone else".


The two who have "pointed out that real world PHB do exactly that sort
of thing" now are operating broken systems. So much for credibility.


There you are again - that attitude is rubbing people up the wrong 
way and not helping. May I point out that my system was working fine 
until fed sour data ? Your analogy would be like saying that a car is 
broken if someone put sugar in the tank, and it would be all the 
owners fault as long as the vandal (it's claimed) told them in 
advance to fit a sugar filter.



> Fortunately that's not the case where I am - this box replaced an
> iMail server running on NT4 which was forever crashing and getting
> used for spamming. No-one on the engineering or support teams mourned
> its loss! But equally, if it wasn't for the licence costs,
> management would still be happier with a Microsoft 'solution'.


NT is ancient history. Why you would even mention it is beyond me,
although it might be interesting to know when they actually did get
around to swapping it out. Then again, maybe I don't want to know.


Yet guess what, NT is still in use in many places (and it's why MS 
bought Connectix so they could rebrand their virtualisation software 
and sell it to customers so they could run their NT systems on newer 
systems). There are many reasons for using old software - in fact I 
have a PC down in the garage that still runs DOS/Windows3. In that 
case, it's an embedded system and it really, really wouldn't be worth 
trying to touch it - only to scrap it and buy another machine. We've 
got customers running similarly old software because that's what the 
package works with - and it would be horrendously expensive to 
upgrade (in many cases meaning scrapping the machine it runs).


Another server I run is also not updated. In this case, not only 
would I have to fix any issues related to the server itself - but I'd 
also risk breaking any of the customer sites it runs. Just before it 
was handed to me, the guy that built it did some updates - and then 
handed it over with an "oops, can you fix it" yes I've had a security 
issue with it, but that was a config issue. If customers want to 
upgrade - I move them to a newer server.


What I'm trying to get through is that there are valid reasons for 
not running the very latest bleeding edge stuff. I agree that with 
something like Clamav there aren't that many show stoppers, but you 
come across as having the attitude that old versions should simply
cease to exist and anyone running them is automatically an idiot.
It would be nice to have a job where all I have to do is run a few 
servers - and I have all the time I need to update them (and fix them 
when the update breaks it*), but I have a real world job where that 
isn't the case.


* BTW - thinking back, I've had more things break from updates, than 
I have had problems from not updating. In that respect, even with 
this issue, it's not been too bad a return from the policy decisions 
I've taken.


--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> > This is not a matter of missing upgrades. This is a matter of proactively
> > breaking running systems.
> 
> Exactly.  They proactively broke the scanner so people would know why it
> broke, rather than letting it die with nothing more than an obscure
> malformatted hexstring error.

Wasn't it better to simply let these systems go the way they were used to?

What's the difference from the clamav standpoint?



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> And you are free to do so, just as the developers are free to release
> signatures that do not work with older versions. That is ALL that
> happened. In doing so, clamd fails to be able to properly read the
> database and fails.

Things are a bit more complex, because I see the problem of long signatures
was known to the team well before the 15. There were both time and capacity
to avoid any unwanted side effect. But the team chose to disregard them.


> >> There have been numerous pieces of software that I have used over the
> >> years that have died on the vine and no longer suitable for new
> >> systems. Do I rant at them that they MUST provide me with a new
> >> version, no, I deal with it. Either building my own from sources or
> >> moving on to a new piece of software.
> >
> > This is not a matter of missing upgrades. This is a matter of
> > proactively
> > breaking running systems.
> 
> They didn't, YOU did.  You failed to properly configure your email to
> handle a failure in clamd.
> Were there many others like you who also failed to configure their
> systems to handle a failure in clamd? Yes, but that again was their
> decision as it was yours.

Jim, you're still trying mudding me to stop what I'm saying. The fact that
the team was aware of the implication of long signatures and the fact that
they let things happen, doesn't mean anything to you?


> > Jim, you keep adding apples and pears together. Aren't you starting
> > feeling
> > the importance of what the ClamAV team wanted and let happen?
> >
> 
> Yes, they were concerned that new signatures coming out are not
> compatible with older versions, stated so, and sent one of them out.
> You would be in exactly the same situation next month.

No, the problem is that I'm not in this situation now (I would not be
debating otherwise), but I don't want to be in troubles like these in the
future, just because someone decides I'm not knowledgeable and responsible
enough to run a mail server. Do you understand the implications of what
you're saying? 


> The fact that they made a conscious decision to not have separate
> signatures was THEIR decision to make and YOURS to ignore.



> 
> >
> >>> The way the clamav team managed this case hits the open software
> >>> community
> >>> as a whole, being the ClamAV project a well-known member of that
> >>> community.
> >>
> >> Yes, but not necessarily in a negative way.. One of the MAJOR
> >> problems with Microsoft software is their insane insistence on
> >> backwards compatibility. Sometimes it does not make sense to do so
> >> and
> >> you just have to bite the bullet and let people know it will not
> >> work.
> >> In Microsoft's case they simply fail to let people know.. in
> >> addition to breaking it.
> >
> > This is a good point of view which I can easily endorse. But we are
> > still
> > speaking of stopping working systems. We are not speaking about
> > introducing
> > a backward incompatibility.
> 
> Yes we are, we are speaking of signatures that can not be handled by
> versions older than 0.95. They decided to forego compatibility just as
> YOU chose to ignore their warnings.

They decided to forego empathy by people who like open-source stuff. This is
what they did. And by continuing to say the error is only by the sysadmins,
you aren't helping them.


> And before we get back to "I didn't know", as judges are quick to
> point out, ignorance of the law (or in this case changes coming down
> the pike) is no excuse.

Ahahaha! This is the most silly thing I've ever heard from you! Hahahah!


> We are not trying to say you shouldn't feel bad about it sneaking up
> on you, but that does not change the fact that the ClamAV team put out
> notices 6 months ago that this would happen.

So what? This proves they were aware of the problem and that they let pass 6
months not moving a finger.

According to your rules, if people ignoring door signs are bad admins, what
are developers that in 6 months don't find a better solution among the
many blatant ones?



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jerry
On Fri, 16 Apr 2010 23:50:09 +0200, Giampaolo Tomassoni
 articulated:

> > > Err, it does have something to do with it. You made the assertion
> > > that no-one would spend money replacing a system rather than
> > > upgrade it. Two of us now have pointed out that real world PHB do
> > > exactly that sort of thing - and this issue with clamav getting
> > > the kill switch can be just the sort of excuse they need. It may
> > > not be a valid reason, but then so many business decisions are
> > > based on having enough excuses to do what you want rather than
> > > doing what would logically be right. As Giampaolo comments, some
> > > people (especially PHBs) simply see it as "that Linux stuff blew
> > > up, best go with Microsoft like everyone else".
> > 
> > The two who have "pointed out that real world PHB do exactly that
> > sort of thing" now are operating broken systems. So much for
> > credibility.
> 
> See, Jerry. Credibility is something one have to gain. In my small
> domain, I already did it. What about you?

Well, let's think about this. Since I do not know you personally and
have no direct or indirect knowledge of your domain, I feel safe in
saying that my credibility within it might at best be considered
debatable.

> I see you're quite far from it at the moment, since you are trying to
> drive people to think that complains are only from bad sysadms. I
> can't of course speak for others, but I'm complaining because of the
> bad light in which the ClamAV team put open-software with the 0.96
> case.

To paraphrase your statement that you are only complaining because of
this unproven accusation that ClamAV is somehow putting FOSS in peril,
"When someone says it's not the money but the principle, you can bet
your bottom dollar it is the money." In other words, you are trying to
move off center and refocus on alleged damage that the ClamAV
action(s) have caused. Actually, I take the opposite stance. Team
ClamAV has taken a bold move forward. By refusing to back port every
conceivable enhancement to their product, they will be able to focus on
producing a more robust product. Microsoft spent billions of dollars
back porting every conceivable improvement to their system just to
placate the winny-weaners (you know the type) that expect everyone to
cater to their demands. This led to a less than robust Internet
Explorer offering. Now that they have openly stated that the unreleased
IE9 will not work on WinXP, a ten year old OS, those same cry-babies
are at it again. Maybe you and them should get together and form a fan
club.

> My systems, Jerry, work fine, thank you. But I had a couple of phone
> calls from some friend sysadmins (yes, I have friends colleagues. Do
> you?) who were in trouble due to ClamAV.

My systems are functioning perfectly. Then again, I don't
procrastinate, although I have spent way too much time today on this
chat line. Of course, since none of my systems are down due to a
catastrophic AV failure, I really don't have a whole lot to do at
present.

> Open software shouldn't behave this way. The ClamAV team should have
> implemented ways to not screw old installation while going for its
> own way. There were feasible ways to do this, but they chose not to
> follow them. Period.

They chose to do it in a manner that was most efficient for them. By
the way, how much did you pay for your ClamAV license? Better yet, when
ClamAV asked for public input months ago on the planned change, what did
you contribute to the party? I am willing to bet nothing. You are like a
moron who doesn't vote and then bitches because the candidate they
wanted did not get elected.

-- 
Jerry
clamav.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__

To say you got a vote of confidence
would be to say you needed a vote of confidence.

Andrew Young


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> It isn't the software per se that is the problem, it is the virus
> database subscription...  If you want to maintain your own virus
> database, you can run as old a version of clamav software as you want.
> 
> Asking clamav to support definitions for old versions is like asking
> other vendors to keep supplying updates for old versions.  At some point
> they stop providing updates.  At some point, clamav stops providing
> updates.
> If you don't want the updates, you can keep using the software, in both
> cases.

ClamAV didn't have to provide any update for old systems. They could code in
the 0.96 version a new DNS entry to check for updates (say, current.cvd1),
and remove the old ones (current.cvd) from the zones. The crappy clamav
wouldn't get updated anymore and wouldn't load the server (apart from the dns
request). But they would be still running and nobody would be complaining
(at least, not at the same time...).


> > This is not a matter of missing upgrades. This is a matter of proactively
> > breaking running systems.
> 
> By using their database updates, you agree to their terms...  This is
> nothing
> to do with the software.  If it broke anything but the clamav software,
> that is really your fault, not theirs.

We are not in a court. It is not a matter of repaying damages. It is a
matter of betrayed trust.


> > This is a good point of view which I can easily endorse. But we are still
> > speaking of stopping working systems. We are not speaking about introducing
> > a backward incompatibility.
> 
> Actually, we are talking about both (breaking working clamav services
> because of a backward incompatibility with new signatures).  You can
> avoid
> it by not using their new signatures, or by upgrading your clamav
> software.
> Your choice.

Which isn't that bad. To have a choice, I mean...



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> Obviously, you are choosing to be dense. The bottom line is that the
> particulars regarding this event were published. Whether or not you
> availed yourself of that notification is immaterial. There was not
> anything nefarious in the ClamAV team's actions. You have obviously
> bought into the shibboleth that software authors, distributors, etc
> must
> adhere to your specifications. Your rantings against them have turned
> puerile.

I'm not ranting against anybody. I'm asking if you pondered any other way to
obtain the very same result, without putting your finger into somebody
else's systems. That's it.

I think you're ranting, not me.


> Your server(s) are your responsibility. That responsibility includes
> keeping abreast of events that might adversely affect them. Obviously,
> at least to me, that would include the software installed on said
> machines. I subscribe to every major software forum for the software
> installed on my machines. It is part of my job description. If you are
> too busy to keep abreast of the latest developments regarding your
> system, or unwilling to do what is required to keep your system
> fully functional and assuming others are dependent upon you doing so,
> then perhaps it is time to start looking for a new line of work.

This has nothing to do with the correct way a team of supposedly
knowledgeable and professional people should follow to solve a problem.

I don't believe the way the team chose was the best one, since I have the
strong belief that other, equal-cost and less-damaging solutions were simply
available.

I don't understand why you or others keep teaching (the art of) system
administration to anybody. Everybody likes to manage their own systems the way
they like. Even SpamAssassin comes with its own update tool, but this tool
doesn't commit the update if something smells wrong and SpamAssassin keeps
running with old rules. There are people in the world to whom this is less
than an issue. As long as nobody from outside stops their spamassassin, the
fact the rules are old is unimportant.



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> > The ClamAV team have commanded old versions of its product to stop working.
> > Not even Microsoft do this.
> 
> I can't tell you how many support calls I've received over the years
> with people saying "my Internet stopped working" and it was due to
> their
> Norton or McAfee license expiring.
> 
> As someone so eloquently stated earlier, your clamav<0.95 license has
> expired.  It's as simple as that.
> 
> If you felt other consequences, like mail stopped flowing, change your
> mail config to fail-open rather than fail-closed.  Your mail config is
> simply not anyone else's responsibility.

Most of us choose an open-source project exactly because it wouldn't work
the way Norton or McAfee work.

Or do you really think ClamAV is a big and smart monster against malware?

Giampaolo

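An added example (not from the thread, and not ClamAV or SpamAssassin code) of two defensive ideas raised in the messages above: test-load a downloaded signature database with the installed engine before committing it, and decide deliberately between fail-open and fail-closed when the scanner cannot load its database. The toy `Name:hexpattern` format, the 900-character limit, the verdict strings and all function names are assumptions made for this sketch.

```python
import os
import shutil
import tempfile

MAX_SIG_LEN = 900  # assumed parser limit of the toy "old engine" (hex characters)


class DatabaseRejected(Exception):
    """The installed engine cannot load this database."""


def load_database(path, max_sig_len=MAX_SIG_LEN):
    """Parse a toy 'Name:hexpattern' database as the installed engine would."""
    sigs = {}
    with open(path, encoding="ascii", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, sep, pattern = line.partition(":")
            if not sep or not name or not pattern:
                raise DatabaseRejected(f"line {lineno}: malformed entry")
            if len(pattern) > max_sig_len:
                raise DatabaseRejected(f"line {lineno}: signature too long for this engine")
            try:
                sigs[name] = bytes.fromhex(pattern)
            except ValueError as exc:
                raise DatabaseRejected(f"line {lineno}: bad hex") from exc
    if not sigs:
        raise DatabaseRejected("no signatures")
    return sigs


def staged_update(candidate, live, loader=load_database):
    """Replace `live` with `candidate` only if the engine can load the candidate."""
    live_dir = os.path.dirname(os.path.abspath(live))
    fd, staged = tempfile.mkstemp(dir=live_dir, prefix=".staged-")
    os.close(fd)
    try:
        shutil.copyfile(candidate, staged)
        loader(staged)            # test-load with the engine that will use it
        os.replace(staged, live)  # atomic swap on the same filesystem
        return True, "committed"
    except DatabaseRejected as exc:
        return False, f"kept previous database: {exc}"
    finally:
        if os.path.exists(staged):
            os.remove(staged)


def mail_verdict(payload, live, fail_open, loader=load_database):
    """Scan one message body; the policy flag decides what a broken scanner means."""
    try:
        sigs = loader(live)
    except (DatabaseRejected, OSError):
        # Scanner unusable: fail-open delivers unscanned, fail-closed defers mail.
        return "accept-unscanned" if fail_open else "tempfail"
    for name, pattern in sigs.items():
        if pattern in payload:
            return f"reject:{name}"
    return "accept"


def demo():
    """Run the scenario on constructed databases and return the outcomes."""
    workdir = tempfile.mkdtemp(prefix="sigdb-demo-")
    try:
        live = os.path.join(workdir, "live.db")
        good = os.path.join(workdir, "good.db")
        bad = os.path.join(workdir, "bad.db")
        with open(live, "w", encoding="ascii") as fh:
            fh.write("Test.Old:deadbeef\n")
        with open(good, "w", encoding="ascii") as fh:
            fh.write("Test.Old:deadbeef\nTest.New:cafebabe\n")
        with open(bad, "w", encoding="ascii") as fh:  # 1000 hex chars: over the limit
            fh.write("Test.Old:deadbeef\nTest.Long:" + "ab" * 500 + "\n")
        results = {}
        results["bad"] = staged_update(bad, live)
        results["after_bad"] = mail_verdict(b"xx\xde\xad\xbe\xefxx", live, fail_open=False)
        results["good"] = staged_update(good, live)
        results["after_good"] = mail_verdict(b"\xca\xfe\xba\xbe", live, fail_open=False)
        # Blind overwrite without staging: the engine can no longer load its database.
        shutil.copyfile(bad, live)
        results["blind_closed"] = mail_verdict(b"hello", live, fail_open=False)
        results["blind_open"] = mail_verdict(b"hello", live, fail_open=True)
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```

With staging, the oversized signature never reaches the live file and scanning continues on the previous database; with a blind overwrite, the outcome depends entirely on the fail-open or fail-closed setting.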


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> > The ClamAV team have commanded old versions of its product to stop working.
> 
> I would not describe what they did that way.
> 
> Older versions of clamd were going to crash on signatures that newer
> versions would accept, and the devs have been prevented for at least 6
> months from using that type of signature. They have posted since then
> for
> people to upgrade.
> 
> What they did was publish this type of signature (has to do with
> length,
> greater than about 900bytes), where the signature itself is an error
> message, so when the program dumped the signature the error would be
> displayed.
> 
> That's all, not a kill switch as such, but using a known bug to deliver
> a
> message, rather than have it just bomb out with a hex dump when they
> tried
> to use a larger signature.

They could prevent these old systems from being updated at all. It was
really simple and nobody would get hurt.

Giampaolo



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> Pointing out that they are wrong, why they are wrong, and how they
> should
> do things instead _IS_ helping them.  That is the way people work, that
> is the way people learn, that is how wrong situations get corrected.

The only "wrong situation" I see is the fact that a bunch of people, urged by
dangerous teaching needs, can cause trouble to thousands. 


> Now, should they do that in a nice, polite way.  Yes.  Do they often
> do it in a rude or condescending way instead.  Unfortunately yes.  That
> is perhaps the part that needs fixing.

The problem is when they do wrong things in a nice, polite way. Not the
contrary. We are not from the same planet...


> >> Check the mailing list archives...
> >
> > Let me see: I subscribed to this list in Nov 2009. I need more time to fetch
> > it.
> 
> If you subscribed to it in Nov. 2009 and have been reading it, then you
> should have known about this issue, and how to avoid any problems. So
> there
> should be no problem.

In fact I don't have any, apart the fact that I don't like a bunch of people
to decide when my server should fail...

Giampaolo



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> >>
> >> Check the mailing list archives...
> >
> > Let me see: I subscribed to this list in Nov 2009. I need more time
> > to fetch
> > it.
> >
> >
> > Giampaolo
> >
> >
> 
> Then how could you possibly have missed the announcement that clamd
> installations will be disabled?

Probably I didn't even pay attention to it. I'm used to keep software up to
date, so I didn't care too much.

Anyway, you keep thinking the wrong way.

How would you feel if you two days ago had an old clamav which caused one of
your mail servers to stop working?

Why did you choose ClamAV? Only because of price? Or even because it is an
open-source project?


> Starting from 15 April 2010 our CVD will contain a special signature
> which disables all clamd installations older than 0.95 - that is to say
> older than 1 year.
> This move is needed to push more people to upgrade to 0.95 .
> We would like to keep on supporting all old versions of our engine, but
> unfortunately this is no longer possible without causing a disservice
> to
> people running a recent release of ClamAV.
> The traffic generated by a full CVD download, as opposed to an
> incremental update, cannot be sustained by our mirrors.

Well, the more I read it, the more I don't understand the need for shutting
old clamd down.

And the more I feel there was some management "diktat" behind it.

Giampaolo



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jim Preston


On Apr 16, 2010, at 2:53 PM, Freddie Cash wrote:

> On Fri, Apr 16, 2010 at 2:17 PM, Giampaolo Tomassoni <
> giampa...@tomassoni.biz> wrote:
>
> > Because I'm a bit old. And I like freedom. And I prefer to have to bother
> > with mailing lists and bulletin reports and have the control of systems,
> > instead of put my work in the hand of people who could change the rules at
> > will.
> >
> > An open-source project is not supposed to change rules at will. The license
> > itself of open source software is often oriented toward this view, such
> > that
> > it guarantees people to keep using software they already got, even when the
> > project becomes a completely commercial one.
>
> Wow, not even close.  OSS licenses cover what you can do with the source
> code.  Nothing more.  Nothing less.  And there's nothing stopping you from
> grabbing the clamav source code, rewriting freshclam to ignore updates past
> the 14th of April, and making that available to the world.  *THAT* is the
> point of OSS ... you have the freedom to do whatever you want with the
> source code.
>
> There's nothing in any OSS license that says the software will always work,
> that the software will be bug free, that all future updates will work with
> any previous version, etc.
>
> > Because the open-source idea is
> > all based on freedom.
>
> Not in the way you think it is.
>
> --
> Freddie Cash


Well said!

Jim


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Freddie Cash
On Fri, Apr 16, 2010 at 2:17 PM, Giampaolo Tomassoni <
giampa...@tomassoni.biz> wrote:

> Because I'm a bit old. And I like freedom. And I prefer to have to bother
> with mailing lists and bulletin reports and have the control of systems,
> instead of put my work in the hand of people who could change the rules at
> will.
>
> An open-source project is not supposed to change rules at will. The license
> itself of open source software is often oriented toward this view, such
> that
> it guarantees people to keep using software they already got, even when the
> project becomes a completely commercial one.
>

Wow, not even close.  OSS licenses cover what you can do with the source
code.  Nothing more.  Nothing less.  And there's nothing stopping you from
grabbing the clamav source code, rewriting freshclam to ignore updates past
the 14th of April, and making that available to the world.  *THAT* is the
point of OSS ... you have the freedom to do whatever you want with the
source code.

There's nothing in any OSS license that says the software will always work,
that the software will be bug free, that all future updates will work with
any previous version, etc.


> Because the open-source idea is
> all based on freedom.
>

Not in the way you think it is.

-- 
Freddie Cash
fjwc...@gmail.com


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> > Err, it does have something to do with it. You made the assertion
> > that no-one would spend money replacing a system rather than upgrade
> > it. Two of us now have pointed out that real world PHB do exactly
> > that sort of thing - and this issue with clamav getting the kill
> > switch can be just the sort of excuse they need. It may not be a
> > valid reason, but then so many business decisions are based on having
> > enough excuses to do what you want rather than doing what would
> > logically be right. As Giampaolo comments, some people (especially
> > PHBs) simply see it as "that Linux stuff blew up, best go with
> > Microsoft like everyone else".
> 
> The two who have "pointed out that real world PHB do exactly that sort
> of thing" now are operating broken systems. So much for credibility.

See, Jerry. Credibility is something one has to gain. In my small domain, I
already did it. What about you?

I see you're quite far from it at the moment, since you are trying to drive
people to think that complaints are only from bad sysadms. I can't of course
speak for others, but I'm complaining because of the bad light in which the
ClamAV team put open-software with the 0.96 case.

My systems, Jerry, work fine, thank you. But I had a couple of phone calls
from some friend sysadmins (yes, I have friends colleagues. Do you?) who
were in trouble due to ClamAV.

Open software shouldn't behave this way. The ClamAV team should have
implemented ways to not screw old installation while going for its own way.
There were feasible ways to do this, but they chose not to follow them.
Period.



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jim Preston


On Apr 16, 2010, at 2:17 PM, Giampaolo Tomassoni wrote:

> Instead, I preferred ClamAV. And I'm still helping the way I can: I'm
> reporting malware, and now I'm debating on the 0.96 case. And I'm really sad
> when I discover that a move could put in danger the reputability of the
> whole project.
>
> Because I'm a bit old. And I like freedom. And I prefer to have to bother
> with mailing lists and bulletin reports and have the control of systems,
> instead of put my work in the hand of people who could change the rules at
> will.
>
> An open-source project is not supposed to change rules at will. The license
> itself of open source software is often oriented toward this view, such that
> it guarantees people to keep using software they already got, even when the
> project becomes a completely commercial one.

Exactly but the ONLY thing open-source guarantees is that you will not
be charged for the source code. The fact that the community provides
binaries is a convenience for you (and the rest of us). If you chose
to build your own, you could have prevented this by modifying the
source code.

> A remote kill is very dangerous to a commercially-oriented product, but may
> be a real disaster to an open-source one. Because the open-source idea is
> all based on freedom.

They did not do a "Remote kill" They sent out one of the new style
signatures which your installed version could not handle. It is still
your responsibility as it is the responsibility of everyone who sets
up a server to ensure it DOES what they want in case of a failure. You
chose to keep the default behavior which is to block mail when it
can't be scanned and want to blame ClamAV for that. All they are
responsible for is sending out the new signatures as they had promised.

> The ClamAV team can't act the way it did and not risk to be censured by the
> open-source community.
>
> If people blames you and feels betrayed by you, it is not a "sysadm
> matter"...
>
> Giampaolo

Yes it is, as my systems did not fail nor did anyone who bothered to
heed the warnings that clamd would STOP working and took steps to
mitigate the situation. That could be by upgrading or not accepting
new signatures or ANY other method including modifying the source code.

> > As far as whether or not you can trust ClamAV, if this was sprung upon
> > server operators without notice, that might be a consideration.  It
> > wasn't.
> >
> > The difference is that this screaming gets attention and gets the
> > attention of incompetently managed server operators so that things get
> > fixed.




Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Francesco Peeters
On 4/16/10 23:18 , Chuck Swiger wrote:
> On Apr 16, 2010, at 1:42 PM, Giampaolo Tomassoni wrote:
>   
>>> The owner of the box.  They may not be qualified to manage the machine,
>>> but computers don't plug themselves into the network-- every machine
>>> belongs to someone who pays for electrical power and network
>>> connectivity.
>>>   
>> What if your PS3 stops working because the maker thinks it is a too-old
>> model to still go?
>> 
> A fine question.  Let's suppose a certain old PS3 model has a serious 
> manufacturing defect, such that it can overheat and catch fire.
>
> Let's suppose Sony starts releasing firmware updates on new games, or via 
> network updates, etc, which check for the presence of the defect and produce 
> a big red warning on the screen saying, "This machine has a problem and it 
> needs a human to check and fix it."  They don't stop you from playing your 
> game, but they have been trying hard to catch your attention.  
>
> Six months later, Sony releases a new game which happens to really beat on 
> the PS3 and is pretty likely (or even dead-certain) to cause machines which 
> have this problem to catch fire.  Should Sony release firmware which causes 
> the PS3 to refuse to run this game?
>
>   
>>>> If nobody had to turn off freshclam, why clamscan had to stop working?
>>>
>>> Sufficiently old versions of ClamAV don't work with all of the current
>>> signatures, and bugs in these old versions prevent the ClamAV team from
>>> writing more complex signatures that they would like to use.
>>>   
>> Just prevent old versions from upgrading. It is not that difficult.
>> 
> I agree with you entirely.  You're welcome to roll back to the 2010-4-14 
> virus signatures before the less-than-0.95 kill switch was turned on, and 
> your outdated ClamAV will continue to run just fine with these old signatures.
>
> Regards,
>   
Just one remark: Anyone Ran Linux on their PlayStation lately?

http://en.wikipedia.org/wiki/PlayStation_3#Removal_of_.22Other_OS.22_support_with_firmware_v3.21

--FP


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Chuck Swiger
On Apr 16, 2010, at 1:42 PM, Giampaolo Tomassoni wrote:
>> The owner of the box.  They may not be qualified to manage the machine,
>> but computers don't plug themselves into the network-- every machine
>> belongs to someone who pays for electrical power and network
>> connectivity.
> 
> What if your PS3 stops working because the maker thinks it is a too-old
> model to still go?

A fine question.  Let's suppose a certain old PS3 model has a serious 
manufacturing defect, such that it can overheat and catch fire.

Let's suppose Sony starts releasing firmware updates on new games, or via 
network updates, etc, which check for the presence of the defect and produce a 
big red warning on the screen saying, "This machine has a problem and it needs 
a human to check and fix it."  They don't stop you from playing your game, but 
they have been trying hard to catch your attention.  

Six months later, Sony releases a new game which happens to really beat on the 
PS3 and is pretty likely (or even dead-certain) to cause machines which have 
this problem to catch fire.  Should Sony release firmware which causes the PS3 
to refuse to run this game?

>>> If nobody had to turn off freshclam, why clamscan had to stop working?
>> 
>> Sufficiently old versions of ClamAV don't work with all of the current
>> signatures, and bugs in these old versions prevent the ClamAV team from
>> writing more complex signatures that they would like to use.
> 
> Just prevent old versions from upgrading. It is not that difficult.

I agree with you entirely.  You're welcome to roll back to the 2010-4-14 virus 
signatures before the less-than-0.95 kill switch was turned on, and your 
outdated ClamAV will continue to run just fine with these old signatures.

Regards,
-- 
-Chuck

PS: I wonder just how strong the correlation is between people who are 
complaining about this issue and ones who also don't have adequate backups such 
that they actually could revert to yesterday's signature files?


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> >I guess around 25-50% of the malware is old, well-known one. So it is not
> >that silly to have an outdated AV running to lower the received one.
> >
> >But anyway, we are speaking of stuff which worked. It wasn't perfect, but it
> >worked. And in this days the ClamAV staff decided to break it, without a
> >rationale close to the point.
> >
> >Isn't this weird? Is clamav a trustable project? This is what a sysadmin may
> >end thinking next time he/she installs a new system.
> 
> If ClamAV went the other direction and just left people hanging with a
> false sense of security, all the while happily returning a "yup, not
> infected" to every file with modernish malware in it, there would be
> just as much "can I trust 'em?"

Dave, look. These are few files scanned with 0.96:

79504-Jesus.1.exe: 79504-Jesus.1.exe.UNOFFICIAL FOUND
Contract.1.exe: Contract.1.exe.UNOFFICIAL FOUND
Contract.2.exe: Contract.2.exe.UNOFFICIAL FOUND
instructions.1.exe: instructions.1.exe.UNOFFICIAL FOUND
Instructions.1.exe: Instructions.1.exe.UNOFFICIAL FOUND
Instructions.2.exe: Instructions.2.exe.UNOFFICIAL FOUND
Instructions.3.exe: Instructions.3.exe.UNOFFICIAL FOUND
Instructions.4.exe: Instructions.5.exe.UNOFFICIAL FOUND
Instructions.5.exe: Instructions.5.exe.UNOFFICIAL FOUND
Instructions.6.exe: Instructions.6.exe.UNOFFICIAL FOUND
officexp-KB910721-FullFile-ENU.1.exe:
officexp-KB910721-FullFile-ENU.1.exe.UNOFFICIAL FOUND
password.1.exe: password.1.exe.UNOFFICIAL FOUND
settings.1.exe: settings.1.exe.UNOFFICIAL FOUND
settings.2.exe: settings.2.exe.UNOFFICIAL FOUND
settings.3.exe: settings.3.exe.UNOFFICIAL FOUND
settings.5.exe: settings.5.exe.UNOFFICIAL FOUND
settings.6.exe: settings.6.exe.UNOFFICIAL FOUND
settings.7.exe: settings.7.exe.UNOFFICIAL FOUND
settings.exe: settings.exe.UNOFFICIAL FOUND
setup.1.exe: setup.1.exe.UNOFFICIAL FOUND
setup.2.exe: setup.2.exe.UNOFFICIAL FOUND
UPS_invoice_2794.1.exe: UPS_invoice_2794.1.exe.UNOFFICIAL FOUND

I reported to ClamAV each of them. The oldest one is from February, 3. They
are still not detected unless via an .hdb.

This is F-Prot, instead:

[Found security risk]Contract.1.exe
[Found trojan] Contract.2.exe
[Found trojan] instructions.1.exe
[Found trojan]Instructions.1.exe
[Found trojan]Instructions.2.exe
[Found trojan] Instructions.3.exe
[Found trojan]Instructions.4.exe
[Found trojan]Instructions.5.exe
[Found trojan] Instructions.6.exe
[Found virus]   officexp-KB910721-FullFile-ENU.1.exe
[Found virus]   settings.1.exe
[Found trojan]settings.2.exe
[Found trojan] settings.3.exe
[Found downloader] settings.5.exe
[Found trojan] settings.6.exe
[Found security risk]settings.7.exe
[Found downloader] settings.exe
[Found trojan] setup.1.exe
[Found trojan]UPS_invoice_2794.1.exe

It detects all but the most recent ones. So, who should I trust the most with
respect to this?

Instead, I preferred ClamAV. And I'm still helping the way I can: I'm
reporting malware, and now I'm debating on the 0.96 case. And I'm really sad
when I discover that a move could put in danger the reputability of the
whole project.

Because I'm a bit old. And I like freedom. And I prefer to have to bother
with mailing lists and bulletin reports and have the control of systems,
instead of put my work in the hand of people who could change the rules at
will.

An open-source project is not supposed to change rules at will. The license
itself of open source software is often oriented toward this view, such that
it guarantees people to keep using software they already got, even when the
project becomes a completely commercial one.

A remote kill is very dangerous to a commercially-oriented product, but may
be a real disaster to an open-source one. Because the open-source idea is
all based on freedom.

The ClamAV team can't act the way it did and not risk to be censured by the
open-source community.

If people blames you and feels betrayed by you, it is not a "sysadm
matter"...

Giampaolo


> 
> As far as whether or not you can trust ClamAV, if this was sprung upon
> server operators without notice, that might be a consideration.  It
> wasn't.
> 
> The difference is that this screaming gets attention and gets the
> attention of incompetently managed server operators so that things get
> fixed.



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Rick Cooper
Original Message
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of Giampaolo Tomassoni
Sent: Friday, April 16, 2010 2:17 PM
To: 'ClamAV users ML'
Subject: Re: [Clamav-users] The EOL tweets

>> The sysadmins could have done this by turning off freshclam.. and
>> saved themselves from having to deal with the upgrade.
> 
> Who is the sysadmin of an unmanaged box?
> 
> If nobody had to turn off freshclam, why clamscan had to stop working?
> 
> In this thread I'm seeing a lot of people blaming the sysadmin. Is it
> crowded by sysadmins who like to show they are much more competent than
> their colleagues?
> 
> Why nobody from the ClamAV team likes to explain to *users* why they
> decided to stop their own working clamscan, when there were tons of
> suitable alternatives?
> 
> Nobody here gave a serious rationale about it. The way "sysadmins" are
> attacked here, seems to me that the 0.96 case has nothing to do with open
> software, but instead with marketing.
> 
> So please, the genius in the management who came out with this smart idea
> may please came out and explain to us the why? Many people already know
> the when...
> 
> Giampaolo
> 

http://www.clamav.net/eol-clamav-094/




Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Eric Rostetter

Quoting Giampaolo Tomassoni:

> I'm now a bit uncomfortable with the idea that the ClamAV team can so
> easily "unplug the wire". When there are other ways to do the same with few
> more effort, if at all, too.

So am I.  And I'm a little uncomfortable that I didn't suggest other
ways to accomplish this when they first announced this and asked
for feedback.  And I'm a lot uncomfortable about all the other people
who are so upset now who also never spoke up when asked to.  It is
our fault for not speaking up when asked to, for not complaining when
this was announced, for keeping quiet each time they told us repeatedly
this was coming.  It is not their fault for doing something they told
us they were going to do and we didn't have the smarts to reply to or
suggest alternative to.  It is our fault, so let's own up and take the
responsibility, and not blame them for our failings.

It reminds me of the people who don't vote, then complain about who
was elected...

> Giampaolo


--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Chris Meadors
On Fri, 2010-04-16 at 22:30 +0200, Giampaolo Tomassoni wrote:

> So ClamAV should obey to the rules governing the open-software community.
> 
> One is that everybody is free to run it own copy of the software, in
> whichever shape he/she likes it.

You can use ClamAV however you like.  You just can't use the new
signatures with versions older than 0.95.  If you load a new signature
into an older version it will crash.

So if you want to use an older one, you can:  1. fix it so it doesn't
crash when fed a new format signature.  2. Stop updating signatures.  3.
Download the new signatures and remove the new style ones before
installing them.

None of those options will happen automatically.  Anyone who has been
content to ignore the update requirements and continues to download new
signatures will be faced with a crashing clamd.  The ClamAV team just
chose to make it crash with a meaningful message.

> This is not a matter of missing upgrades. This is a matter of proactively
> breaking running systems.

Exactly.  They proactively broke the scanner so people would know why it
broke, rather than letting it die with nothing more than an obscure
malformatted hexstring error.

-- 
Chris



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jim Preston


On Apr 16, 2010, at 1:30 PM, Giampaolo Tomassoni wrote:

> > > > Then that is their choice and when it fails, they can bitch to the
> > > > developers of that system and switch to another vendor ...
> > >
> > > Apart the fact that open software is not yet-another-vendor. It is a
> > > culture.
> >
> > No, ClamAV is a VENDOR that happens to be part of the open software
> > community.
>
> So ClamAV should obey to the rules governing the open-software community.
>
> One is that everybody is free to run it own copy of the software, in
> whichever shape he/she likes it.

And you are free to do so, just as the developers are free to release
signatures that do not work with older versions. That is ALL that
happened. In doing so, clamd fails to be able to properly read the
database and fails.

> > There have been numerous pieces of software that I have used over the
> > years that have died on the vine and no longer suitable for new
> > systems. Do I rant at them that they MUST provide me with a new
> > version, no, I deal with it. Either building my own from sources or
> > moving on to a new piece of software.
>
> This is not a matter of missing upgrades. This is a matter of proactively
> breaking running systems.

They didn't, YOU did.  You failed to properly configure your email to
handle a failure in clamd.
Were there many others like you who also failed to configure their
systems to handle a failure in clamd? Yes, but that again was their
decision as it was yours.

> Jim, you keep adding apples and pears together. Aren't you starting feeling
> the importance of what the ClamAV team wanted and let happen?

Yes, they were concerned that new signatures coming out are not
compatible with older versions, stated so, and sent one of them out.
You would be in exactly the same situation next month.
The fact that they made a conscious decision to not have separate
signatures was THEIR decision to make and YOURS to ignore.

> > > The way the clamav team managed this case hits the open software
> > > community
> > > as a whole, being the ClamAV project a well-known member of that
> > > community.
> >
> > Yes, but not necessarily in a negative way.. One of the MAJOR
> > problems with Microsoft software is their insane insistence on
> > backwards compatibility. Sometimes it does not make sense to do so and
> > you just have to bite the bullet and let people know it will not work.
> > In Microsoft's case they simply fail to let people know.. in
> > addition to breaking it.
>
> This is a good point of view which I can easily endorse. But we are still
> speaking of stopping working systems. We are not speaking about introducing
> a backward incompatibility.

Yes we are, we are speaking of signatures that can not be handled by
versions older than 0.95. They decided to forego compatibility just as
YOU chose to ignore their warnings. And before we get back to "I
didn't know", as judges are quick to point out, ignorance of the law
(or in this case changes coming down the pike) is no excuse.
We are not trying to say you shouldn't feel bad about it sneaking up
on you, but that does not change the fact that the ClamAV team put out
notices 6 months ago that this would happen.

> Giampaolo

Jim



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Eric Rostetter

Quoting Giampaolo Tomassoni:

> > No, ClamAV is a VENDOR that happens to be part of the open software
> > community.
>
> So ClamAV should obey to the rules governing the open-software community.
>
> One is that everybody is free to run it own copy of the software, in
> whichever shape he/she likes it.

It isn't the software per se that is the problem, it is the virus
database subscription...  If you want to maintain your own virus
database, you can run as old a version of clamav software as you want.

Asking clamav to support definitions for old versions is like asking
other vendors to keep supplying updates for old versions.  At some point
they stop providing updates.  At some point, clamav stops providing updates.
If you don't want the updates, you can keep using the software, in both
cases.

> This is not a matter of missing upgrades. This is a matter of proactively
> breaking running systems.

By using their database updates, you agree to their terms...  This is nothing
to do with the software.  If it broke anything but the clamav software,
that is really your fault, not theirs.

> This is a good point of view which I can easily endorse. But we are still
> speaking of stopping working systems. We are not speaking about introducing
> a backward incompatibility.

Actually, we are talking about both (breaking working clamav services
because of a backward incompatibility with new signatures).  You can avoid
it by not using their new signatures, or by upgrading your clamav software.
Your choice.

> Giampaolo


--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> >> The sysadmins could have done this by turning off freshclam.. and
> >> saved themselves from having to deal with the upgrade.
> >
> > Who is the sysadmin of an unmanaged box?
> 
> The owner of the box.  They may not be qualified to manage the machine,
> but computers don't plug themselves into the network-- every machine
> belongs to someone who pays for electrical power and network
> connectivity.

What if your PS3 stops working because the maker thinks it is a too-old
model to still go?


> > If nobody had to turn off freshclam, why clamscan had to stop working?
> 
> Sufficiently old versions of ClamAV don't work with all of the current
> signatures, and bugs in these old versions prevent the ClamAV team from
> writing more complex signatures that they would like to use.

Just prevent old versions from upgrading. It is not that difficult.


> ClamAV isn't different from other anti-virus software or security
> mechanisms in general.  If the software is too old, it doesn't provide
> useful protection from current malware.  If you've ever administered an
> older Windows box at some client site, it's not uncommon to find a 3-
> year out-of-date antivirus install that either has been logging
> complaints for ages, or has been disabled completely because the local
> user got tired of being nagged about the outdated version.

In fact I did find stuff like that. I also found expired Norton AVs that
messed the OS when uninstalled (probably the uninstaller didn't made a very
clean job)...

I was very happy to find an open-source AV product in internet, because I
had the feeling that it was the right solution to avoid that crap in mission
critical applications.

I'm now a bit uncomfortable with the idea that the ClamAV team can so
easily "unplug the wire". When there are other ways to do the same with few
more effort, if at all, too.


> It's also not uncommon to find such machines infected six ways from
> Sunday.

If one can't afford the upgrade, let him/her live the way he/she can. Come
on...

Giampaolo



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> >> Then that is their choice and when it fails, they can bitch to the
> >> developers of that system and switch to another vendor ...
> >
> > Apart the fact that open software is not yet-another-vendor. It is a
> > culture.
> >
> 
> No, ClamAV is a VENDOR that happens to be part of the open software
> community.

So ClamAV should obey to the rules governing the open-software community.

One is that everybody is free to run it own copy of the software, in
whichever shape he/she likes it.


> There have been numerous pieces of software that I have used over the
> years that have died on the vine and no longer suitable for new
> systems. Do I rant at them that they MUST provide me with a new
> version, no, I deal with it. Either building my own from sources or
> moving on to a new piece of software.

This is not a matter of missing upgrades. This is a matter of proactively
breaking running systems.

Jim, you keep adding apples and pears together. Aren't you starting feeling
the importance of what the ClamAV team wanted and let happen?


> > The way the clamav team managed this case hits the open software
> > community
> > as a whole, being the ClamAV project a well-known member of that
> > community.
> 
> Yes, but not necessarily in a negative way.. One of the MAJOR
> problems with Microsoft software is their insane insistence on
> backwards compatibility. Sometimes it does not make sense to do so and
> you just have to bite the bullet and let people know it will not work.
> In Microsoft's case they simply fail to let people know.. in
> addition to breaking it.

This is a good point of view which I can easily endorse. But we are still
speaking of stopping working systems. We are not speaking about introducing
a backward incompatibility.

Giampaolo



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jerry
On Fri, 16 Apr 2010 21:56:39 +0200, Giampaolo Tomassoni
 articulated:

[snip]

Obviously, you are choosing to be dense. The bottom line is that the
particulars regarding this event were published. Whether or not you
availed yourself of that notification is immaterial. There was not
anything nefarious in the ClamAV team's actions. You have obviously
bought into the shibboleth that software authors, distributors, etc must
adhere to your specifications. Your rantings against them have turned
puerile.

Your server(s) are your responsibility. That responsibility includes
keeping abreast of events that might adversely affect them. Obviously,
at least to me, that would include the software installed on said
machines. I subscribe to every major software forum for the software
installed on my machines. It is part of my job description. If you are
too busy to keep abreast of the latest developments regarding your
system, or unwilling to do what is required to keep your system
fully functional and assuming others are dependent upon you doing so,
then perhaps it is time to start looking for a new line of work.

-- 
Jerry
clamav.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__

Say no, then negotiate.

Helga


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Chris Meadors
On Fri, 2010-04-16 at 16:00 -0400, Christopher X. Candreva wrote:

> Older versions of clamd were going to crash on signatures that newer 
> versions would accept, and the devs have been prevented for at least 6 
> months from using that type of signature. They have posted since then for 
> people to upgrade.
> 
> What they did was publish this type of signature (has to do with length, 
> greater than about 900 bytes), where the signature itself is an error 
> message, so when the program dumped the signature the error would be 
> displayed.
> 
> That's all, not a kill switch as such, but using a known bug to deliver a 
> message, rather than have it just bomb out with a hex dump when they tried 
> to use a larger signature.

Exactly!

Again, one of the first messages today showed exactly that.  The error
message which it dies with is:

cli_hex2str(): Malformed hexstring: This ClamAV version has reached End
of Life! Please upgrade to version 0.95 or later. For more information
see www.clamav.net/eol-clamav-094 and www.clamav.net/download

As you can see there isn't a "kill switch", but a bug in the parser 0.94
which doesn't handle the type of signature which they plan to use in the
future.  0.95 just ignores this new signature, as it will do with the
actual malware signatures which will be coming soon.

-- 
Chris



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Jason Bertoch

On 2010/04/16 3:56 PM, Giampaolo Tomassoni wrote:

> The ClamAV team have commanded old versions of its product to stop working.
> Not even Microsoft do this.


I can't tell you how many support calls I've received over the years 
with people saying "my Internet stopped working" and it was due to their 
Norton or McAfee license expiring.


As someone so eloquently stated earlier, your clamav<0.95 license has 
expired.  It's as simple as that.


If you felt other consequences, like mail stopped flowing, change your 
mail config to fail-open rather than fail-closed.  Your mail config is 
simply not anyone else's responsibility.


--
/Jason




Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Christopher X. Candreva
On Fri, 16 Apr 2010, Giampaolo Tomassoni wrote:

> The ClamAV team have commanded old versions of its product to stop working.

I would not describe what they did that way.

Older versions of clamd were going to crash on signatures that newer 
versions would accept, and the devs have been prevented for at least 6 
months from using that type of signature. They have posted since then for 
people to upgrade.

What they did was publish this type of signature (has to do with length, 
greater than about 900 bytes), where the signature itself is an error 
message, so when the program dumped the signature the error would be 
displayed.

That's all, not a kill switch as such, but using a known bug to deliver a 
message, rather than have it just bomb out with a hex dump when they tried 
to use a larger signature.


==
Chris Candreva  -- ch...@westnet.com -- (914) 948-3162
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Giampaolo Tomassoni
> > If nobody had to turn off freshclam, why clamscan had to stop working?
> 
> Have you actually been reading and comprehending what has been stated
> in this thread?

Yes, I did. Did you? If you know, just tell me why.


> > In this thread I'm seeing a lot of people blaming the sysadmin. Is it
> > crowded by sysadmins who like to show they are much more competent
> > than their colleagues?
> 
> Who should I blame, my barber? The SA has primary responsibility for
> his/her system. It would be ludicrous to attempt to pass the blame onto
> someone else.

The ClamAV team have commanded old versions of its product to stop working.
Not even Microsoft do this. And an inexistent SA has to be blamed for this?
It maybe, but because it trusted the ClamAV project, not because he/she
didn't manage something that he/she didn't have to...

But imagine that the SA is a horrible and ugly person, who takes the money
and don't care to give a decent work in return. Even in that case the ClamAV
team should have refrained from stopping that working system. I can't
understand why you have difficulties in understanding this. One can't simply
go and turn stuff off at will.


> > Why nobody from the ClamAV team likes to explain to *users* why they
> > decided to stop their own working clamscan, when there were tons of
> > suitable alternatives?
> 
> They have explained it, you just choose to not listen or accept their
> explanation.

Nono. They haven't. There is no single word about the rationale which drove
to the 0.96 case. I mean, a technical reason which says that the way this
was handled was the only feasible way to do it. It had been said this was to
alleviate the servers load (play with dns, then!), it had been said that the
ClamAV team don't owe anything to its users. It had been a lot of things
against bad sysadmins as opposed to good ones.

All, but the rationale.


> > Nobody here gave a serious rationale about it. The way "sysadmins" are
> > attacked here, seems to me that the 0.96 case has nothing to do with
> > open software, but instead with marketing.
> 
> Who has been attacked? Certainly not competent SAs. Conversely, SAs who
> would rather procrastinate than keep their systems up-to-date are openly
> criticizing the ClamAV team for a decision that was theirs to make. In
> today's culture, blaming others for our mistakes does seem to be the
> norm.

Oh, come on. Proactively shutting down software is not something like "you
knew that could happen"...


> > So please, the genius in the management who came out with this smart
> > idea may please came out and explain to us the why? Many people
> > already know the when...
> 
> They already have explained their reasoning. How many times must they
> reiterate it before you comprehend what they are saying? It has come to
> the point now that all you are doing is "beating a dead horse."

Do you mean management is behind this?


Giampaolo



Re: [Clamav-users] The EOL tweets

2010-04-16 Thread Eric Rostetter

Quoting Giampaolo Tomassoni:

> > > In this thread I'm seeing a lot of people blaming the sysadmin. Is it
> > > crowded by sysadmins who like to show they are much more competent than
> > > their colleagues?
> >
> > Yes, of course it is.
>
> Which is wrong, anyway. Since nobody is perfect, instead of pointing out the
> other's mistake (if any) sysadmins should co-operate. Otherwise others may
> gain some advantages by adopting the "divide et impera" paradigm...

Pointing out that they are wrong, why they are wrong, and how they should
do things instead _IS_ helping them.  That is the way people work, that
is the way people learn, that is how wrong situations get corrected.

Now, should they do that in a nice, polite way.  Yes.  Do they often
do it in a rude or condescending way instead.  Unfortunately yes.  That
is perhaps the part that needs fixing.

> > Check the mailing list archives...
>
> Let me see: I subscribed to this list in Nov 2009. I need more time to fetch
> it.

If you subscribed to it in Nov. 2009 and have been reading it, then you
should have known about this issue, and how to avoid any problems. So there
should be no problem.

> Giampaolo


--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Go Longhorns!