[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: include much needed antivirus products in FC2



On Fri, 09 Jan 2004 00:44:39 +0100, Nicolas Mailhot wrote:

> > > Name a core package that requires this amount of fiddling around before 
> > > it will work, and I will comment on it if I have ever used it... I can't 
> > > think on any!
> > 
> > dhcpd, samba, ldap, mrtg, cvs, rsync, this-is-silly. There are many other
> > services which don't come preconfigured to a level you would just need to
> > run "service foo start" to get going. Not even mentioning any services
> > which require GUI tools to configure them.
> 
> Don't get me wrong - I care zip about AV, never evaluated the different
> packages available, etc. I do care about the "RedHat touch", which is
> things should just work by default. Even atrocious packages like samba
> come with a sane default config that will do something if the samba
> service is started as-is.

"Do something" is rather vague. A preconfigured ready-to-start ClamAV
daemon is useless when no instances make use of it. *When* any
dependencies require it to work out of the box, *then* it makes much more
sense to ship a default config that does something.

> And yes it's useless in normal life (production) because some apps want
> to be customized before being really useful but it's a lifesaver for
> people acquainting themselves with a new app (ie test setups).

Here I read "apps" and "app" while the main ClamAV app "clamscan" works
without prior manual configuration.

> If as you write there are security problems involved - make the default
> setup as insanely pedantically secure as you want to. The point is there
> should be a default setup, that should do something (even something so
> utterly naïve/limited as to be useless except as an example). 

What should the default setup do?

> When you argue users should just copy the example config in some magic
> place because it's dangerous out of the box 

That's a poor summary of what the user is expected to do.

> that speaks volumes about the care you've spent on it. 

Oh, I think the package set is more elaborate and flexible than you think.
That a single [and somewhat impatient] user wants to get a ClamAV daemon
running (without describing his specific requirements and environment in
any details) in a matter of seconds after package installation, is
somewhat surprising but at the same time it has been clear that some
people would not like a few manual steps. You can't please everyone.

> You're eluding problems and trying to push
> them onto the user - how is he supposed to write a sane config if you're
> not confident on your own ability to do it ?

Is that the case? 

The included config files are preconfigured up to the point of requiring
the admin to choose names for multiple server instances and adjust a very
few lines where to decide what type of server to start, where to make a
server accessible and which special user to drop privileges to.

A helper configuration script could aid the admin in performing those few
steps. But that is not the point, as such a script needs extra development
resources and could be added later or contributed by someone.

> If such complex and potentially dangerous/exposed RedHat services as
> Apache, Postfix, Samba all come with a default config that is already
> installed in the right place I can't see how you can justify not doing
> it for your AV app.

Then please review the package and propose improvements. It's bug 268,
IIRC.
 
-- 




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]