
Re: eicar.com installer in Debian, and pre-upload interface to ftpmaster



Marc Haber wrote:
> On Sun, 06 Jul 2003 11:03:37 +0200, Thomas Viehmann <tv@beamnet.de>
> wrote:
>>*Look* at #198311 and search for debian-devel and then ask yourself why Marc
>>thinks that -devel should only be used as a forum to discredit ftpmasters' work,
>>and not as a place where ITPs should be reviewed.
> That was indeed an omission, caused by the fact that I filed an RFP
> first and later retitled the bug to ITP. Surely you never make any
> mistakes.
I make a lot of mistakes. (That's why I prefer working on computers/math over
things like medicine.)

In fact, I made a similar mistake with the ITP of libchipcard (IIRC) because the
X-Debbugs-CC got lost because I usually call reportbug -p and copy stuff into my
mail client when reporting bugs. (And it might be a reasonable idea to
investigate posting ITPs on debian-devel by other means than the
X-Debbugs-CC header so such omissions are impossible).

However, I sincerely believe that without this omission, the ITP might have
been shot down (or held reasonable) before the upload (and possibly before the
creation) of the package. Thus (leaving the style issue that upset you aside) I
think that the (technical) merit of your complaint is somewhat limited.

As far as the eicar license is concerned: Is it really that difficult to obtain
a statement from eicar on whether or not they believe that the test file is
copyrightable and maybe a general permission to distribute the file? From your
comment I guess you tried, but quite possibly they understand better Debian's
concern about licensing with all the publicity the SCO lawsuit has.

That said, I see additional issues with the inclusion of the eicar file (aside
from the obvious point that probably it'd rest just as well in another package
containing a virus scanner): Debian mirrors and CDs will quite possibly be
identified as carrying viruses.
Quite possibly, it's reasonable to "obfuscate" (in a documented way) the file
(e.g. xor it and provide a program for decryption) or include a script or
download instructions rather than the file itself. Possibly, even the original
installer package looks a lot less silly on second thought.

Cheers

T.
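
The documented obfuscation suggested in the message above (XOR the file and provide a program for decoding), as an added example that is not part of the original post or of any Debian package. The container layout, magic value, default key and function names are assumptions made up for illustration, and the payload is a constructed placeholder, not the EICAR file.

```python
import hashlib
import struct

# Hypothetical, documented container: magic | key byte | SHA-256(plain) | XORed data
MAGIC = b"XOBF1\n"
HEADER = struct.Struct(">6sB32s")

# Constructed placeholder payload standing in for the scanner test file.
SAMPLE = b"CONSTRUCTED-PLACEHOLDER-TEST-PATTERN\r\n"


def _xor(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (reversible, not encryption)."""
    return bytes(b ^ key for b in data)


def pack(plain: bytes, key: int = 0x5A) -> bytes:
    """Build the stored form that would sit on mirrors and CDs."""
    if not 1 <= key <= 255:
        # A zero key would leave the payload unchanged in the archive.
        raise ValueError("key must be a non-zero byte")
    digest = hashlib.sha256(plain).digest()
    return HEADER.pack(MAGIC, key, digest) + _xor(plain, key)


def unpack(blob: bytes) -> bytes:
    """Recover the original file on the user's machine, verifying integrity."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated container")
    magic, key, digest = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("not an XOBF1 container")
    if key == 0:
        raise ValueError("invalid key in header")
    plain = _xor(blob[HEADER.size:], key)
    # Refuse to hand back a file that differs from what was packaged.
    if hashlib.sha256(plain).digest() != digest:
        raise ValueError("digest mismatch: container corrupted or modified")
    return plain


if __name__ == "__main__":
    blob = pack(SAMPLE)
    print("plain bytes present in stored form:", SAMPLE in blob)
    print("round trip ok:", unpack(blob) == SAMPLE)
```

Because the key and layout are stored in the clear, this only keeps the literal byte pattern out of the archive; it gives no confidentiality, and the digest check guards against corruption rather than a deliberate repackaging.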
