Re: opposition against clamav-data in debian volatile

To: debian-devel@lists.debian.org
Subject: Re: opposition against clamav-data in debian volatile
From: Hilko Bengen <bengen@debian.org>
Date: Mon, 21 Sep 2009 13:47:22 +0200
Message-id: <[🔎] 87skegcyet.fsf@msgid.hilluzination.de>
In-reply-to: <[🔎] 20090920212830.GA813@khazad-dum.debian.net> (Henrique de Moraes Holschuh's message of "Sun, 20 Sep 2009 18:28:30 -0300")
References: <[🔎] 20090917230205.48fd6e67.michael.s.gilbert@gmail.com> <[🔎] 4AB31891.3010407@debian.org> <[🔎] 8e2a98be0909180724m4121bcefo247a243b58ebacb1@mail.gmail.com> <[🔎] 4AB3A50B.8040201@gmail.com> <[🔎] slrnhb7bcn.uej.trash@kelgar.0x539.de> <[🔎] E1MovNj-00032x-Lf@swivel.zugschlus.de> <[🔎] slrnhb9vhh.5q0.trash@kelgar.0x539.de> <[🔎] E1MpNut-0004CJ-QR@swivel.zugschlus.de> <[🔎] 4AB645F5.6070605@debian.org> <[🔎] E1MpRcN-0006zu-WD@swivel.zugschlus.de> <[🔎] 20090920212830.GA813@khazad-dum.debian.net>

* Henrique de Moraes Holschuh:

> On Sun, 20 Sep 2009, Marc Haber wrote:
>> As long as you do not expect me to manually sign every single upload,
> Why not?  

ClamAV, like about every other antivirus scanner, is used to fight
rapidly moving targets. It relies on current -data files to provide any
kind of useful service to its users.

"Malware vs. Anti-Malware: (How) Can We Still Survive?"[1] may give you
a bit of an idea how fast the targets are moving.

I have written and maintained scripts that download signature file
updates for several commercial antivirus scanners and built packages for
them -- which is pretty much the same thing that clamav-getfiles does.
10 updates to the signature files per day are not uncommon in the
proprietary space and I'd be very surprised if things were any different
for ClamAV.

If it's really necessary to generate the signature with manual
intervention, we are going to need a 24/7 commitment by a group of
people to a response time of a few hours or less for every update.

> It is a package, it has root access anywhere it is being installed or
> removed. Even if you abuse the DM machinery to have a key restricted
> to only upload clamav-data, it would still be risky. 

There are only a few places from where malicious code could be executed
on behalf of the package creator: The maintainer scripts (preinst,
postinst, prerm, postrm, config) and any executables that may be part of
the package.

The maintainer scripts can be checked and stay constant across new
version, and the list of files shipped in the clamav-data package is
fixed. This stuff can easily be checked automatically between upload and
accepting the package into the archive.

I know that whenever I claim that something should be easy, people tend
to answer "show me the code", so there: If whoever in charge states that
my idea is acceptable, I'll be happy to implement limited checking of
pacakge contents in the archive software.

-Hilko

[1] http://av-test.org/down/papers/2008-02_vb_comment.pdf

Reply to:

Follow-Ups:
- Re: opposition against clamav-data in debian volatile
  - From: Philipp Kern <trash@philkern.de>

References:
- Re: Packages that download/install unsecured files
  - From: Michael S Gilbert <michael.s.gilbert@gmail.com>
- Re: Packages that download/install unsecured files
  - From: Patrick Matthäi <pmatthaei@debian.org>
- Re: Packages that download/install unsecured files
  - From: Michael S Gilbert <michael.s.gilbert@gmail.com>
- Re: Packages that download/install unsecured files
  - From: Tom Feiner <feiner.tom@gmail.com>
- Re: Packages that download/install unsecured files
  - From: Philipp Kern <trash@philkern.de>
- opposition against clamav-data in debian volatile (was: Packages that download/install unsecured files)
  - From: Marc Haber <mh+debian-devel@zugschlus.de>
- Re: opposition against clamav-data in debian volatile (was: Packages that download/install unsecured files)
  - From: Philipp Kern <trash@philkern.de>
- Re: opposition against clamav-data in debian volatile (was: Packages that download/install unsecured files)
  - From: Marc Haber <mh+debian-devel@zugschlus.de>
- Re: opposition against clamav-data in debian volatile
  - From: Luk Claes <luk@debian.org>
- Re: opposition against clamav-data in debian volatile
  - From: Marc Haber <mh+debian-devel@zugschlus.de>
- Re: opposition against clamav-data in debian volatile
  - From: Henrique de Moraes Holschuh <hmh@debian.org>

Prev by Date: Bug#547659: ITP: rephrase -- Specialized passphrase recovery tool for GnuPG
Next by Date: Re: Seeking advice on packaging of pion-net
Previous by thread: Re: opposition against clamav-data in debian volatile
Next by thread: Re: opposition against clamav-data in debian volatile
Index(es):
- Date
- Thread