[clamav-users] ClamAV 0.105 release candidate

Wed Mar 16 20:50:19 UTC 2022

I think you vastly overestimate the size of the audience that has that problem.

— 
Sent from my  iPad

> On Mar 16, 2022, at 16:23, Bowie Bailey via clamav-users <clamav-users at lists.clamav.net> wrote:
> 
> On 3/16/2022 12:35 PM, G.W. Haywood via clamav-users wrote:
>> Hi there,
>> 
>>> On Wed, 16 Mar 2022, Bowie Bailey via clamav-users wrote:
>>> On 3/16/2022 10:09 AM, Joel Esler via clamav-users wrote:
>>>> On Mar 16, 2022, at 5:35 AM, Gary R. Schmidt <grschmidt at acm.org> wrote:
>>>>> On 16/03/2022 20:19, Christoph Moench-Tegeder via clamav-users wrote:
>>>>>> ## Joel Esler via clamav-users (clamav-users at lists.clamav.net):
>>>>>>> 
>>>>>>> Can’t use wget.
>>>>>> 
>>>>>> Looks like "can't use anything which doesn't look like a web browser",
>>>>>> as BSD fetch hits the 403, too.
>>>>>> That's a major PITA on the BSD side (just like openSuse), but it
>>>>>> was working just fine at the time of the 0.104.2 release (and all
>>>>>> the time prior to that). Is there any reason behind making the source
>>>>>> (not talking about the database files) inaccessible like that?
>>>>> 
>>>>> Hanlon's Razor: "Never attribute to malice what can be adequately explained by neglect, ignorance, or incompetence."
>>>>> 
>>>>> With the added FLOSS variant, "or trying to show just how much smarter they are than everybody else.”
>>>> 
>>>> It was done because there are people that download the entire ClamAV package from the same every every 1 minute and do a complete reinstall.
>>> 
>>> Why not simply block the IP addresses that are doing excessive downloads?
>>> There can't be that many people who are doing constant rebuilds.
>>> 
>>> The system I use for building ClamAV has no GUI.  I download the files by grabbing the URL from my desktop and then pasting it into a wget on the build machine.  Am I going to have to make wget spoof its user-agent every time I need to update ClamAV? ...
>> 
>> I don't see much in the way of sympathy for a company that spends good
>> money on a content delivery network in order to provide a FREE service
>> to the community, only then to take flak from that same community when
>> they are obliged to prevent literally hundreds of thousands of what I
>> can only describe as scrotes from flagrantly abusing the service.
> 
> That was my point.  They are inconveniencing their users with a change that is unlikely to slow down these abusers for any length of time.
> 
>> Before grumbling about the implementation of the solutions, would it
>> not at least be reasonable to find out what the problems are?
> 
> I understand the problem.  I just don't see this as a good solution.
> 
>> How often do you update ClamAV?  It must be all of a thirty-second job
>> to write a user agent string, and e.g. pop it in a 'bash' alias.
> 
> And all of the people who are doing excessive downloads will spend the same 30 seconds and then be back in business.  So what has been gained?  A few days or weeks of reduced server load until they all update their scripts and then you are right back where you started.
> 
> At the same time, every ClamAV user (new or existing) that wants to download from the command line will have to spend time figuring out why they are getting errors trying to download from the published links.  Since this software is designed to be used on a server, that will probably be a decent percentage of the user base who are all going to have to figure out this undocumented issue (since documenting the work-around would kind of defeat the point).  I would bet that quite a few prospective new users will simply give up on ClamAV and assume the website is broken when they keep getting "403 forbidden" on the downloads.
> 
> -- 
> Bowie
> 
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml