----- Original Message -----
From: "Fred A. Miller" <fmiller@lightlink.com>
To: "opensuse" <opensuse@opensuse.org>
Sent: Tuesday, July 08, 2008 1:16 PM
Subject: Re: [opensuse] Re: A BIG "show stopper" for openSUSE at the corporate level anyway!!

Jim Henderson wrote:
On Tue, 08 Jul 2008 03:41:25 +0200, Carlos E. R. wrote:
At worst, you can only do damage to your own user. No big deal. Next time you will be more careful :-P
Arguably, Carlos, damaging files in your own user home directory is the bigger deal. I don't know about others here, but I can replace my OS; I can't replace my documents.
Quite right, Jim. Carlos is smug about this whole issue, but because of Linux's popularity, we WILL SOON have much more of this to deal with. On-access filtering IS the correct answer when your mail isn't being fed through your own or business email server software. Here again, in particular for newbies, it MUST be working out-of-the-box - easy for them to install and set up.

I think you are just plain wrong about this. You can stop picking on Carlos. Many people who are smarter than you or I share the same opinion on this topic. (It could also be argued that smarter people than me wrote dazuko, *shrug*)

Universal, kernel-level, on-access scanning is a horrendous kludge patch slapped onto an otherwise insecure and fundamentally insecurable os (windows). It's necessary there because the underlying os is not capable of promising actual security. To make linux or any *ix do that is retarded.

Otherwise, why stop at files? If the on-access argument is valid, then so is memory access, and nic traffic, and serial traffic, and keyboard input, etc... Take the on-access argument to its next logical progression and have memory access scanning. But, what will scan the memory before it's accessed? Code stored in other memory. Better scan _that_... never ending and basically not sane.

The sane approach is make the kernel able to make certain promises, and all of kernel and userspace can safely make assumptions based on that. In the case of linux, barring the usual exceptions of plain bugs which all software has including virus scanners, the kernel can and does make those promises, and so it is perfectly safe to build the rest of the system on top of that and so only certain files ever need to be scanned and those only need to be scanned during certain operations, not every access by the kernel.

Files in a samba share can be scanned _by samba_ or by an agent samba invokes, as they are being written or read _via samba_. Any other files and subsystems can have a similar targeted scanning module, such as postfix, etc..

You are right that software should do a better job of "just working", but you should probably not try to meddle in basic system design. Instead, openSUSE, if it's going to declare that dazuko is not a proper design and will not be supported, should probably just remove all rpms and dependencies rather than have broken ones in the repos.
And place an explanation in the release notes.

Let MS do on-access scanning. The fact that it needs to is just part of why that os sucks. We do not need to emulate it.

--
Brian K. White brian@aljex.com http://www.myspace.com/KEYofR
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!