Does the "Update Assistant" panel make sense? #91
Comments
|
Hi, Thank you for the feedback. Here's the problem I was faced with: antivirus signatures (for ClamAV, on Linux) are stored in directory writable only by root. And for the most part, that's fine. Except... users expected to be able to update the signatures when they wanted to, like a commercial AV on Windows. It finally dawned on me that you can specify where you download and place the signatures - and the user can control the signature updates if they're placed somewhere like... the user's personal clamtk directory (~/.clamtk). If you use a system where there are multiple users, it makes sense to just use the signatures that root will download. So this was an attempt to fit both of those "needs". At the time, Fedora (and other rpm-based systems) didn't come with an easy-to-setup signature updating configuration file. You had to tweak it a little as root, while some distros came with packages that enabled automatic signature downloads. That part sounds nice, except users didn't know that, and some were likely downloading it to their home directory while the system continued downloading them to the /var/lib/clamav directory. The scheduler will only work for a regular user if they've chosen "manual" updates, while if root does it, the updates are scheduled to download to (e.g.) /var/lib/clamav. Okay, so getting to the point :), the update assistant was the "easy" way to jump back and forth if needed to downloading them manually because you wanted to, or assuming the system was doing it for you and choose that option. I was trying to allow for different choices across distributions that are not in-sync with their packaging. So after reading that, would you still propose changes? And if so, how?
respectfully, |
|
Dave M wrote:
Thank you for the feedback.
You're welcome, and thanks for the explanation! Sorry for the delay in
replying.
I think what you've written should be a part of ClamTk documentation.
Okay, so getting to the point :), the update assistant was the "easy"
way to jump back and forth if needed to downloading them manually
because you wanted to, or assuming the system was doing it for you and
choose that option. I was trying to allow for different choices across
distributions that are not in-sync with their packaging.
Perhaps if ClamTk came with clearly-stated packaging requirements, ClamTk
could move all update scheduling (including turning auto-update on/off) to
one panel (more on this idea below).
So after reading that, would you still propose changes? And if so, how?
1. remove the user's choice, and assume the system will do it? (most, I
think do this now)
I think this is a good choice, so long as it is clearly stated to all
packagers that this will be expected of them to handle. Overall, it seems
to me that with simpler goals and some clearly-stated expectations from
packagers, perhaps ClamAV could be auto-updated and switch to providing a
UI to more easily control that updating while integrating with whatever the
system provides?
Or how about supplying auto-updater examples for common updater commands
for schedulers people use today (cron, systemd, etc.) so packagers can find
a working example configuration file to install in the right place to make
ClamAV auto-update, and then ClamTk could focus on reading the current
state of ClamAV to determine if it's up-to-date or not?
Or how about a panel one must unlock (ala MacOS system preference panes)
where all ClamTk users can read how the scheduler is set to handle updates,
but to change that schedule or turn auto-update on/off, one unlocks the
ClamTk pane, makes the change they want, and commits the setting?
Would this eliminate the need for a signature file in their homedir (which
struck me as a workaround for letting a non-root-running ClamTk handle
updates)?
Thanks for ClamTk and your consideration.
|
|
I'm running Ubuntu 17.04 and just installed ClamTk. I've tried out ClamTk before and always get confused that the automatic updates never shows any new signatures.
The ui doesn't say I have any signatures installed so I assume the program is broken, has no updates and doesn't work, so I uninstall at this point. Maybe I'm thinking too simplistically, but why not just have ClamTk always open with elevated priveleges? Or at least show the definitions last update time and version in the user ui? That's all I need to think it's up-to-date if it's set to autoupdate. I just don't understand why the ui doesn't read something that tells it what definitions version its on instead of simply showing a zero. Can it not read that information because it doesn't have security to read what definitions are installed? |
|
Hi,
Sorry about the delay; I had Ubuntu 17.04 in a VirtualBox but it prompted me for an update, so I did that.
Please clarify - are you saying you're not sure if it needs updates, or ClamTk itself is telling you with the warning at the bottom that it can't find any signatures?
I don't think that would be good from a security perspective. If you read the above posts, once I figured out you can save sigs in the user's home directory (thereby allowing the user to update sigs at their own discretion), we did away with the need for root/sudo at all.
Ok, so you want something up front, upon startup, with a notice that the sigs are updated and/or the date of the sigs? That's probably doable. Can you clarify if that's what you mean? Right now, there are warning bars (by color) if there are issues - but I may be able to add a (e.g.) green bar at the bottom, have it display the information for a few seconds. Hopefully i got the gist of your post. Please let me know if I'm off, and if the intended solution would be beneficial. respectfully, |
|
If I log in as a standard user and my av signatures are set to auto-update, the signature version simply shows as zero and it's out-of-date. I can opt to change from auto-update to manual update and then I can update my av signatures but as a standard user perspective, at least on Ubuntu, I don't see that the auto-update is automatically updating av signatures. |
This is the part that is throwing me. I haven't seen the "zero signatures" thing in years. Check the attached screenshots - this was 17.04, updated to 17.10, and ClamTk only installed to ensure it worked properly prior to release. In other words, no changes at all, and it's just working. The auto-update part happens through ClamAV, not ClamTk, so I don't have much control over that. The only thing that I can think of offhand is to have ClamTk remember what its signatures were upon shutdown, and if they've changed when ClamTk starts up again, notify the user. Is that right? respectfully, |
|
I guess that makes sense |
|
Hello! I would like to know something about this. When you say about having signature files for an user, you mean something like allowing the user to have signatures not installed by the system? When using Windows at home, you normally have an user that can run stuff as admin (because admin privileges account). Isn't the AV something run by the system? It has "admins operations", but not for a normal user, just by the "admin" user. The "regular" user can only run checks, he can't disable the AV for a brief moment or update it. Is this correct? (I have not used windows since 2010, and the last thing I can remember is that I could not do anything in my school PCs like shutting down the AV -- NORTON or something like that). Besides that, clamav has an update tool that runs like a systemd service to self update. It has for debian, fedora, arch and ubuntu. Extra signatures are normally packages from the distribution. If you want to give users the power to have extra signatures, then call it a feature and finish this. If you have root on a computer and the signatures were outdated, wouldn't be better to update the signatures from the system? Now, if you meant to replace the system update and it had to be done like this because you did not want to use sudo/pkexec, you could go to a solution like the two terminals in ubuntu 12.04:
Just my two cents on this. Feel free to disagree and comment on anything. Thanks for the attention! |
@denisfa - to be clear, this means having users keep their own copy in their home directory, so they can update the signatures themselves. By default, users don't have access to the antivirus signature directory (usually /var/lib/clamav and some other variations). With most distributions now, signatures can automatically be updated. It's possible this feature (i.e., letting users update) is no longer needed. The possible solutions you've listed for sudo-like functionality look interesting too. But is this still needed (see last paragraph)? respectfully, |
|
Hey,
I understand. I agree it does feel not needed at all now. But at the same time I see clamtk as a gui for clamav, in the same you described AV for windows. It will still be like that, but more as a non-admin user AV of windows (if the NORTON stuff I described is correct; I will setup a VM and check this). All the updates fit this part actually; they may be not needed at all. Thanks for the attention! |
I'm using ClamTk version 5.24 on Debian GNU/Linux.
When I look at the Update Assistant panel I see two choices in a radio button (pick at most and at least one):
If I set "I would like to update signatures myself" and use the scheduler panel to set an update schedule, I can come back to the update assistant panel and pick either option even though only "My computer automatically receives updates" makes sense now. If I remove my scheduled update I can select "My computer automatically receives updates" even though that might not be true. Both options seem completely disconnected from signature updating and the scheduler appears (to me) to implement all the signature update functionality one needs.
This leads me to wonder what is the point of the update assistant panel?
Perhaps the scheduler signature update portion should be removed and the update assistant panel becomes the way the user sets the signature update time. Therefore the first option should change to read:
My computer automatically receives updates at [time setting].
Where "[time setting]" is some UI that lets the user pick the time when a signature update attempt is made.
Or perhaps the update assistant panel should be removed entirely because its entire functionality (as far as I can tell) is already implemented in the scheduler.
I could be missing something about the update assistant panel. If so, I hope someone could explain what I'm missing or point me to documentation where the purpose of this panel is explained.
Thanks.
The text was updated successfully, but these errors were encountered: