Slashdot Mirror


ClamAV Forced Upgrade Breaks Email Servers

An anonymous reader writes "A couple of weeks ago Sourcefire announced end-of-life for version 0.94 of its free ClamAV antivirus package (and in fact has been talking about it for six months). The method that Sourcefire chose to retire 0.94 was to shut down the server that provided its service. Those who had failed to upgrade are scrambling now. Many systems have no choice but to disable virus checking in order to continue to process email. I am very glad I saw the announcement last week!"

11 of 299 comments

  1. Alternative by InsertWittyNameHere · · Score: 4, Insightful

    The alternative was them not doing anything and then months later we see a story about how "ClamAV silently stops support. Virus outbreaks ensue."

    1. Re:Alternative by Anonymous Coward · · Score: 5, Insightful

      It's kind of an inflammatory article:

      Rather than simply phase this geriatric version out (it was at least one year old, revised to versions .95 and .96 since release, and announcements about the need to upgrade had been made for six months) the development team put to halt instances of V0.94 in production

      So, it's a year and two versions out of date AND they'd been saying for 6 months to move off it.. Yet still it's their fault for shutting down the server!? I'm sorry, but how much support do you want for something that's free?

    2. Re:Alternative by HarrySquatter · · Score: 4, Insightful

      Would you trust an email server that is running a virus scanner that is more than a year out of date?

    3. Re:Alternative by Jiro · · Score: 4, Insightful

      It may not have occurred to you that some of us only do IT for our organizations part time, and visiting the blogs of every single open-source component on our servers is not always practical.

      The issue has nothing to do with your servers, really; it has to do with their servers. If you're using a free service on someone else's servers, you really can't be surprised when that service suddenly stops functioning. It's not your equipment.

      And I would wager that while visiting the blogs of everything on your servers isn't practical, visiting the blogs of (or subscribing to a mailing list, or other monitoring of) everything that's on your servers but uses someone else's servers is practical.

  2. So you had 6 months to upgrade by gparent · · Score: 5, Insightful

    And you didn't, and now are going to complain when shit doesn't work? Go fuck yourself.

  3. [clamav-announce] by 0racle · · Score: 4, Insightful

    It exists for a reason.

    --
    "I use a Mac because I'm just better than you are."
  4. this is common by digitalsushi · · Score: 4, Insightful

    This is what we get when we're all our own "netadmins". I'm one of them. I don't follow security lists. I don't upgrade my products. Why not? Because I'm not really a netadmin. I just have a little server that runs until it breaks. I think that's the difference between a netadmin and a fake netadmin -- a fake netadmin like me reacts. A real netadmin is proactive.

    Which honestly, as pathetic as it sounds on the surface, works fairly well when your data and uptime don't matter. Because it's not pathetic because I have better things to do with my time than "run the family webserver".

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  5. No fallback ? by morcego · · Score: 4, Insightful

    People with critical servers that don't have fallback configurations to handle this kind of thing deserve to have their servers shut down.

    I've been using 0.95 for some time now, so none of my servers were affected but, even if they were, my servers are smart enough not to interrupt the services, and to notify me.

    It is really disgusting the way people build servers these days. They think all they need to do is to install a couple packages, change a couple config lines and boom, the server is ready. They are getting what they asked for when stuff like this happens.

    --
    morcego
  6. Re:It's not like they didn't tell... by mysidia · · Score: 4, Insightful

    SUPPORT WILL END does not imply killing instances in production. It implies you stop delivering support services (such as tech support or new updates).

    How would you feel if the Ubuntu folks delivered a 'security update' to Ubuntu 8.x to disable your system entirely, until you can get a chance to go install a non-EOL'd major release of your OS?

    How about all those Windows Vista users who haven't upgraded to Windows 7?

    Firefox 2 users who haven't upgraded to 3.

    Users who are still using IE6.

    Would users trust the vendors anymore with auto-updates, if they all released updates to 'kill the old product' in order to force you to manually do a clean upgrade?

  7. Re:*Correction* by Anonymous Coward · · Score: 5, Insightful

    Wow. They could have just stopped publishing updates for older versions; they do have some method of versioning, right? Older installations could have kept chugging along using the older definitions and newer installations could get the newer definitions. But to remotely *DISABLE* older installations? I don't care if the product and service is free or not; that is pretty fucked up.

  8. Yes, they did the right thing... by Slipped_Disk · · Score: 4, Insightful

    As someone who was bitten by the issue (yeah, I'll man up and admit it - my company's mail server went wonky for about a half hour while I upgraded) I agree -- they pretty much did the right thing.

    There was plenty of notice -- The fact that many of us weren't on the clamav-announce list is OUR fault, not theirs.
    A kill command may not be the most "polite" way of retiring an old version of software, but for a free service I certainly don't expect them to invest huge amounts of time and money in figuring out how to support the old stuff forever.

    --
    /~mikeg