Installing the ClamAV local RPM in Silverblue?

My wording could be better :sweat_smile:, I just meant that for example if my favorite VPN developer had an rpm and fedora packagers wrote their own version that interacted better with the system, I would still prefer the rpm from the original developer. Most software, I wouldn’t care strongly either way but with security stuff I do.

Thanks, I’ll share the link here so that others can reach it too:

Well, every RPM you install could contain malware. Doesn't matter what the package SHOULD do.

And a lot of stuff is security relevant, like most of the system. If your time sync is bad for example.

I mean, sure? I don’t think I understand your point here. Pretty much anything can contain malware, on that we can certainly agree.

I just prefer getting such software from the original developers. I don’t especially distrust Fedora packagers, the opposite if anything.

I would argue that is more of a generally applicable and/or required tool than a VPN. I don’t think most people or their respective developers would put them in the same category.

Is there a better way for me to distinguish tools such as VPNs and anti-viruses from time sync and tar? Personally, I don’t see the latter group the same as the former. I’d also argue that we’re all more scared with the latter, as seen in the somewhat recent tar attack, since they’re so foundational.

Would you prefer the term “dedicated security software”? It is a bit of a mouthful though. I’m eager to learn how I may better express myself, so please share your preferred expression if you have one.

“Shiny security tools” maybe

You mean xz? Or was there one on tar too? Good example of how a random piece of software can do something entirely different

:laughing:.

Yeah, I somehow mentally registered that under tar :sweat_smile:

There is a fine line between paranoid and adequately suspicious.

It is a fact that fedora packages software provided from upstream.
It is also a fact that tiny tweaks may be required to ensure each software package works properly in the fedora environment, with newer kernels, etc.

Installing from the upstream source has at least 2 negative factors.

  1. It is effectively from a 3rd party repo and is not kept updated and in-sync with fedora packages.
  2. It does not contain any tweaks to tailor it for fedora so there may be some issues with function as a result.

In general, if the same package comes from fedora you can usually be assured that it is 1) the same as gotten from upstream, and 2) should work without modification, and 3) is every bit as secure as the original.

Even when a bug is reported the fix comes from the upstream source so everything always is the same as upstream.

The great majority of what fedora does (as a rule) is to test new updates and confirm they work as expected before pushing them out to users. For many (if not most) software packages fedora does nothing to what is received from upstream except to ensure proper packaging as rpms.

I am not a fedora admin or developer and this info is what I have gleaned from years of using fedora and observing distribution and communications.

2 Likes

Thanks for the explanation.

To be clear, I’m not suspicious of Fedora packagers for ClamAV. This is just a preference I’ve developed after witnessing dedicated security software developers disagreeing over the preferences within or around their software with distro maintainers. Sometimes developers have diverging interests and/or desires with distro maintainers, that is entirely natural and something we all learn to navigate in our own way.

This is why I try to follow developer preferences over packager preferences with certain software. It isn’t a matter of doubt over the packagers’ intentions. It’s just that I prefer following the original developer when it comes to security software because with them, I believe it worthwhile to risk some incompatibility or time.

Some of those are identical, some have minuscule differences that help it work better in Fedora. Sticking to my principles is easier than checking them all.

1 Like

If you just needed to scan something in your user’s home directory could you use a toolbox for something like this?

If you are referring to Debian or specifically the Debian+KeepassXC debacle…

  • fedora is not keeping packages artificially outdated and backporting what developers tagged as security fixes. “Stable” distros have use cases but are fundamentally flawed, and Fedora is not stable.
  • fedora does not apply such subjective changes I suppose

Then you would use Fedora software AND a container. Why not try clamd and see if that installs?

The @clamav COPR doesn't seem up-to-date, but anyway, a response from them would be helpful too.

ClamAV in Podman without sudo
$ ./clamav.sh /tmp/test_dir

Trying to pull docker.io/clamav/clamav:stable...
Getting image source signatures
Copying blob 0ee1fbfa8da7 skipped: already exists  
Copying blob 5e67a26e688a skipped: already exists  
Copying blob 2360db1e9ffb skipped: already exists  
Copying blob fc90846f3868 skipped: already exists  
Copying blob d7176c5de2c5 skipped: already exists  
Copying blob 2fc7f9a5be54 skipped: already exists  
Copying blob 1f3e46996e29 skipped: already exists  
Copying config 759b4742e8 done   | 
Writing manifest to image destination
WARNING: Can't open file /scandir/grubx64.efi: Permission denied
/scandir/20250209.pdf: OK
/scandir/f42-01-night.jxl: OK

----------- SCAN SUMMARY -----------
Known viruses: 8704164
Engine version: 1.4.2
Scanned directories: 1
Scanned files: 2
Infected files: 0
Total errors: 1
Data scanned: 3.51 MB
Data read: 5.63 MB (ratio 0.62:1)
Time: 14.214 sec (0 m 14 s)
Start Date: 2025:02:12 07:34:58
End Date:   2025:02:12 07:35:12
 
$ ls -lathri /tmp/test_dir

total 5,7M
19952 -rw-r--r--.  1 hricky hricky 268K  9 фев 12:42 20250209.pdf
19958 -rwx------.  1 root   root   3,9M 11 фев 00:45 grubx64.efi
19969 -rw-r--r--.  1 hricky hricky 1,6M 11 фев 11:02 f42-01-night.jxl
19946 drwxr-xr-x.  2 hricky hricky  100 11 фев 11:04 .
    1 drwxrwxrwt. 22 root   root    440 12 фев 08:35 ..


$ sudo chown hricky: /tmp/test_dir/grubx64.efi 

$ ./clamav.sh /tmp/test_dir

Trying to pull docker.io/clamav/clamav:stable...
Getting image source signatures
Copying blob 0ee1fbfa8da7 skipped: already exists  
Copying blob 1f3e46996e29 skipped: already exists  
Copying blob fc90846f3868 skipped: already exists  
Copying blob d7176c5de2c5 skipped: already exists  
Copying blob 2360db1e9ffb skipped: already exists  
Copying blob 2fc7f9a5be54 skipped: already exists  
Copying blob 5e67a26e688a skipped: already exists  
Copying config 759b4742e8 done   | 
Writing manifest to image destination
/scandir/grubx64.efi: OK
/scandir/20250209.pdf: OK
/scandir/f42-01-night.jxl: OK

----------- SCAN SUMMARY -----------
Known viruses: 8704164
Engine version: 1.4.2
Scanned directories: 1
Scanned files: 3
Infected files: 0
Data scanned: 7.63 MB
Data read: 5.63 MB (ratio 1.35:1)
Time: 15.088 sec (0 m 15 s)
Start Date: 2025:02:12 07:35:48
End Date:   2025:02:12 07:36:03

podman container run --privileged — Podman documentation

ClamAV in Podman without --privileged
$ cat clamav.sh

#! /usr/bin/env bash

podman container run \
    --pull=always \
    --rm \
    --mount "type=bind,source=${1},destination=/scandir" \
    docker.io/clamav/clamav:stable \
    clamscan /scandir
 
$ ./clamav.sh test_dir

Trying to pull docker.io/clamav/clamav:stable...
Getting image source signatures
Copying blob 0ee1fbfa8da7 skipped: already exists  
Copying blob d7176c5de2c5 skipped: already exists  
Copying blob fc90846f3868 skipped: already exists  
Copying blob 2360db1e9ffb skipped: already exists  
Copying blob 5e67a26e688a skipped: already exists  
Copying blob 2fc7f9a5be54 skipped: already exists  
Copying blob 1f3e46996e29 skipped: already exists  
Copying config 759b4742e8 done   | 
Writing manifest to image destination
/scandir: Can't open directory.

----------- SCAN SUMMARY -----------
Known viruses: 8704164
Engine version: 1.4.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Total errors: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 13.414 sec (0 m 13 s)
Start Date: 2025:02:12 09:21:20
End Date:   2025:02:12 09:21:34

As I already mentioned, I am not familiar with ClamAV. The examples using Podman are just for a quick test and there are probably more efficient container configs.

1 Like
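
An added example, not part of the original post or of the ClamAV project: a variant of the `clamav.sh` above that scans without `--privileged`. It assumes the `Can't open directory` failure is an SELinux label denial on the bind mount (the usual cause on Fedora); the function names and the `PODMAN` override variable are hypothetical.

```shell
#!/bin/sh
# Added example: least-privilege variant of the thread's clamav.sh.
# Assumption: the unprivileged run fails because SELinux denies the
# container access to the bind-mounted directory.

PODMAN="${PODMAN:-podman}"               # hypothetical override, lets you inspect the command
IMAGE="docker.io/clamav/clamav:stable"   # image used in the thread

# Resolve the argument to an absolute, existing directory; refuse anything else.
resolve_dir() {
    [ -n "$1" ] && [ -d "$1" ] || return 1
    (CDPATH= cd -- "$1" && pwd -P)
}

# Run clamscan over one directory with only the access the scan needs.
scan_dir() {
    dir=$(resolve_dir "$1") || { echo "not a directory: $1" >&2; return 2; }
    # --mount takes comma-separated fields, so a comma in the path is rejected.
    case $dir in *,*) echo "comma in path: $dir" >&2; return 2 ;; esac
    # label=disable: no SELinux separation for this container only, no relabelling
    # ro=true:       the scanner cannot modify the files it reads
    # network=none:  clamscan uses the signatures shipped in the image
    "$PODMAN" container run \
        --rm \
        --pull=always \
        --network=none \
        --security-opt no-new-privileges \
        --security-opt label=disable \
        --mount "type=bind,source=$dir,destination=/scandir,ro=true" \
        "$IMAGE" \
        clamscan --recursive /scandir
}

# Only scan when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

`--security-opt label=disable` leaves the host file labels untouched, unlike relabelling the directory through the mount, which is a poor fit for /tmp or a home directory. Running with `PODMAN=echo` prints the command line instead of executing it.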

Huh? Fedora seems more willing to make exceptions and let certain things update and roll compared to something like Debian, but in the end isn’t keeping things (slightly) outdated exactly what it does?

Thank you very much! I appreciate your concise answers

Alright, I’ll try and continue with this. Once I can reach a satisfactory config with full features, I’ll also post it here so that others can have an easier time.

No matter what the intent, I don’t think there is any alternative to a built in delay.

It takes time for software to travel from the upstream developer to fedora, then for packaging and testing. All of which must be done before release of the updates.

2 Likes

Toolbox lacks a few QOL features that generally discourage me. Distrobox works for basic clamscan but not much else. You really need the system call, connecting to ports, etc for other features of ClamAV.