Project Status

[stevenlafl]

Hello,

I'm willing to support the continued development of this project. I'm not looking for any special treatment here other than a priority look at PRs and some information to help me collaborate.

The current roadmap states one item left to finalize 0.4.0

• Technical: Releases in .x64.deb, .x64.dmg, and .x64.msi formats

Questions:

1. Are there any special things you want to account for with .deb, .dmg or .msi releases? Have you confirmed this does work cross-platform or does that need validation?
2. Are there any other items until 0.4.0 can be released?
3. Would you like assistance in setting this workflow up?
4. There are also numerous PRs that should be closed or addressed manually.

[ivangabriele]

Hello!

I indeed didn't work on the project for a long time but restarted a few weeks ago. The currently checked boxes are misleading because I in fact need to complete the security schemas and then implement them. This is a full embedded antivirus, not just some random GUI for a common webapp like Discord or Spotify. So it requires a lot of careful thinking if we (I) don't want to release anything that could pose a serious risk to end-users.

I will also update the description because ClamAV Desktop is not just a GUI, it's a fully-fledged antivirus using ClamAV engine.

Security patterns are extremely complex: it's really easy to leave vulnerable blind spots when we don't master how each OS files and execution architecture work.

I would love to get help if any of you are experienced:

• with Rust (or similar low level languages like C++, etc)
• and/or OS native layers
• and/or as macOS/Windows desktop app developers

Where I need help is:

• Security Architecture (FS, permissions, execution strategy)
• Core and Daemon in general
• ClamAV Embedding (sidecars), even though I solved most issues there
• CI
• E2E Testing, even though — same — I solved most issues there
• Helping users with debugging
• Technical documentation (anything that can help devs contribute and tinker with the project)

Just beware I'm quite attentive to good practices, Git, and CI workflows 🙃.

There is a big difference between coding a first release, and properly handling issues + maintenance + deployment across dozens of platform setups, replying to users, etc.

I just opened a Stoat server in case you want to chat about contributing: https://stt.gg/xH2w834e.

Regarding forking, it's open source, so anybody is free to do it 😌. I see you already did it anyway Steven so I wish you good luck if you plan on going on with your own version. This is the soul of OSS!

A note on LLMs (which I love since I'm slowly becoming an LLMOps myself): I would strongly advise against vibe-coding an antivirus though, especially the Rust core and daemon parts unless you want to end up distributing a walking "security cheese" to unaware end-users. That's just a personal advice.

Poke @bluehysteric, @s-b-repo, @OMPT, @RokeJulianLockhart since you were on the discussions I marked as duplicates.

[stevenlafl]

Hey. I saw the roadmap and drafted code all the way to 0.5.0 while you were away. There's not much there in the fork as I kept it locally. I took a long look at the architecture and made a lot of decisions.

For example, I wanted to prefer system binaries if they exist (package install of clamav) and use only clamd. I just connect to it over TCP and tell it to scan. The daemon runs clamd now automatically. The idea is to allow for existing config and support on-access scanning.

Regarding "vibe coding" that isn't something I do except for rapid prototyping. I saw it was inactive and really wanted to get it going. But seeing you're doing it now it's better to have things reviewed in a real setup.

As for my experience mostly C++ and typescript but I like Rust. Not a problem. You'll see a metric ton of that in my profile dating back to before AI existed.

What I can do now is treat it as a learning experience, start over with it as a potential roadmap and collaborate on tasks. I don't want to take it and run, I will help where you need.

[ivangabriele]

I indeed saw you have quite some experience on your GitHub profile which I guess only represents part of your dev experience.

And I also think it's better to join our "forces". Once I won't be not the only core contributor for some time, it will even make more sense to move this project into its own organization.

If that's fine with you, I would suggest to:

1. Write down a todo list focused on the quickest path to a safe-enough and usable release.
2. Draw some (mermaid) schemas regarding the concerns, files, and permissions architecture (particularly around the daemon access and communication, and the quarantine directory).
3. When possible, keep our PRs short (you know the drill!) to make reviews and progress easier.

For the global design around ClamAV, that's a major question. As you already guessed, my wish is to make ClamAV Desktop installable and ready-to-use for anybody, especially non-tech users. And I have the feeling it's not far from that (the sidecars already compile and build without any issue on each OS from what I tested so far).

We can challenge this wish, but it would almost make it an entirely different project which would mainly use the UI part of this one, a sort of cross-platform ClamTK. I also admit it would make it a bit less interesting for me 🤔 (my secret hope being that, someday, ClamAV replaces most popular closed-source antiviruses).

[GOMpt]

@ivangabriele @stevenlafl

Wonderful to hear that this project is moving ahead and thank you both for the recent work on it. Hopefully the two of you can work together to get this up and running before too much longer. If I knew more and had more time, I'd happily help out but sadly I have neither time nor skills. Looking forward to watching the progress.

[bluehysteric]

That's great—the project is still ongoing. And we have new people joining us.It would be even better if we could package it as an Arch package.

[bluehysteric]

@stevenlafl Can you build an Arch package? There are missing dependencies after the DEB conversion.

[s-b-repo]

TBH just use claude mythos when it releases and opus i have been doing it with my hacking framework

[GOMpt]

@stevenlafl @ivangabriele A quick question, How is the progress going to revive this project? I am sure many other Linux users would be keen to use this. I've abandoned clamav-gui. It's resource heavy and appears to target MS users.