[Openvas-discuss] OpenVAS - ready to try? Or not?

Michael Wiegand michael.wiegand at intevation.de
Wed Jul 9 09:14:45 CEST 2008


On Wednesday, 9 July 2008 03:43:02, Rodney Thayer wrote:
> I just tried installing OpenVAS.
> It didn't work.

I'm sorry to hear that. But thank you for taking your time to give us 
feedback! I am not very involved in the packaging for Debian myself, but 
maybe I can help to explain some issues from a developer POV.

> 1. you are not keeping interfaces compatible
> AND you are implying you are keeping interfaces compatible.
> OpenVAS client 1.0.3 is not compatible with 1.0.4, as far
> as I can tell.

Could you be more specific as to which interfaces you mean? The GUI or the 
CLI?

There were a few changes in the GUI, mainly due to the removal of obsolete 
features like non-SSL connections.

The command line parsing for the CLI was completely reworked in 1.0.4, but 
should behave like 1.0.3 and even fixes some options that were broken or 
unusable since Nessus times. If you spotted some differences there, please 
let me know.

> The original theory of revision numbers said "if it's three
> tuples, the third one is minor changes".  So 1.0.3 -> 1.0.4 being
> incompatible is not to be expected.

I agree. We are still in the process of fixing issues in the code we inherited 
from Nessus, so it is quite often a close call between staying as compatible 
as possible while fixing issues and repairing functionality. Likewise, a 
change that looks minor from the developer side might sometimes inadvertently 
lead to not-so-minor changes from a user perspective. Again, I'd love to 
hear more about the inconsistencies you spotted.

As you can see in the change requests on the OpenVAS website, there are some 
changes in store for OpenVAS-Client that are most certainly no minor changes, 
so the next release will be 1.1.0.

> 2. You seem to be renaming the client.  Is it OpenVAS-Client?
> Is it openvas-client?  What is it called now, for what revision
> of now?

Thanks for spotting this; to me, OpenVAS-Client is the name of the client 
itself (and of the executable) while openvas-client is the name of the module 
containing the client. I do not know if all other developers see it this way; 
I agree this might be confusing, but we are trying to get to a consistent 
naming scheme soon, so please bear with us.

> 3. when it fails the client just blurts out some dialog boxes
> and fails.  No logging, no messages you can troubleshoot,
> no debug mode, no verbose mode.  So if you fail login, you're screwed.

Again, the sparse to non-existent error messages are mostly a relic from 
Nessus times. We are trying to provide better feedback to the user in case of 
errors as you can see in 1.0.4, but this will take some time.

You could help improve this situation by telling us where you found unhelpful 
error messages or where messages are missing.

> 4. creating users doesn't quite work.  with the packages (that don't
> work) you can create users with passwords.  with the source
> currently you create users and it insists on halfway trying to create
> certs, which then don't work (and you can't troubleshoot it because
> there's too little help from the client - see #3).

Users can be created using the openvas-adduser command provided by the 
openvas-server module. If you found an error there, please report it to the 
openvas mailing lists or better yet, to our bug tracker at 
http://bugs.openvas.org.

You will be pleased to hear that improved documentation is on its way; we had 
to remove some of the Nessus documentation from OpenVAS due to licensing 
issues.

> Who said I wanted a graphical client, anyway?  What's wrong with a
> command line client?  At least then I could get angry in my own
> dev environment and insert printfs to figure out what the blazes you
> people are doing ;-)

You don't have to use the GUI. OpenVAS-Client does work from the command line; 
the man page or the --help option will provide you with more information.

You can even compile the client without any GTK support; I don't know if it 
makes sense to package the non-GTK version separately. Maybe someone involved 
in the Debian packaging might be able to shed more light on this.

> So.  It doesn't have packages, and it doesn't work, and it's
> hard to troubleshoot.

Again, I'm sorry to hear that. But you are already helping us a great deal to 
provide you with a working version by reporting these issues.

> Does this stuff work for someone, in some configuration?

It does work for me. :)

> Are there debian packages, for the whole thing?

Not for the "whole thing" AFAIK. You can get more information about the 
current state of affairs from the OpenVAS website at http://www.openvas.org/.

> How are you supposed to troubleshoot client login problems?

Again, due to the bad/non-existent error messages this can be difficult at the 
moment. But please keep on reporting the issues you find to the mailing list 
or the bug tracker and we will try to help you. If you use IRC, you might be 
able to find some of us in #openvas on irc.oftc.net.

> If there aren't packages, is there information on building from source (with
> for example the list of packages you have to install first on
> Debian to get it to configure/compile)?

You can find information on this at http://www.openvas.org/openvas-server.html and 
http://www.openvas.org/openvas-client.html.

Thank you for your feedback, I hope I was able to help you at least a little. 
Please be aware OpenVAS is currently a work-in-progress, but we are trying to 
achieve progress as quickly (and as compatible) as possible. :)

Regards,

Michael

-- 
Michael Wiegand                                   OpenPGP key: D7D049EC
Intevation GmbH, Osnabrück                    http://www.intevation.de/
Osnabrück District Court, HR B 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


