[Openvas-discuss] OpenVAS - ready to try? Or not?
michael.wiegand at intevation.de
Wed Jul 9 09:14:45 CEST 2008
Am Mittwoch, 9. Juli 2008 03:43:02 schrieb Rodney Thayer:
> I just tried installing OpenVAS.
> It didn't work.
I'm sorry to hear that. But thank you for taking your time to give us
feedback! I am not very involved into the packaging for Debian myself, but
maybe I can help to explain some issues from a developer POV.
> 1. you are not keeping interfaces compatible
> AND you are implying you are keeping interfaces compatible.
> OpenVAS client 1.0.3 is not compatible with 1.0.4, as far
> as I can tell.
Could you be more specific as to which interfaces you mean? The GUI or the
There were a few changes in the GUI, mainly due to the removal of obsolete
features like non-SSL connections.
The command line parsing for the CLI was completely reworked in 1.0.4, but
should behave like 1.0.3 and even fixes some options that were broken or
unusable since Nessus times. If you spotted some differences there, please
let me know.
> The original theory of revision numbers said "if it's three
> tuples, the third one is minor changes". So 1.0.3 -> 1.0.4 being
> incompatible is not to be expected.
I agree. We are still in the process of fixing issues in the code we inherited
from Nessus, so it is quite often a close call between staying as compatible
as possible while fixing issues and repairing functionality. Likewise, a
change that looks minor from the developer side might sometimes inadvertently
lead to not-so-minor changes from an user perspective. Again, I'd love to
hear more about the inconsistencies you spotted.
As you can see in the change requests on the OpenVAS website, there a some
changes in store for OpenVAS-Client that are most certainly no minor changes,
so the next release will be 1.1.0.
> 2. You seem to be renaming the client. Is it OpenVAS-Client?
> Is it openvas-client? What is it called now, for what revision
> of now?
Thanks for spotting this; to me, OpenVAS-Client is the name of the client
itself (and of the executable) while openvas-client is the name of the module
containing the client. I do not know if all other developers see it this way;
I agree this might be confusing, but we are trying to get to a consistent
naming scheme soon, so please bear with us.
> 3. when it fails the client just blurts out some dialog boxes
> and fails. No logging, no messages you can troubleshoot,
> no debug mode, no verbose mode. So if you fail login, you're screwed.
Again, the sparse to non-existent error messages are mostly a relic from
Nessus times. We are trying to provide better feedback to the user in case of
errors as you can see in 1.0.4, but this will take some time.
You could help improve this situation by telling us where you found unhelpful
error messages or where messages are missing.
> 4. creating users doesn't quite work. with the packages (that don't
> work) you can create users with passwords. with the source
> currently you create users and it insists on halfway trying to create
> certs, which then don't work (and you can't troubleshoot it because
> there's too little help from the client - see #3.
User can be created using the openvas-adduser command provided by the
openvas-server module. If you found an error there, please report it to the
openvas mailing lists or better yet, to our bug tracker at
You will be pleased to hear that improved documentation is on its way; we had
to remove some of the Nessus documentation from OpenVAS due to licensing
> Who said I wanted a graphical client, anyway? What's wrong with a
> command line client? At least then I could get angry in my own
> dev environment and insert printfs to figure out what the blazes you
> people are doing ;-)
You don't have to use the GUI. OpenVAS-Client does work from the command line;
the man page or the --help option will provide you with more information.
You can even compile the client without any GTK support; I don't know if it
makes sense to package the non-GTK version seperately. Maybe someone involved
in the Debian packaging might be able to shed more light on this.
> So. It doesn't have packages, and it doesn't work, and it's
> hard to troubleshoot.
Again, I'm sorry to hear that. But you are already helping us a great deal to
provide you with a working version by reporting these issues.
> Does this stuff work for someone, in some configuration?
It does work for me. :)
> Are there debian packages, for the whole thing?
Not for the "whole thing" AFAIK. You can get more information about the
current state of affairs from the OpenVAS website at http://www.openvas.org/.
> How are you supposed to troubleshoot client login problems?
Again, due to the bad/non-existent error message this can be difficult at the
moment. But please keep on reporting the issues you find to the mailing list
or the bug tracker and we will try to help you. If you use IRC, you might be
able to find some of us in #openvas on irc.oftc.net.
> If there aren't packages, is there information on building from source (with
> for example the list of packages you have to install first on
> Debian to get it to configure/compile?
You can information on this at http://www.openvas.org/openvas-server.html and
Thank you for your feedback, I hope I was able to help you at least a little.
Please be aware OpenVAS is currently a work-in-progress, but we are trying to
achieve progress as quickly (and as compatible) as possible. :)
Michael Wiegand OpenPGP key: D7D049EC
Intevation GmbH, Osnabrück http://www.intevation.de/
Amtsgericht Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
More information about the Openvas-discuss