Posted to users@spamassassin.apache.org by ji...@jidanni.org on 2008/09/05 23:10:54 UTC

1000 times easier to just do sa-update --nogpg

You know, it is a 1000 times easier to just do
$ sa-update --nogpg
than to try to figure out the right way from the messages that
surround "channel: GPG validation failed, channel failed", or the
sa-update man page, or writing this group and asking what to do. So
there, the result is gpg is defeated.

The cure is to have the error message to say
"Do sa-update --import bbblllaaa", with the exact name it wants.

I challenge you to figure it out just from the failure message to
sa-update -D. One ends up lost reading
http://www.gnupg.org/faq/subkey-cross-certify.html.

It is 1000 times easier to just do
$ sa-update --nogpg.

Re: 1000 times easier to just do sa-update --nogpg

Posted by Sahil Tandon <sa...@tandon.net>.
jidanni@jidanni.org <ji...@jidanni.org> wrote:

> Yes, I'm saying instead of just letting sa-update fail with the generic 
> GNU message and GNU hyperlink, setting the user off on a PhD Thesis 
> effort

Wow.  Hyperbole much?

-- 
Sahil Tandon <sa...@tandon.net>

Re: 1000 times easier to just do sa-update --nogpg

Posted by ji...@jidanni.org.
>> Hello, this is the sa-update program talking to you.
>> We've detected a problem.
>> You need to do
>> $ wget http://spamassassin.apache.org/updates/GPG.KEY
>> $ sa-update --import GPG.KEY
>> and then run sa-update again. Thank you.

DCWO> Patches welcome.  Please keep in mind, when parsing the output of GPG,
DCWO> that the error text may be platform dependent.  For instance, even
DCWO> getting the cross-signed key error is platform dependent.

Well as I am more an expert in breakfast cereals than whatever that is
all about, somebody else please write the patch. Thanks.

Re: 1000 times easier to just do sa-update --nogpg

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 06/09/2008 4:09 PM, jidanni@jidanni.org wrote:
> Yes, I'm saying instead of just letting sa-update fail with the generic GNU
> message and GNU hyperlink, setting the user off on a PhD Thesis effort
> of trying to figure out what to do, instead just detect the problem and print out:
> ----------------
> Hello, this is the sa-update program talking to you.
> We've detected a problem.
> You need to do
> $ wget http://spamassassin.apache.org/updates/GPG.KEY
> $ sa-update --import GPG.KEY
> and then run sa-update again. Thank you.
> ----------------
> Have that hardwired into the sa-update program, ready and waiting for
> the next time it fails. What could be wrong with that? You can even add:

Patches welcome.  Please keep in mind, when parsing the output of GPG,
that the error text may be platform dependent.  For instance, even
getting the cross-signed key error is platform dependent.

Daryl


Re: 1000 times easier to just do sa-update --nogpg

Posted by ji...@jidanni.org.
>>>>> "K" == Kelson  <ke...@speed.net> writes:

K> Pardon me for putting words in someone's mouth, but I got the
K> impression that the original poster's point was not to advocate
K> disabling signature checking, but to suggest that the error message
K> should be more useful.

Yes, I'm saying instead of just letting sa-update fail with the generic GNU
message and GNU hyperlink, setting the user off on a PhD Thesis effort
of trying to figure out what to do, instead just detect the problem and print out:
----------------
Hello, this is the sa-update program talking to you.
We've detected a problem.
You need to do
$ wget http://spamassassin.apache.org/updates/GPG.KEY
$ sa-update --import GPG.KEY
and then run sa-update again. Thank you.
----------------
Have that hardwired into the sa-update program, ready and waiting for
the next time it fails. What could be wrong with that? You can even add:
----------------
If that doesn't work, use sa-update --nogpg, and consult
http://news.gmane.org/gmane.mail.spam.spamassassin.general/ ...

Re: 1000 times easier to just do sa-update --nogpg

Posted by Kelson <ke...@speed.net>.
SM wrote:
> There is a reason the updates are signed.  You can either try and figure 
> out the right way or you can wait for someone to compromise one of the 
> endpoints to deliver illegitimate updates.

Pardon me for putting words in someone's mouth, but I got the impression 
that the original poster's point was not to advocate disabling signature 
checking, but to suggest that the error message should be more useful.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: 1000 times easier to just do sa-update --nogpg

Posted by SM <sm...@resistor.net>.
At 14:10 05-09-2008, jidanni@jidanni.org wrote:
>You know, it is a 1000 times easier to just do
>$ sa-update --nogpg

As it's 1000 times easier to disable the firewall to solve user issues.

>than to try to figure out the right way from the messages that
>surround "channel: GPG validation failed, channel failed", or the

There is a reason the updates are signed.  You can either try and 
figure out the right way or you can wait for someone to compromise 
one of the endpoints to deliver illegitimate updates.

Regards,
-sm 


Re: 1000 times easier to just do sa-update --nogpg

Posted by Duane Hill <d....@yournetplus.com>.
On Sat, 6 Sep 2008, jidanni@jidanni.org wrote:

> You know, it is a 1000 times easier to just do
> $ sa-update --nogpg
> than to try to figure out the right way from the messages that
> surround "channel: GPG validation failed, channel failed", or the
> sa-update man page, or writing this group and asking what to do. So
> there, the result is gpg is defeated.
>
> The cure is to have the error message to say
> "Do sa-update --import bbblllaaa", with the exact name it wants.
>
> I challenge you to figure it out just from the failure message to
> sa-update -D. One ends up lost reading
> http://www.gnupg.org/faq/subkey-cross-certify.html.
>
> It is 1000 times easier to just do
> $ sa-update --nogpg.

I don't have any issues using GPG. Instructions have ALWAYS been clear and 
when followed to the letter, have no issues.

-d

Re: 1000 times easier to just do sa-update --nogpg

Posted by Kai Schaetzl <ma...@conactive.com>.
LuKreme wrote on Tue, 9 Dec 2008 23:23:19 -0700:

> Ok, where in those directions are you supposed to find the keyid?

where the channel maintainer announces the channel and tells you how to 
use it.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: 1000 times easier to just do sa-update --nogpg

Posted by LuKreme <kr...@kreme.com>.
On 9-Dec-2008, at 23:11, Theo Van Dinter wrote:

> On Tue, Dec 09, 2008 at 10:54:23PM -0700, LuKreme wrote:
>>
>>> curl -o sa.gpg http://spamassassin.apache.org/updates/GPG.KEY
>>> echo "24F434CE" >> gpg.keys
>>> sa-update --import sa.gpg
>>> echo "updates.spamassassin.org" >> channel.list
>>
>> The three lines that are echo "HEXCODE" >> gpg.keys are the issue for
>> me, I guess. Where do those numbers come from?
>
> They're the keyids for the given channels you're using.  The channel
> publishers should state the keyid in use for the channel.  You need  
> to specify them so that when sa-update checks the signature on the  
> update file, it will know what keyid to consider valid, which  
> protects you from someone else creating a channel update file and  
> signing it with another random key.

Ok, where in those directions are you supposed to find the keyid?

-- 
Growing up leads to growing old, and then to dying/And dying to me
	don't sound like all that much fun.


Re: 1000 times easier to just do sa-update --nogpg

Posted by Theo Van Dinter <fe...@apache.org>.
On Tue, Dec 09, 2008 at 10:54:23PM -0700, LuKreme wrote:
> >echo "24F434CE" >> gpg.keys
> >echo "6C6191E3" >> gpg.keys
> >echo "856AA88A" >> gpg.keys
> 
> The three lines that are echo "HEXCODE" >> gpg.keys are the issue for  
> me, I guess. Where do those numbers come from?

They're the keyids for the given channels you're using.  The channel
publishers should state the keyid in use for the channel.  You need to specify
them so that when sa-update checks the signature on the update file, it will
know what keyid to consider valid, which protects you from someone else
creating a channel update file and signing it with another random key.

-- 
Randomly Selected Tagline:
"I've always tried to teach you two things. Never let them see you bleed,
 always have an escape plan." - Q in "The World is Not Enough"
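
Added illustration, not part of the message above and not sa-update's own code: a minimal keyid allowlist check of the kind described there, showing why a cryptographically valid signature from an unlisted key must still be rejected. It assumes status lines in the machine-readable format GnuPG writes with `--status-fd`; the function names and the 40-character fingerprints are constructed, only the `24F434CE` keyid comes from the thread.

```shell
#!/bin/sh
# sig_from_allowed_key STATUS_FILE KEYS_FILE
#   STATUS_FILE: saved gpg --status-fd output from a signature verification
#   KEYS_FILE:   gpg.keys-style allowlist, one hex keyid/fingerprint per line
# Returns 0 only if a VALIDSIG fingerprint ends with an allowed keyid.
# An empty or missing allowlist rejects everything (fails closed).
sig_from_allowed_key() {
    awk '
        # First file: the allowlist. Drop comments/whitespace, normalise case.
        NR == FNR {
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 ~ /^[0-9A-Fa-f]+$/ && length($0) >= 8) allow[toupper($0)] = 1
            next
        }
        # Second file: status lines. Field 3 of VALIDSIG is the fingerprint
        # of the key that made the signature.
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = toupper($3)
            for (k in allow)
                if (length(fpr) >= length(k) &&
                    substr(fpr, length(fpr) - length(k) + 1) == k) ok = 1
        }
        END { exit !ok }
    ' "$2" "$1"
}

# Constructed sample data: two verification runs, both with a *valid*
# signature, but only the first was made by a key listed in gpg.keys.
demo() {
    d=$(mktemp -d) || return 1
    echo "24F434CE" > "$d/gpg.keys"
    printf '%s\n' \
      '[GNUPG:] GOODSIG AAAAAAAA24F434CE Constructed Channel Key' \
      '[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF24F434CE 2008-12-09 1228867200 0 4 0 1 2 00' \
      > "$d/good.status"
    printf '%s\n' \
      '[GNUPG:] GOODSIG BBBBBBBBDEADBEEF Some Other Key' \
      '[GNUPG:] VALIDSIG FFEEDDCCBBAA99887766554433221100DEADBEEF 2008-12-09 1228867200 0 4 0 1 2 00' \
      > "$d/other.status"
    for f in good other; do
        if sig_from_allowed_key "$d/$f.status" "$d/gpg.keys"
        then echo "$f accept"; else echo "$f reject"; fi
    done
    rm -rf "$d"
}
```

Matching on the status fields rather than on GnuPG's human-readable error text also sidesteps the platform-dependent wording raised earlier in the thread.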

Re: 1000 times easier to just do sa-update --nogpg

Posted by LuKreme <kr...@kreme.com>.
On 5-Sep-2008, at 15:32, mouss wrote:
> curl -o sa.gpg http://spamassassin.apache.org/updates/GPG.KEY
> echo "24F434CE" >> gpg.keys
> sa-update --import sa.gpg
> echo "updates.spamassassin.org" >> channel.list
>
> curl -o jm.gpg http://yerp.org/rules/GPG.KEY
> echo "6C6191E3" >> gpg.keys
> sa-update --import jm.gpg
> echo "sought.rules.yerp.org" >> channel.list
>
> curl -o sare.gpg http://daryl.dostech.ca/sa-update/sare/GPG.KEY
> echo "856AA88A" >> gpg.keys
> sa-update --import sare.gpg
> #echo "...." >> channel.list

The three lines that are echo "HEXCODE" >> gpg.keys are the issue for  
me, I guess. Where do those numbers come from?

-- 
'How do you know I'm mad?' said Alice 'You must be' said the Cat
	'or you wouldn't have come here.'


Re: 1000 times easier to just do sa-update --nogpg

Posted by mouss <mo...@netoyen.net>.
jidanni@jidanni.org wrote:
> You know, it is a 1000 times easier to just do
> $ sa-update --nogpg
> than to try to figure out the right way from the messages that
> surround "channel: GPG validation failed, channel failed", or the
> sa-update man page, or writing this group and asking what to do. So
> there, the result is gpg is defeated.
> 
> The cure is to have the error message to say
> "Do sa-update --import bbblllaaa", with the exact name it wants.
> 
> I challenge you to figure it out just from the failure message to
> sa-update -D. One ends up lost reading
> http://www.gnupg.org/faq/subkey-cross-certify.html.
> 
> It is 1000 times easier to just do
> $ sa-update --nogpg.


curl -o sa.gpg http://spamassassin.apache.org/updates/GPG.KEY
echo "24F434CE" >> gpg.keys
sa-update --import sa.gpg
echo "updates.spamassassin.org" >> channel.list

curl -o jm.gpg http://yerp.org/rules/GPG.KEY
echo "6C6191E3" >> gpg.keys
sa-update --import jm.gpg
echo "sought.rules.yerp.org" >> channel.list

curl -o sare.gpg http://daryl.dostech.ca/sa-update/sare/GPG.KEY
echo "856AA88A" >> gpg.keys
sa-update --import sare.gpg
#echo "...." >> channel.list



sa-update --gpgkeyfile gpg.keys --channelfile channel.list

I see no gpg failure...