Posted to commits@spamassassin.apache.org by he...@apache.org on 2022/04/28 18:32:59 UTC
svn commit: r1900365 - /spamassassin/trunk/sa-update.raw
Author: hege
Date: Thu Apr 28 18:32:59 2022
New Revision: 1900365
URL: http://svn.apache.org/viewvc?rev=1900365&view=rev
Log:
It's really pointless to download SHA512/256 checksums if GPG is used, so don't waste the mirrors with that.
Modified:
spamassassin/trunk/sa-update.raw
Modified: spamassassin/trunk/sa-update.raw
URL: http://svn.apache.org/viewvc/spamassassin/trunk/sa-update.raw?rev=1900365&r1=1900364&r2=1900365&view=diff
==============================================================================
--- spamassassin/trunk/sa-update.raw (original)
+++ spamassassin/trunk/sa-update.raw Thu Apr 28 18:32:59 2022
@@ -813,19 +813,6 @@ foreach my $channel (@channels) {
next;
}
- # SHA512 of the archive file
- ($result_fname, $http_ok) = http_get("$mirror/$newV.tar.gz.sha512", $UPDDir);
- if (!$http_ok || !-s $result_fname) {
- # If not found, try SHA256 instead
- ($result_fname, $http_ok) = http_get("$mirror/$newV.tar.gz.sha256", $UPDDir);
- if (!$http_ok || !-s $result_fname) {
- dbg("channel: No sha512 or sha256 file available from $mirror, %s",
- %mirrors ? "sleeping $sleep_sec sec and trying next" : 'no mirrors left');
- sleep($sleep_sec) if %mirrors;
- next;
- }
- }
-
# if GPG is enabled, the GPG detached signature of the archive file
if ($GPG_ENABLED) {
($result_fname, $http_ok) = http_get("$mirror/$newV.tar.gz.asc", $UPDDir);
@@ -836,6 +823,20 @@ foreach my $channel (@channels) {
next;
}
}
+ else {
+ # SHA512 of the archive file
+ ($result_fname, $http_ok) = http_get("$mirror/$newV.tar.gz.sha512", $UPDDir);
+ if (!$http_ok || !-s $result_fname) {
+ # If not found, try SHA256 instead
+ ($result_fname, $http_ok) = http_get("$mirror/$newV.tar.gz.sha256", $UPDDir);
+ if (!$http_ok || !-s $result_fname) {
+ dbg("channel: No sha512 or sha256 file available from $mirror, %s",
+ %mirrors ? "sleeping $sleep_sec sec and trying next" : 'no mirrors left');
+ sleep($sleep_sec) if %mirrors;
+ next;
+ }
+ }
+ }
$download_ok = 1;
last;
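Review bot: With GPG enabled the checksum files are no longer fetched, so whatever receives the contents of the .sha512/.sha256 download — `$SHA512` and `$SHA256`, going by the condition in the third hunk — stays unset on that path, and any later code that compares the archive against those values (not visible in this hunk) must treat "no checksum fetched" as expected when `$GPG_ENABLED` is true rather than as a verification failure; the reworked condition in the third hunk only covers the working-mirror check. This is inferred from the added lines, since the enclosing `foreach my $channel` body starts and ends outside the hunk and the assignment of those variables is not shown. Separately, the new `else` branch repeats the same fetch-and-size test twice with the error path at the innermost level; iterating over the two suffixes, strongest first, leaves a single failure path with the same `dbg`, sleep and `next` behaviour.
```perl
else {
  # No GPG: fall back to a checksum file, strongest first.  This only
  # detects corruption -- the checksum comes from the same mirror.
  my $sum_found = 0;
  for my $suffix (qw(sha512 sha256)) {
    ($result_fname, $http_ok) = http_get("$mirror/$newV.tar.gz.$suffix", $UPDDir);
    if ($http_ok && -s $result_fname) {
      $sum_found = 1;
      last;
    }
  }
  if (!$sum_found) {
    dbg("channel: No sha512 or sha256 file available from $mirror, %s",
        %mirrors ? "sleeping $sleep_sec sec and trying next" : 'no mirrors left');
    sleep($sleep_sec) if %mirrors;
    next;
  }
}
# … unchanged: $download_ok = 1; last; …
```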
@@ -861,7 +862,7 @@ foreach my $channel (@channels) {
}
}
- unless ($content && ( $SHA512 || $SHA256 ) && (!$GPG_ENABLED || $GPG)) {
+ unless ($content && (($GPG_ENABLED && $GPG) || (!$GPG_ENABLED && ($SHA512 || $SHA256)))) {
channel_failed("channel '$channel': could not find working mirror");
next;
}
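Review bot: The reworked `unless` condition on the replaced line is logically right but hard to read at a glance, because the `$GPG_ENABLED` flag appears twice in opposite polarity; naming the verification outcome first makes the intent — signature when GPG is on, checksum otherwise — explicit: `my $have_verifier = $GPG_ENABLED ? $GPG : ($SHA512 || $SHA256);` followed by `unless ($content && $have_verifier) {`. When GPG is disabled the checksum files come from the same mirror as the archive, so that branch can only detect corruption, not tampering, which matches the updated POD in the last hunk. The enclosing `foreach my $channel` loop starts outside this hunk.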
@@ -2130,19 +2131,18 @@ Use --reallyallowplugins option to bypas
=item B<--gpg>, B<--nogpg>
-sa-update by default will verify update archives by use of SHA256 and SHA512
-checksums and GPG signature. SHA* hashes can verify whether or not the
-downloaded archive has been corrupted, but it does not offer any form of
-security regarding whether or not the downloaded archive is legitimate
-(aka: non-modifed by evildoers). GPG verification of the archive is used to
-solve that problem.
-
-If you wish to skip GPG verification, you can use the B<--nogpg> option
-to disable its use. Use of the following gpgkey-related options will
-override B<--nogpg> and keep GPG verification enabled.
+sa-update by default will verify update archives by use of GPG signature.
+
+If you wish to skip GPG verification (very unsafe), you can use the
+B<--nogpg> option to disable its use. Use of the following gpgkey-related
+options will override B<--nogpg> and keep GPG verification enabled.
+
+If GPG is disabled, only SHA512 or SHA256 checksums are used to verify
+whether or not the downloaded archive has been corrupted, but it does not
+offer any form of security regarding whether or not the downloaded archive
+is legitimate (aka: non-modifed by evildoers).
-Note: Currently, only GPG itself is supported (ie: not PGP). v1.2 has been
-tested, although later versions ought to work as well.
+Note: Only GnuPG is supported (ie: not any other PGP software).
=item B<--gpgkey>
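Review bot: The added paragraph carries over the typo "non-modifed" from the old text on its last line; `is legitimate (aka: non-modified by evildoers).` Otherwise the rewrite correctly separates the integrity role of the checksums from the authenticity role of the GPG signature.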