Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2007/02/15 11:39:54 UTC
Re: what does the 'new' --allowupdates option to sa-update do?
Anthony Peacock writes:
> snowcrash+spamassassin wrote:
> >> The man page is pretty straightforward IMO.
> >
> > sigh.
> >
> > ok.
> >
> > as it's clear to one of the developers (!), it _must_ just be me, then. ;-)
> >
> >> > do i need to change it to not 'lose' any capability?
> >>
> >> it depends on the channels you were using. it doesn't change anything
> >> for the official SA channel. YMMV for third-party channels. imo,
> >> don't worry about it right now.
> > <snip>
> >> Hope this clarifies some more. :)
> >
> > yes, it does clarify the "what?", nicely. thanks!
> >
> > now, the "for which?" is there a wiki page, or some commentary here on
> > list (yet?), from others/all as to which/what to 'trust' -- or more
> > importantly, *not* trust?
> >
> > given that SA's scoring is all about building trust, and, at least at
> > the beginning, accepting the "community's" recommendations for default
> > scoring/trust, i'm curious, then, as to recommendations _here_.
> >
> > e.g., _i_ currently run cron jobs that regularly exec,
> >
> > sa-update --channelfile .../DIST-channels.conf
> > sa-update --channelfile .../SARE-channels.conf
> >
> > where,
> >
> > cat .../DIST-channels.conf
> > updates.spamassassin.org
> >
> > and
> >
> > cat .../SARE-channels.conf
> > 70_sare_obfu.cf.sare.sa-update.dostech.net
> > 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
> > 70_sare_evilnum0.cf.sare.sa-update.dostech.net
> > 70_sare_evilnum1.cf.sare.sa-update.dostech.net
> > 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
> > 70_sare_header.cf.sare.sa-update.dostech.net
> > 70_sare_header_eng.cf.sare.sa-update.dostech.net
> > 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
> > 70_sare_spoof.cf.sare.sa-update.dostech.net
> > 70_sare_random.cf.sare.sa-update.dostech.net
> > 70_sc_top200.cf.sare.sa-update.dostech.net
> > 70_sare_oem.cf.sare.sa-update.dostech.net
> > 70_sare_unsub.cf.sare.sa-update.dostech.net
> > 70_sare_uri.cf.sare.sa-update.dostech.net
> > 70_sare_specific.cf.sare.sa-update.dostech.net
> > 70_sare_oem.cf.sare.sa-update.dostech.net
> > 70_sare_html.cf.sare.sa-update.dostech.net
> > 70_sare_genlsubj.cf.sare.sa-update.dostech.net
> > 70_sare_adult.cf.sare.sa-update.dostech.net
> > 72_sare_bml_post25x.cf.sare.sa-update.dostech.net
> > 70_sare_stocks.cf.sare.sa-update.dostech.net
> > 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net
> > bogus-virus-warnings.cf.sare.sa-update.dostech.net
> >
> > since i certainly trust the project, and DOS' contributions, should i
> > simply mod my cron jobs to,
> >
> > sa-update --allowplugins --channelfile .../DIST-channels.conf
> > sa-update --allowplugins --channelfile .../SARE-channels.conf
>
> my understanding of Theo's comments is no you shouldn't do that. My
> understanding of what he said was that none of the standard or SARE
> channels update plugins this way.
>
> From a security point of view you should not enable this by default, by
> doing that you would be leaving a wide open security hole, which could
> get compromised in the future.
>
> This switch is there for the rare occasion where you decide to allow a
> channel to update a plugin automatically. This is something you would
> do only after reviewing that channel.
Yep -- I can't see any standard channel needing to use it. Typically
if someone was to publish a channel that requires a certain custom
plugin, they would indicate that in the channel's documentation...
--j.
Re: what does the 'new' --allowupdates option to sa-update do?
Posted by Theo Van Dinter <fe...@apache.org>.
On Thu, Feb 15, 2007 at 06:17:17AM -0800, snowcrash+spamassassin wrote:
> still, would be nice to be able to verify -- using cmd line option --
> what, if anything, the channel sa-update DID, in fact, 'send over'.
> namely, did/does it install a plugin, in addition to any rules, even
> IF disabled ...
"sa-update -D" will tell you anything you want to know, such
as "what files does this new update provide". Otherwise, "cd
/var/lib/spamassassin/<version>/<update_channel>", and "ls" is pretty
simple IMO for already installed updates. :)
--
Randomly Selected Tagline:
"Now let's say I like sheep... And now let's say I take the sheep to a
Christmas party..." - Bob Golub
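[Added example, not part of the original thread or of SpamAssassin itself: a shell version of the "cd and ls" check described in the message above, narrowed to plugin-related content. It assumes plugin code arrives as *.pm files and is activated by loadplugin/tryplugin lines in *.cf or *.pre files; the function names and the sample directory are constructed for illustration.]

```shell
#!/bin/sh
# Added example: report plugin-related content in an installed sa-update
# channel directory. Assumption: plugins ship as *.pm files and are
# activated by loadplugin/tryplugin lines in *.cf or *.pre files.

# audit_channel_dir DIR prints one line per finding:
#   PLUGIN_FILE <path>              Perl module found in the update
#   PLUGIN_LOAD <path>:<n>:<text>   active (uncommented) plugin directive
# Returns 0 if nothing plugin-related was found, 1 if something was,
# 2 if DIR is not a directory.
audit_channel_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0
    pm=$(find "$dir" -type f -name '*.pm' | sort)
    if [ -n "$pm" ]; then
        printf '%s\n' "$pm" | sed 's/^/PLUGIN_FILE /'
        found=1
    fi
    # /dev/null makes grep print the file name even when given one file.
    # grep exits 1 when nothing matches; that is not an error here.
    loads=$(find "$dir" -type f \( -name '*.cf' -o -name '*.pre' \) \
        -exec grep -nE '^[[:space:]]*(loadplugin|tryplugin)[[:space:]]' \
        /dev/null {} + | sort) || true
    if [ -n "$loads" ]; then
        printf '%s\n' "$loads" | sed 's/^/PLUGIN_LOAD /'
        found=1
    fi
    return "$found"
}

# Constructed sample: a fake channel directory holding one rules file,
# one file with a commented and an active loadplugin line, and one module.
make_sample_channel() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/example_channel"
    printf '%s\n' 'body EXAMPLE_RULE /example/' 'score EXAMPLE_RULE 0.1' \
        > "$d/example_channel/10_rules.cf"
    printf '%s\n' '# loadplugin Example::Commented' \
        'loadplugin Example::Plugin example.pm' \
        > "$d/example_channel/20_plugin.pre"
    printf '%s\n' 'package Example::Plugin; 1;' \
        > "$d/example_channel/example.pm"
    echo "$d"
}

sample=$(make_sample_channel)
audit_channel_dir "$sample/example_channel" || echo "exit status: $?"
rm -rf "$sample"
```

To check a real installation, pass the installed channel directory named in the message above (/var/lib/spamassassin/<version>/<update_channel>) to audit_channel_dir.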
Re: what does the 'new' --allowupdates option to sa-update do?
Posted by snowcrash+spamassassin <sc...@gmail.com>.
> > > since i certainly trust the project, and DOS' contributions, should i
> > > simply mod my cron jobs to,
> > >
> > > sa-update --allowplugins --channelfile .../DIST-channels.conf
> > > sa-update --allowplugins --channelfile .../SARE-channels.conf
> >
> > my understanding of Theo's comments is no you shouldn't do that. My
> > understanding of what he said was that none of the standard or SARE
> > channels update plugins this way.
> >
> > From a security point of view you should not enable this by default, by
> > doing that you would be leaving a wide open security hole, which could
> > get compromised in the future.
> >
> > This switch is there for the rare occasion where you decide to allow a
> > channel to update a plugin automatically. This is something you would
> > do only after reviewing that channel.
>
> Yep -- I can't see any standard channel needing to use it. Typically
> if someone was to publish a channel that requires a certain custom
> plugin, they would indicate that in the channel's documentation...
all clear, now, thanks!
still, would be nice to be able to verify -- using cmd line option --
what, if anything, the channel sa-update DID, in fact, 'send over'.
namely, did/does it install a plugin, in addition to any rules, even
IF disabled ...
thanks.