Posted to commits@spamassassin.apache.org by he...@apache.org on 2019/06/09 08:27:37 UTC

svn commit: r1860877 - in /spamassassin: branches/3.4/sa-update.raw trunk/sa-update.raw

Author: hege
Date: Sun Jun  9 08:27:37 2019
New Revision: 1860877

URL: http://svn.apache.org/viewvc?rev=1860877&view=rev
Log:
Clarify --allowplugins dangerousness

Modified:
    spamassassin/branches/3.4/sa-update.raw
    spamassassin/trunk/sa-update.raw

Modified: spamassassin/branches/3.4/sa-update.raw
URL: http://svn.apache.org/viewvc/spamassassin/branches/3.4/sa-update.raw?rev=1860877&r1=1860876&r2=1860877&view=diff
==============================================================================
--- spamassassin/branches/3.4/sa-update.raw (original)
+++ spamassassin/branches/3.4/sa-update.raw Sun Jun  9 08:27:37 2019
@@ -1906,7 +1906,7 @@ Options:
   --install filename      Install updates directly from this file. Signature
                           verification will use "file.asc", "file.sha256",
                           and "file.sha512".
-  --allowplugins          Allow updates to load plugin code
+  --allowplugins          Allow updates to load plugin code (DANGEROUS)
   --gpgkey key            Trust the key id to sign releases
                           Use multiple times for multiple keys
   --gpgkeyfile file       Trust the key ids in the file to sign releases
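
Review bot: the "(DANGEROUS)" tag on the --allowplugins usage line gives no reason, and the usage output is often the only text an operator reads before adding a flag. Consider naming the risk on a continuation line, the way --gpgkey wraps its description, for example "(DANGEROUS: plugins run arbitrary code)", or point to the --allowplugins entry in the man page.
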
@@ -2002,6 +2002,9 @@ Allow downloaded updates to activate plu
 activate plugins; any C<loadplugin> or C<tryplugin> lines will be commented
 in the downloaded update rules files.
 
+You should never enable this for 3rd party update channels, since plugins
+can execute unrestricted code on your system!
+
 =item B<--gpg>, B<--nogpg>
 
 sa-update by default will verify update archives by use of SHA256 and SHA512
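
Review bot: the added paragraph warns against 3rd party channels but does not say that the signature verification described in the very next item offers no protection here: a valid signature only shows who published the update, and plugin code from that publisher still runs unrestricted. One sentence saying so would stop readers from treating --gpgkey as a mitigation. It would also help to restate that with the option off the C<loadplugin> and C<tryplugin> lines stay commented, which is the safe default. Style: "third-party" rather than "3rd party", and the exclamation mark is unusual for POD.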

Modified: spamassassin/trunk/sa-update.raw
URL: http://svn.apache.org/viewvc/spamassassin/trunk/sa-update.raw?rev=1860877&r1=1860876&r2=1860877&view=diff
==============================================================================
--- spamassassin/trunk/sa-update.raw (original)
+++ spamassassin/trunk/sa-update.raw Sun Jun  9 08:27:37 2019
@@ -1906,7 +1906,7 @@ Options:
   --install filename      Install updates directly from this file. Signature
                           verification will use "file.asc", "file.sha256",
                           and "file.sha512".
-  --allowplugins          Allow updates to load plugin code
+  --allowplugins          Allow updates to load plugin code (DANGEROUS)
   --gpgkey key            Trust the key id to sign releases
                           Use multiple times for multiple keys
   --gpgkeyfile file       Trust the key ids in the file to sign releases
@@ -2002,6 +2002,9 @@ Allow downloaded updates to activate plu
 activate plugins; any C<loadplugin> or C<tryplugin> lines will be commented
 in the downloaded update rules files.
 
+You should never enable this for 3rd party update channels, since plugins
+can execute unrestricted code on your system!
+
 =item B<--gpg>, B<--nogpg>
 
 sa-update by default will verify update archives by use of SHA256 and SHA512
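
Review bot: in this trunk copy the warning lives only in the usage text and the POD; nothing in the visible change makes sa-update say anything when --allowplugins is actually passed. As a follow-up for trunk, consider printing a warning at run time when the option is combined with a channel that is not the project's own, so the risk shows up in the output of scheduled runs and not only in the manual.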