Posted to commits@spamassassin.apache.org by he...@apache.org on 2019/06/09 08:27:37 UTC
svn commit: r1860877 - in /spamassassin: branches/3.4/sa-update.raw
trunk/sa-update.raw
Author: hege
Date: Sun Jun 9 08:27:37 2019
New Revision: 1860877
URL: http://svn.apache.org/viewvc?rev=1860877&view=rev
Log:
Clarify --allowplugins dangerousness
Modified:
spamassassin/branches/3.4/sa-update.raw
spamassassin/trunk/sa-update.raw
Modified: spamassassin/branches/3.4/sa-update.raw
URL: http://svn.apache.org/viewvc/spamassassin/branches/3.4/sa-update.raw?rev=1860877&r1=1860876&r2=1860877&view=diff
==============================================================================
--- spamassassin/branches/3.4/sa-update.raw (original)
+++ spamassassin/branches/3.4/sa-update.raw Sun Jun 9 08:27:37 2019
@@ -1906,7 +1906,7 @@ Options:
--install filename Install updates directly from this file. Signature
verification will use "file.asc", "file.sha256",
and "file.sha512".
- --allowplugins Allow updates to load plugin code
+ --allowplugins Allow updates to load plugin code (DANGEROUS)
--gpgkey key Trust the key id to sign releases
Use multiple times for multiple keys
--gpgkeyfile file Trust the key ids in the file to sign releases
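Review bot: the bare "(DANGEROUS)" tag added to the --allowplugins usage line gives no reason and no pointer, so someone reading the --help output cannot tell what the danger is or when it applies. Consider a short reason that still fits the column, for example "(DANGEROUS: runs code from the channel)", or a reference to the option's entry in the full documentation.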
@@ -2002,6 +2002,9 @@ Allow downloaded updates to activate plu
activate plugins; any C<loadplugin> or C<tryplugin> lines will be commented
in the downloaded update rules files.
+You should never enable this for 3rd party update channels, since plugins
+can execute unrestricted code on your system!
+
=item B<--gpg>, B<--nogpg>
sa-update by default will verify update archives by use of SHA256 and SHA512
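Review bot: the new warning under --allowplugins sits directly above the --gpg item, and a reader may take signature and checksum verification as making plugin loading safe. Verification only shows that the archive came from the holder of a trusted key and was not altered in transit; it says nothing about what the plugin code does. A sentence to that effect after "can execute unrestricted code on your system!" would close that gap.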
Modified: spamassassin/trunk/sa-update.raw
URL: http://svn.apache.org/viewvc/spamassassin/trunk/sa-update.raw?rev=1860877&r1=1860876&r2=1860877&view=diff
==============================================================================
--- spamassassin/trunk/sa-update.raw (original)
+++ spamassassin/trunk/sa-update.raw Sun Jun 9 08:27:37 2019
@@ -1906,7 +1906,7 @@ Options:
--install filename Install updates directly from this file. Signature
verification will use "file.asc", "file.sha256",
and "file.sha512".
- --allowplugins Allow updates to load plugin code
+ --allowplugins Allow updates to load plugin code (DANGEROUS)
--gpgkey key Trust the key id to sign releases
Use multiple times for multiple keys
--gpgkeyfile file Trust the key ids in the file to sign releases
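Review bot: on trunk the "(DANGEROUS)" label on the --allowplugins usage line is still documentation only, seen just by people who read the help text. Consider also printing a warning at run time whenever --allowplugins is given, so that the risk is visible in the output of existing scripts that already pass the option.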
@@ -2002,6 +2002,9 @@ Allow downloaded updates to activate plu
activate plugins; any C<loadplugin> or C<tryplugin> lines will be commented
in the downloaded update rules files.
+You should never enable this for 3rd party update channels, since plugins
+can execute unrestricted code on your system!
+
=item B<--gpg>, B<--nogpg>
sa-update by default will verify update archives by use of SHA256 and SHA512
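Review bot: wording in the added POD paragraph: "3rd party" reads better as "third-party", and "unrestricted code" does not say with whose privileges it runs. Something like "since plugins are Perl code that runs with the privileges of the user running SpamAssassin" tells the administrator what is actually at stake, and the exclamation mark can then go.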