> On Jan 11, 2019, at 10.55, Henrik K <h...@hege.li> wrote:
>
> On Wed, Jan 09, 2019 at 11:59:36PM -0500, listsb wrote:
>>
>>> sa-update -vvv --allowplugins ...
>
> Just a general note, I would never ever use --allowplugins unless it's your
> personal channel. There is no reason why official channels should ever
> distribute plugins as it would be basically remote code run as root.

thanks for mentioning this. i'd wondered about that - the documentation ["Allow downloaded updates to activate plugins."] doesn't quite express what exactly --allowplugins does/means, imho. i would like to better understand this.

that said, i don't quite follow the second statement, if i'm honest. i suppose that some people may run sa-update or spamassassin as root, but i don't, and would be filing bugs against any packagers or distributors that were delivering it this way. that said, i would think that if there were to be any channel that should be trusted to deliver safe plugins [regardless of if the code involved were to run as either a privileged or non-privileged user], it would be the official channel, wouldn't it?
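
Added example, not part of the original messages or of SpamAssassin itself: per the sa-update man page, `loadplugin` and `tryplugin` lines in downloaded update files are commented out unless `--allowplugins` is given, so an audit of the update directory can list any plugin directives that are still active. The directory is passed in as an argument, and the sample channel, file names and module names below are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# An active (uncommented) plugin directive: directive, module name, optional source path.
PLUGIN_RE = re.compile(r"^\s*(loadplugin|tryplugin)\s+(\S+)(?:\s+(\S+))?")


def find_active_plugin_lines(update_dir):
    """Return (file, line number, directive, module, source path) per active directive."""
    root = Path(update_dir)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in (".cf", ".pre"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = PLUGIN_RE.match(line)
            if m:
                rel = str(path.relative_to(root))
                hits.append((rel, lineno, m.group(1), m.group(2), m.group(3)))
    return hits


def build_sample(root):
    """Constructed sample channel directory (hypothetical names throughout)."""
    chan = Path(root) / "example_channel"
    chan.mkdir()
    (chan / "10_rules.cf").write_text(
        "body EXAMPLE_RULE /example/\n"
        "# loadplugin Example::Disabled disabled.pm\n"  # commented out: inactive
    )
    (chan / "20_plugins.pre").write_text(
        "loadplugin Example::Plugin example_plugin.pm\n"  # active, ships its own code
        "  tryplugin Example::Other\n"                    # active, indented
    )
    return root


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return find_active_plugin_lines(build_sample(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Any hit in a directory populated from a third-party channel is a line that makes SpamAssassin load Perl code delivered by that channel, with the privileges of whatever user runs it.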