On Sat, Jan 12, 2019 at 02:10:37PM -0500, listsb wrote: > > that said, i don't quite follow the second statement, if i'm honest. i > suppose that some people may run sa-update or spamassassin as root, but i > don't, and would be filing bugs against any packagers or distributors that > were delivering it this way.
Things like virtual users or privileged ports require starting as root. Even if it is configured to switch users, it can run some linting/compiling stuff from plugins as root. > that said, i would think that if there were to be any channel that should > be trusted to deliver safe plugins [regardless of if the code involved > were to run as either a privileged or non-privileged user], it would be > the official channel, wouldn't it? Sure, but I think it's just a legacy extra feature that has never been used, and in my opinion there's no reason to use it ever. Most people don't have the option enabled anyway, so it would be pointless to distribute anything, that's what version updates are for..
