On Wed, Feb 14, 2007 at 06:48:05PM -0800, snowcrash+spamassassin wrote:
> though i read the sa-update manpage, & read the commit here,
> and, found nothing on the wiki, i'm unclear.

The man page is pretty straightforward IMO.

> can someone explain why this is important?  what it does do for me?

It's security related, see below.

> as this is a new/recent change, does the addition of this option
> TOGGLE any previously default functionality?

Yes, certain config options are disabled from updates by default now.

> what do i need to do/change in order to keep my functionality 'as before'?
> do i need to change it to not 'lose' any capability?

It depends on the channels you were using.  It doesn't change anything
for the official SA channel.  YMMV for third-party channels.  IMO,
don't worry about it right now.


The longer version is that before 3.1.8, any sa-update channel you used
had the option of including perl modules which the channel config could
then load for you.  This is a potential security issue if you think
about it -- a cron job you have could automatically download new code
and start running it, probably as root.

Now arguably, you need to have a level of trust to use an update channel,
but maybe you're not comfortable with that...  For example, when I was
at LISA '06's SpamAssassin BoF, everyone there basically said that they
would feel better if such things were disabled by default, and the SA
dev community generally agreed, so ...

What happens now is that any updates that are downloaded have certain
config options commented out during installation, such as loadplugin,
tryplugin, bayes_store_module, etc -- commands that will load modules.
I only know of one channel which shipped a *.pre file that loaded plugins
(standard ones, none included with the update), which IMO it shouldn't
have been doing anyway, so nothing is different for you.

Plugins provided by the channel will still be installed, so you could load
them manually if you wanted to.  Otherwise, if you trust the update channel,
you can use the new option and allow the channel to do what it wants.


Hope this clarifies some more. :)

-- 
Randomly Selected Tagline:
"They have this game where you put in a dollar and you get four quarters!  I
 win every time!"                - Family Guy
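
An added illustration, not part of the original message and not sa-update's own code: a small Python filter that does to a channel's config text what the message describes, commenting out lines that load modules and reporting each one it finds. The `MARKER` text, the `allow_plugins` parameter (standing in for "the new option") and the sample channel file are assumptions made for this example; the directive list holds only the three names the message gives.

```python
import re

# Directives named in the message above; its "etc" means the real list is longer.
MODULE_DIRECTIVES = ("loadplugin", "tryplugin", "bayes_store_module")
MARKER = "#(disabled: loads code)# "  # hypothetical marker, not sa-update's own text

# Case-insensitive matching is a conservative choice made for this example.
_DIRECTIVE_RE = re.compile(
    r"^(\s*)(" + "|".join(MODULE_DIRECTIVES) + r")\b(.*)$", re.IGNORECASE
)


def neutralize(config_text, allow_plugins=False):
    """Comment out module-loading lines; return (new_text, findings).

    findings lists (line_number, directive, argument) for every active
    module-loading line, so it can be logged even when allow_plugins is set.
    """
    out, findings = [], []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = _DIRECTIVE_RE.match(line)  # lines already starting with '#' never match
        if m:
            findings.append((lineno, m.group(2).lower(), m.group(3).strip()))
            if not allow_plugins:
                line = m.group(1) + MARKER + line.lstrip()
        out.append(line)
    return "\n".join(out) + "\n", findings


# Constructed sample of a third-party channel file (not from a real channel).
SAMPLE = """\
# example channel init.pre
loadplugin Mail::SpamAssassin::Plugin::Example example.pm
  tryplugin Mail::SpamAssassin::Plugin::Other
#loadplugin Mail::SpamAssassin::Plugin::AlreadyOff
bayes_store_module Mail::SpamAssassin::BayesStore::Example
body EXAMPLE_RULE /loadplugin is only text here/
score EXAMPLE_RULE 0.1
"""

if __name__ == "__main__":
    cleaned, found = neutralize(SAMPLE)
    for lineno, directive, arg in found:
        print(f"line {lineno}: {directive} {arg}")
    print(cleaned, end="")
```

Running the same function with `allow_plugins=True` over a channel you already trust gives an inventory of what that channel would load without changing the file.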
