snowcrash+spamassassin wrote:
> since i certainly trust the project, and DOS' contributions, should i
> simply mod my cron jobs to,
>
>   sa-update --allowplugins --channelfile .../DIST-channels.conf
>   sa-update --allowplugins --channelfile .../SARE-channels.conf

Nope. Neither includes plugins, or other ways to load code, in their
channels. If they were to in the future I'm sure there'd be some
attempt to make people aware of it.

> in the first case, it's clear to trust ... but in the second (SARE)
> case, which channel/author am i actually trusting? DOS, SARE, others?

My involvement in the contents of the channels goes no further than you
trusting me to not have a setup that makes it easy (or even
likely/probable) to compromise the channels and that I'm reproducing the
same data available from the SARE website. Beyond that I have no
involvement. I do not audit existing or new ruleset channels (new ones
are created automatically). Whatever SARE provides is what you get. So
whatever mechanisms they have in place to ensure you can trust them is
what you're relying on (the same as if you were using RDJ or whatever to
get the rules directly from them).
Daryl
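
An added example, not part of the thread and not code from SpamAssassin, SARE or the channel maintainers: a shell check that looks in a downloaded channel directory for the two things the reply says the channels do not carry, plugin-loading directives and Perl modules. The directory argument, the function names and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: flag anything in a downloaded channel directory that could
# make SpamAssassin load Perl code. Paths and sample data are constructed.

# find_code_loaders DIR
# Prints one finding per line; returns 0 if clean, 1 if findings, 2 if DIR is bad.
find_code_loaders() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Active loadplugin/tryplugin directives in .cf and .pre files.
    # Commented-out lines do not match. /dev/null makes grep print file names.
    directives=$(find "$dir" -type f \( -name '*.cf' -o -name '*.pre' \) \
        -exec grep -En '^[[:space:]]*(loadplugin|tryplugin)[[:space:]]' /dev/null {} + \
        || true)

    # Perl modules shipped alongside the rules.
    modules=$(find "$dir" -type f -name '*.pm' || true)

    rc=0
    if [ -n "$directives" ]; then
        printf '%s\n' "$directives" | sed 's/^/DIRECTIVE /'
        rc=1
    fi
    if [ -n "$modules" ]; then
        printf '%s\n' "$modules" | sed 's/^/MODULE /'
        rc=1
    fi
    return $rc
}

# make_sample_channel DIR: constructed sample data, for demonstration only.
make_sample_channel() {
    mkdir -p "$1/clean" "$1/risky"
    printf 'body EXAMPLE_RULE /constructed sample/\nscore EXAMPLE_RULE 0.1\n' \
        > "$1/clean/70_example.cf"
    printf '# loadplugin Commented::Out\n  loadplugin Example::Plugin example.pm\n' \
        > "$1/risky/70_example.cf"
    printf 'package Example::Plugin;\n1;\n' > "$1/risky/example.pm"
}
```

Run find_code_loaders against the directory sa-update writes a channel into; a non-zero return means the channel contains something that would be activated by --allowplugins or could be loaded as code.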