Re: [External] ANNOUNCE: Apache SpamAssassin 3.4.6 available

2021-04-14 Thread Sidney Markowitz 

Kevin A. McGrail wrote on 15/04/21 2:08 am:

Want me to look into it again?


I think it's the right thing to do. If you think it requires another 
vote to proceed, feel free to call one, but my opinion is that it is a 
settled issue and we can just go ahead with it.


 Sidney

Re: [External] ANNOUNCE: Apache SpamAssassin 3.4.6 available

2021-04-14 Thread Kevin A. McGrail 
Yeah, I found what happened.  On 3/2 I called for a vote.  Then the 
pandemic hit and I drafted but did not send an email suggested we wait a 
few months.


Here's my notes on it:


*** On March 1, 2020, we will stop publishing rulesets with SHA-1 checksums.
    If you do not update to 3.4.2 or later, you will be stuck at the last
    ruleset with SHA-1 signatures. ***

Simply changing the dns to static is all what is primarily needed

1 - Confirm with private@ - EMAILED 3/2/20

Sent Mar 3 at 9:35AM
Barring objections in the next 48 hours, I will change the DNS entries 
to a static point in time so that updates on older versions are no 
longer produced. I will also work with sysadmin to turn off the creation 
of md5 and sha-1 signatures. I will also update the build readmes for 
trunk and 3.4 to know that those signature should not be produced again.


I think it's the community has so much upheaval about this they can 
easily download the rules updates sign them themselves and put them up 
on an alternate channel.



1a - Hold off due to pandemic


Want me to look into it again?

Regards,
KAM


On 4/13/2021 9:10 PM, Kevin A. McGrail wrote:
We should also update the zone file to static for the older versions 
too so they never try and get a newer update.


On Tue, Apr 13, 2021, 21:08 Sidney Markowitz > wrote:


Kevin A. McGrail wrote on 14/04/21 12:22 am:
> BTW, did we actually turn off the sha-1 signature generation?  I
think
> that was when David and the pandemic hit...

You are right.
http://sa-update.spamassassin.org/1888609.tar.gz.sha1
 exists.

But now that it has been officially announced that we no longer
support
it we can turn it off.

I'm adding a Cc to sysadmins since that's where someone can go
ahead and
remove the generation of the sha1 files.

  Sidney


--




*Kevin A. McGrail*
/CEO Emeritus/
*Peregrine Computer Consultants Corporation*
+1.703.798.0171 kmcgr...@pccc.com
 https://pccc.com/  https://raptoremailsecurity.com

10311 Cascade Lane, Fairfax, Virginia 22032-2357 USA

Re: [External] ANNOUNCE: Apache SpamAssassin 3.4.6 available

2021-04-13 Thread Kevin A. McGrail 
We should also update the zone file to static for the older versions too so
they never try and get a newer update.

On Tue, Apr 13, 2021, 21:08 Sidney Markowitz  wrote:

> Kevin A. McGrail wrote on 14/04/21 12:22 am:
> > BTW, did we actually turn off the sha-1 signature generation?  I think
> > that was when David and the pandemic hit...
>
> You are right. http://sa-update.spamassassin.org/1888609.tar.gz.sha1
> exists.
>
> But now that it has been officially announced that we no longer support
> it we can turn it off.
>
> I'm adding a Cc to sysadmins since that's where someone can go ahead and
> remove the generation of the sha1 files.
>
>   Sidney
>

Re: [External] ANNOUNCE: Apache SpamAssassin 3.4.6 available

2021-04-13 Thread Sidney Markowitz 

Kevin A. McGrail wrote on 14/04/21 12:22 am:
BTW, did we actually turn off the sha-1 signature generation?  I think 
that was when David and the pandemic hit...


You are right. http://sa-update.spamassassin.org/1888609.tar.gz.sha1 exists.

But now that it has been officially announced that we no longer support 
it we can turn it off.


I'm adding a Cc to sysadmins since that's where someone can go ahead and 
remove the generation of the sha1 files.


 Sidney