On 20 Dec 2018, at 17:56, Kevin A. McGrail wrote:
We've had a few occurrences of essentially the same problem (a bad
rules package due to an ignored lint failure in a nightly update) over
the past few years. In addition to correcting the problematic rule I
have also fixed the script which intentionally (!) masked the lint
failure and allowed the broken rules package to be built and
distributed.

The file shouldn't get installed though because sa-update checks the
lint, doesn't it?

It depends on why the lint failed in the update process and on the local
config. In the immediate case, sa-update installed the bad package.
The root cause of this particular failure was a 'replace_tag' rule that
was outside an 'ifplugin Mail::SpamAssassin::Plugin::ReplaceTags' block.
Because 'make build_rules' runs with minimal plugins loaded, the rule
failed to parse and the design error in the mkrules script papered over
the problem with an empty 72_active.cf. The rules package was assembled
correctly with that empty file. When tested by sa-update after download,
the rules pass lint because the file where the 'bad' rule would have
gone was empty.
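
An added example, not part of the original message and not the project's own build code: a pre-publish check in Python for the two conditions described above, a ReplaceTags directive outside its 'ifplugin' guard and a 72_active.cf with no rules in it. The function names and the sample rules are constructed for illustration.

```python
import re

# Directives that only parse when the ReplaceTags plugin is loaded.
PLUGIN = "Mail::SpamAssassin::Plugin::ReplaceTags"
DIRECTIVES = {"replace_tag", "replace_pre", "replace_inter", "replace_post",
              "replace_rules", "replace_start", "replace_end"}
GUARD_IF = re.compile(r"\(?\s*plugin\(\s*" + re.escape(PLUGIN) + r"\s*\)\s*\)?")

def unguarded_replacetags(cf_text):
    """Return (line_no, line) for each ReplaceTags directive outside a plugin guard."""
    findings, stack = [], []  # stack: one bool per open block, True if it guards
    for no, raw in enumerate(cf_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)  # crude comment strip
        if not parts:
            continue
        word, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if word == "ifplugin":
            stack.append(rest == PLUGIN)
        elif word == "if":
            stack.append(bool(GUARD_IF.fullmatch(rest)))
        elif word == "else" and stack:
            stack[-1] = False  # else-branch runs when the guard condition is false
        elif word == "endif" and stack:
            stack.pop()
        elif word in DIRECTIVES and not any(stack):
            findings.append((no, raw.strip()))
    return findings

def has_rules(cf_text):
    """True if the file has at least one non-blank, non-comment line."""
    return any(l.strip() and not l.lstrip().startswith("#")
               for l in cf_text.splitlines())

def prepublish_problems(source_cf, active_cf):
    """Problems that should fail the build instead of shipping a package."""
    problems = [f"line {n}: '{l}' is outside 'ifplugin {PLUGIN}'"
                for n, l in unguarded_replacetags(source_cf)]
    if not has_rules(active_cf):
        problems.append("72_active.cf contains no rules")
    return problems

# Constructed sample input (rule name and pattern are made up).
BAD = """# constructed example
body EXAMPLE_RULE /ex<A>mple/i
replace_tag A (?:a|@)
replace_rules EXAMPLE_RULE
"""
GOOD = "ifplugin " + PLUGIN + "\n" + BAD + "endif\n"

if __name__ == "__main__":
    for p in prepublish_problems(BAD, ""):
        print(p)
```

The empty-file check matters because, as the message explains, a lint run over the assembled package cannot see a rule that was never written into it.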