Anthony Peacock writes: > snowcrash+spamassassin wrote: > >> The man page is pretty straightforward IMO. > > > > sigh. > > > > ok. > > > > as it's clear to one of the developers (!), it _must_ just be me, then. ;-) > > > >> > do i need to change it to not 'lose' any capability? > >> > >> it depends on the channels you were using. it doesn't change anything > >> for the official SA channel. YMMV for third-party channels. imo, > >> don't worry about it right now. > > <snip> > >> Hope this clarifies some more. :) > > > > yes, it does clarify the "what?", nicely. thanks! > > > > now, the "for which?" is there a wiki page, or some commentay here on > > list (yet?), from others/all as to which/what to 'trust' -- or more > > importantly, *not* trust? > > > > given that SA's scoring is all about building trust, and, at least at > > the beginning, accepting the "community's" recommendations for default > > scoring/trust, i'm curious, then, as to recommendations _here_. > > > > e.g., _i_ currently run cron jobs that regularly exec, > > > > sa-update --channelfile .../DIST-channels.conf > > sa-update --channelfile .../SARE-channels.conf > > > > where, > > > > cat .../DIST-channels.conf > > updates.spamassassin.org > > > > and > > > > cat .../SARE-channels.conf > > 70_sare_obfu.cf.sare.sa-update.dostech.net > > 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net > > 70_sare_evilnum0.cf.sare.sa-update.dostech.net > > 70_sare_evilnum1.cf.sare.sa-update.dostech.net > > 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net > > 70_sare_header.cf.sare.sa-update.dostech.net > > 70_sare_header_eng.cf.sare.sa-update.dostech.net > > 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net > > 70_sare_spoof.cf.sare.sa-update.dostech.net > > 70_sare_random.cf.sare.sa-update.dostech.net > > 70_sc_top200.cf.sare.sa-update.dostech.net > > 70_sare_oem.cf.sare.sa-update.dostech.net > > 70_sare_unsub.cf.sare.sa-update.dostech.net > > 70_sare_uri.cf.sare.sa-update.dostech.net > > 70_sare_specific.cf.sare.sa-update.dostech.net > > 70_sare_oem.cf.sare.sa-update.dostech.net > > 70_sare_html.cf.sare.sa-update.dostech.net > > 70_sare_genlsubj.cf.sare.sa-update.dostech.net > > 70_sare_adult.cf.sare.sa-update.dostech.net > > 72_sare_bml_post25x.cf.sare.sa-update.dostech.net > > 70_sare_stocks.cf.sare.sa-update.dostech.net > > 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net > > bogus-virus-warnings.cf.sare.sa-update.dostech.net > > > > since i certainly trust the project, and DOS' contributions, should i > > simply mod my cron jobs to, > > > > sa-update --allowplugins --channelfile .../DIST-channels.conf > > sa-update --allowplugins --channelfile .../SARE-channels.conf > > my understanding of Theo's comments is no you shouldn't do that. My > understanding of what he said was that none of the standard or SARE > channels update plugins this way. > > From a security point of view you should not enable this by default, by > doing that you would be leaving a wide open security hole, which could > get compromised in the future. > > This switch is there for the rare occasion where you decide to allow a > channel to update a plugin automatically. This is something you would > do only after reviewing that channel.
Yep -- I can't see any standard channel needing to use it. Typically if someone was to publish a channel that requires a certain custom plugin, they would indicate that in the channel's documentation... --j.