Justin Mason wrote, On 19/01/10 12:55 PM:
> proposed release announcement mail is there, too. We need 3 +1 votes
> and no -1's over the next 72 hours to "bless" this as an official
> release.

I have an issue with the proposed release announcement. Not enough for a hard -1 vote, but we can change it without canceling the release, correct?

It says to install rules by either running sa-update as root, or going through a series of steps for installing from files that has you download GPG.KEY using curl and then importing the key and then running sa-update on the downloaded tarball.

This is wrong in several ways.

1) Either you already have the key imported and don't have to before running sa-update, or you do have to import the key first. That is the same whether running sa-update over the net or from files. The instructions for getting the key should come first, before the two sets of instructions for running sa-update.

2) The instructions as given are insecure and are what you should do if you are in a hurry to get the install done and didn't think about getting the release key before and now you are not worried about the possibility of an attack on people getting SpamAssassin rule updates.

Proposed text for the portion of instructions regarding the release key, to come before the instructions that begin with running sa-update as root. This is going to be very lightly edited, so suggestions welcome:

========

Rules are normally installed by running the sa-update command. The version of the sa-update program should match the version of the SpamAssassin modules, so invoking sa-update should be performed only after installing or upgrading SpamAssassin code, not before.

There is a new signing key for the 3.3.0 release, which will be used for sa-update rules starting now. You will have to download and import the new key before using sa-update to install the rules.

Always be careful to verify that a new signing key is the authentic one from the Apache SpamAssassin project. Some ways of verifying it include confirming that the same key file is on both apache.org web site locations listed below, that you have accessed the web sites using SSL and the sites have valid apache.org SSL certificates, and if you have an old SpamAssassin release key that the new one verifies as being signed by the old one.

Obtain the current rule signing key, from

    https://spamassassin.apache.org/updates/GPG.KEY

or from

    https://www.apache.org/dist/spamassassin/KEYS

If this signing key is new to you, import it to a SpamAssassin gpg keyring using the file name that you saved it as (e.g., GPG-KEY):

    sa-update --import GPG.KEY

Once you have the current key, installing rules from the network is done with a single command, normally run as root:

    sa-update

To instead install rules from files:

obtain all the following files:

    Mail-SpamAssassin-rules-xxx.tgz
    Mail-SpamAssassin-rules-xxx.tgz.asc
    Mail-SpamAssassin-rules-xxx.tgz.md5
    Mail-SpamAssassin-rules-xxx.tgz.sha1

(where xxx may look something like '3.3.0.r893295')

install rules from a compressed tar archive:

    sa-update --install Mail-SpamAssassin-rules-xxx.tgz

(sa-update will need corresponding .asc and .sha1 files with the same base name in the current directory)

==============
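
Two of the checks named in the proposed text (the same key present at both apache.org locations, and the digest file matching the downloaded tarball), as an added Python example that is not part of the original message or of SpamAssassin's own code. The function names, the assumed digest-file layout and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import re

ARMOR = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----.*?"
                   r"-----END PGP PUBLIC KEY BLOCK-----", re.DOTALL)

def key_blocks(text):
    """Armored public-key blocks in text, normalised for comparison."""
    blocks = set()
    for match in ARMOR.finditer(text.replace("\r\n", "\n")):
        lines = (ln.strip() for ln in match.group(0).split("\n"))
        # Drop blank lines and armor headers such as "Version:"; they are
        # not key material and may differ between two copies of one key.
        blocks.add("\n".join(ln for ln in lines if ln and ":" not in ln))
    return blocks

def key_on_both_sites(gpg_key_text, keys_text):
    """True if every key block in GPG.KEY also appears in the KEYS file."""
    wanted = key_blocks(gpg_key_text)
    return bool(wanted) and wanted <= key_blocks(keys_text)

def digest_matches(tarball, digest_text, algo):
    """Compare the tarball's digest with the one in a .sha1/.md5 file.

    Assumes the file holds one hex digest, optionally followed by a file
    name. This catches a corrupt download only; authenticity comes from
    the .asc signature checked against the imported key.
    """
    width = hashlib.new(algo).digest_size * 2
    found = re.findall(r"\b[0-9a-fA-F]{%d}\b" % width, digest_text)
    actual = hashlib.new(algo, tarball).hexdigest()
    return len(found) == 1 and hmac.compare_digest(found[0].lower(), actual)

# Constructed sample data (not a real key or rule archive).
GPG_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: sample A

mQConstructedSampleKeyMaterial0000
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
"""
KEYS = "pub  constructed listing text\r\n" + GPG_KEY.replace(
    "sample A", "sample B").replace("\n", "\r\n")
TARBALL = b"abc"
SHA1_FILE = "a9993e364706816aba3e25717850c26c9cd0d89d  Mail-SpamAssassin-rules-xxx.tgz\n"

if __name__ == "__main__":
    print("same key on both sites:", key_on_both_sites(GPG_KEY, KEYS))
    print("sha1 matches:", digest_matches(TARBALL, SHA1_FILE, "sha1"))
```

A mismatch from either function is a reason to stop before running sa-update --import or sa-update --install.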
