On 26/01/2011 11:48 PM, Daryl C. W. O'Shea wrote:
On 26/01/2011 10:12 PM, Kevin A. McGrail wrote:
On 1/26/2011 5:39 PM, Karsten Bräckelmann wrote:
Just came up on the users list. Escalating. ;) The facts:
1.3.3.updates.spamassassin.org descriptive text "1052462"
2.3.3.updates.spamassassin.org descriptive text "1052462"
Rule update tarball available on mirrors. 4 weeks old revision from
trunk.
0.3.3.updates.spamassassin.org descriptive text "1061118"
Tarball NOT available. 6 days old revision from tags, not trunk.
Not quite sure why 3.3.0 would be different from 3.3.1+2 would be
different
OK, found the cause. Somebody broke it by manually changing the 3.3.0
update version in DNS to point at 1061118 which is a 3.4.0 version (and
not necessarily compatible with 3.3.0!). This is seriously bad.
I won't point fingers, but here's the last log for the zone at that time:
wtogami pts/5 cpe-76-93-222-12 Thu Jan 20 04:22 - 04:40 (00:18)
wtogami sshd cpe-76-93-222-12 Thu Jan 20 04:22 - 04:40 (00:18)
wtogami pts/8 cpe-76-93-222-12 Thu Jan 20 04:08 - 04:40 (00:32)
wtogami sshd cpe-76-93-222-12 Thu Jan 20 04:08 - 04:11 (00:03)
Anyway... it just became visible as 3.4.0 (trunk) version rules are only
retained for a week before being automatically deleted.
I imagine this was done to push an update to some broken rule as
referenced in bug 6533. Of course this would have only "fixed" 3.3.0,
if it didn't break it in some other way.
So I've taken the following corrective action:
I've copied update 1052462 (which, I checked, passed 3.3.0 validation)
to a new update 1061119 to supersede the bogus 1061118 update.
I've updated the DNS record for 3.3.0 to the 1061119 update version.
DNS should reload in about 10 minutes now... once the mirrors have time
to sync.
Going forward... we, probably me, need to get an automated way to push
some sort of emergency rule update.
The current manual steps would be:
- un-tar an existing STABLE version rule update
- make the changes (using a patch or manually)
- test that those rules work with all .x versions that you're going to
publish the update for (that is 3.3.0, 3.3.1, 3.3.2, etc...)
- tar up, sign and hash the update
- copy the three update files to the update tarball directory on the zone
- make the files all 544 and owned by updatesd:dns
- update the DNS record for each .x version
- wait 16 or more minutes (the mirrors rsync every 15) and reload the
DNS zone
- alternatively for the last step you could immediately do this:
  echo /export/home/updatesd/svn/spamassassin/build/mkupdates/tick_zone_serial | at -q n now + 16min
Daryl
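
A pre-publish check for the manual steps listed above, added here as an example and not part of the thread or of the SpamAssassin build scripts. The function name check_update_set, the file names REV.tar.gz, REV.tar.gz.asc and REV.tar.gz.sha1, and the use of sha1sum are assumptions; the signature file is checked for presence only, not verified.

```shell
#!/bin/sh
# Added example: run before pointing any DNS record at a hand-built update.
# Assumed layout (not from the thread): DIR holds REV.tar.gz, REV.tar.gz.asc
# and REV.tar.gz.sha1, and the .sha1 file begins with the hex digest.

# check_update_set DIR NEW_REV PUBLISHED_REV...
# Returns 0 when the staged set is consistent, non-zero otherwise.
check_update_set() {
    dir=$1; new=$2; shift 2
    rc=0
    tarball="$dir/$new.tar.gz"

    # All three files must exist before DNS names the revision; a record
    # whose tarball is not on the mirrors is the failure seen for 0.3.3.
    for f in "$tarball" "$tarball.asc" "$tarball.sha1"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # The published hash must match the tarball that was actually staged.
    want=$(awk 'NR==1 {print $1}' "$tarball.sha1")
    have=$(sha1sum "$tarball" | awk '{print $1}')
    if [ "$want" != "$have" ]; then
        echo "sha1 mismatch for $tarball" >&2
        rc=1
    fi

    # The new revision must be higher than every revision already in DNS,
    # as 1061119 was chosen to supersede 1061118 (assumption: clients only
    # take an update whose number is higher than the one they hold).
    for pub in "$@"; do
        if [ "$new" -le "$pub" ]; then
            echo "revision $new does not supersede published $pub" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Call it once per update with every revision currently published for the affected .x versions, for example check_update_set /path/to/staging 1061119 1061118 1052462.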
The way you need to do it now is use an existin