https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7397
--- Comment #18 from Michael P <[email protected]> ---

Sorry, yes.. maybe not clear in my notes, but it is already weighted, just this is an opportunity to consider if there is demand to change the behavior..

Should add a couple of notes:

* Channels can override the behavior of using the existing MIRRORED.BY even if less than seven (7) days. Or via the use of the CLI option --refreshmirrors.
* Even on first install, there is no reason for a package maintainer to ship a MIRRORED.BY, as it will always be stale, unless created via a post install etc.. Would recommend that it not be shipped by default.
* Channels will have their own MIRRORED.BY, just to be clear
* Channel maintainers may want different policies on how long to cache that information.

And yes, I considered that maybe there was concern that a MIRRORED.BY file get subverted, and that this was a poor man's method to limit the exposure to that case.. However, in contrast the risk of one 'bad mirror' existing, and people still using it for seven days, would at least offset the advantage of that caching.

I do think that by securing the information in the MIRRORED.BY, (future) e.g., DNSSEC on the DNS entry, and forced HTTPS, and checksums, this can be mitigated in other/better ways.
