Re: spamassassin Debian package unsafe to use in stable?
Hi,
On Mon, Jun 09, 2025 at 01:18:37AM +0200, Vincent Lefevre wrote:
> Is the spamassassin Debian package unsafe to use in stable?
I think so. I think the general expectation of spamassassin is that you
use a release for a long time.
> The issue is that things related to spam evolve rapidly, but
> Debian stable is... stable.
The scores assigned to most of the different rules are updated from the
spamassassin project itself (and other places if you enable that) using
sa-update, which is fully supported in Debian.
> its rules become obsolete, such as those that generate
>
> RCVD_IN_VALIDITY_CERTIFIED_BLOCKED
> RCVD_IN_VALIDITY_RPBL_BLOCKED
> RCVD_IN_VALIDITY_SAFE_BLOCKED
>
> while upstream gave them zero scores in May.
sa-update already picked it up:
$ grep RCVD_IN_VALIDITY /var/lib/spamassassin/4.000001/updates_spamassassin_org/50_scores.cf
score RCVD_IN_VALIDITY_CERTIFIED 0
score RCVD_IN_VALIDITY_SAFE 0
score RCVD_IN_VALIDITY_RPBL 0
#score RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001
#score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001
#score RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001
There was a post on the spamassassin list to warn users that these DNS
lists would stop getting points for everyone doing updates due to the zero
score. This was not to alert people to make manual updates, as that's
not necessary if using sa-update.
On Debian, sa-update is called from the spamassassin-maintenance.service
systemd service, which is itself called by the similarly named timer
unit. I don't recall whether that timer is enabled by default.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
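
The check described in the message above, as an added example that is not part of the original post: a script that audits the score lines for a rule prefix in a SpamAssassin .cf file and flags any rule that still carries a non-zero score. The function names (rule_scores, stale_rules, sample_scores) are hypothetical, and the sample data is constructed to mirror the grep output quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit score lines for a rule
# prefix in a SpamAssassin .cf file, e.g. the sa-update channel file above.

# rule_scores FILE PREFIX -> one "RULE STATE" line per matching score line.
#   zero       active line, every score value is 0
#   nonzero    active line, at least one value is not 0
#   commented  line is commented out, so this file sets no score for the rule
rule_scores() {
    awk -v prefix="$2" '
        ($1 == "score" || $1 == "#score") && index($2, prefix) == 1 {
            if ($1 == "#score") { print $2, "commented"; next }
            state = "zero"
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^#/) break          # trailing comment on the line
                if ($i + 0 != 0) state = "nonzero"
            }
            print $2, state
        }' "$1"
}

# stale_rules FILE PREFIX -> prints rules still scoring; returns 1 if any exist.
stale_rules() {
    out=$(rule_scores "$1" "$2" | awk '$2 == "nonzero" { print $1 }')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample mirroring the grep output quoted in the post.
sample_scores() {
    cat <<'EOF'
score RCVD_IN_VALIDITY_CERTIFIED 0
score RCVD_IN_VALIDITY_SAFE 0
score RCVD_IN_VALIDITY_RPBL 0
#score RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001
#score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001
#score RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001
EOF
}

demo=$(mktemp)
sample_scores > "$demo"
rule_scores "$demo" RCVD_IN_VALIDITY
stale_rules "$demo" RCVD_IN_VALIDITY && echo "no RCVD_IN_VALIDITY rule scores in this file"
rm -f "$demo"
```

On a Debian host, pass the 50_scores.cf path from the grep command above in place of the sample file, and run the same check over any local .cf files that might override the channel scores. Whether updates are scheduled at all can be checked with `systemctl is-enabled spamassassin-maintenance.timer`, assuming the timer unit carries that name.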