Author: Andreas Metzler
Date:
To: exim-dev
Subject: Re: [exim-dev] Exim 4.96-RC0 released
On 2022-04-27 Jeremy Harris via Exim-dev <exim-dev@???> wrote:
> On 26/04/2022 08:28, Andrew C Aitchison via Exim-dev wrote:
>>> • Jeremy Harris via Exim-announce [2022-04-23 20:23]:
>>>> Notable removals since 4.95:
>>>> - the "allow_insecure_tainted_data" main config option and the
>>>> "taint" log_selector. These were previously deprecated.
>> That isn't a good combination. Please could we keep the option to
>> allow_insecure_tainted_data if there are new taint features ?
>> That way we can continue to run live systems while we resolve
>> these sort of problems.
> The trouble with that is that it means the coverage of tracking
> tainted data use can never be extended.
[...]
Hello,
I think it could be less problematic if configurations that already
triggered an error in 4.95 (and needed allow_insecure_tainted_data to
work) stopped working with 4.96 even if allow_insecure_tainted_data was
set.
However users need/want something equivalent to test upgrades to 4.96
for problems with the new taint checks (requirement for quoting in
query-style lookups and taint-check exec arguments for
transport-initiated external processes).
People upgrading directly from < 4.93 to 4.96 would still have to deal
with hard breakage on upgrades, but requiring a two step upgrade might be
considered a fair compromise.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'