Autor: Andreas Metzler Data: Dla: exim-dev Temat: Re: [exim-dev] Exim 4.96-RC0 released
On 2022-04-27 Jeremy Harris via Exim-dev <exim-dev@???> wrote: > On 26/04/2022 08:28, Andrew C Aitchison via Exim-dev wrote:
>>> • Jeremy Harris via Exim-announce [2022-04-23 20:23]:
>>>> Notable removals since 4.95: >>>> - the "allow_insecure_tainted_data" main config option and the
>>>> "taint" log_selector. These were previously deprecated. >> That isn't a good combination. Please could we keep the option to
>> allow_insecure_tainted_data if there are new taint features ? >> That way we can continue to run live systems while we resolve
>> these sort of problems. > The trouble with that is that it means the coverage of tracking
> tainted data use can never be extended. [...]
Hello,
I think it could be less problematic if configurations that already
triggered an error in 4.95 (and needed allow_insecure_tainted_data to
work) stopped working with 4.96 even if allow_insecure_tainted_data was
set.
However users need/want something equivalent to test upgrades to 4.96
for problems with the new taint checks (requirement for quoting in
query-style lookups and taint-check exec arguments for
transport-initiated external processes).
People upgrading directly from < 4.93 to 4.96 would still have to deal
with hard breakage on upgrades, but requirig a two step upgrade might be
considered a fair compromise.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'