1SA-UPDATE(1) User Contributed Perl Documentation SA-UPDATE(1)
2
6 sa-update - automate SpamAssassin rule updates
7
9 sa-update [options]
10 Options:
12 --channel channel Retrieve updates from this channel
14 Use multiple times for multiple channels
15 --channelfile file Retrieve updates from the channels in the file
16 --checkonly Check for update availability, do not install
17 --install filename Install updates directly from this file. Signature
18 verification will use "file.asc", "file.sha256",
19 and "file.sha512".
20 --allowplugins Allow updates to load plugin code (DANGEROUS)
21 --gpgkey key Trust the key id to sign releases
22 Use multiple times for multiple keys
23 --gpgkeyfile file Trust the key ids in the file to sign releases
24 --gpghomedir path Store the GPG keyring in this directory
25 --gpg and --nogpg Use (or do not use) GPG to verify updates
26 (--gpg is assumed by use of the above
27 --gpgkey and --gpgkeyfile options)
28 --import file Import GPG key(s) from file into sa-update's
29 keyring. Use multiple times for multiple files
30 --updatedir path Directory to place updates, defaults to the
31 SpamAssassin site rules directory
32 (default: /var/lib/spamassassin/3.004004)
33 --refreshmirrors Force the MIRRORED.BY file to be updated
34 --httputil util Force used download tool. By default first found
35 from these is used: curl, wget, fetch, lwp
36 -D, --debug [area=n,...] Print debugging messages
37 -v, --verbose Be verbose, like print updated channel names;
38 For more verbosity specify multiple times
39 -V, --version Print version
40 -h, --help Print usage message
41 -4 Force using the inet protocol (IPv4), not inet6
42 -6 Force using the inet6 protocol (IPv6), not inet
43
45 sa-update automates the process of downloading and installing new rules
46 and configuration, based on channels. The default channel is
47 updates.spamassassin.org, which has updated rules since the previous
48 release.
49 Update archives are verified using SHA256 and SHA512 hashes and GPG
51 signatures, by default.
52 Note that "sa-update" will not restart "spamd" or otherwise cause a
54 scanner to reload the now-updated ruleset automatically. Instead,
55 "sa-update" is typically used in something like the following manner:
56 sa-update && /etc/init.d/spamassassin reload
58 This works because "sa-update" only returns an exit status of 0 if it
60 has successfully downloaded and installed an updated ruleset.
61 The program sa-update uses the underlying operating system umask for
63 the updated rule files it installs. You may wish to run sa-update from
64 a script that sets the umask prior to calling sa-update. For example:
65 #!/bin/sh
67 umask 022
68 sa-update
69
71 --channel
72 sa-update can update multiple channels at the same time. By
73 default, it will only access "updates.spamassassin.org", but more
74 channels can be specified via this option. If there are multiple
75 additional channels, use the option multiple times, once per
76 channel. i.e.:
77 sa-update --channel foo.example.com --channel bar.example.com
79 --channelfile
81 Similar to the --channel option, except specify the additional
82 channels in a file instead of on the commandline. This is useful
83 when there are a lot of additional channels.
84 --checkonly
86 Only check if an update is available, don't actually download and
87 install it. The exit code will be 0 or 1 as described below.
88 --install
90 Install updates "offline", from the named tar.gz file, instead of
91 performing DNS lookups and HTTP invocations.
92 Files named file.sha256, file.sha512, and file.asc will be used for
94 the SHA256 and SHA512 hashes and the GPG signature, respectively.
95 The filename provided must contain a version number of at least 3
96 digits, which will be used as the channel's update version number.
97 Multiple --channel switches cannot be used with --install. To
99 install multiple channels from tarballs, run "sa-update" multiple
100 times with different --channel and --install switches, e.g.:
101 sa-update --channel foo.example.com --install foo-34958.tgz
103 sa-update --channel bar.example.com --install bar-938455.tgz
104 --allowplugins
106 Allow downloaded updates to activate plugins. The default is not
107 to activate plugins; any "loadplugin" or "tryplugin" lines will be
108 commented in the downloaded update rules files.
109 You should never enable this for 3rd party update channels, since
111 plugins can execute unrestricted code on your system, even possibly
112 as root! This includes spamassassin official updates, which have no
113 need to include running code.
114 Use --reallyallowplugins option to bypass warnings and make it
116 work.
117 --gpg, --nogpg
119 sa-update by default will verify update archives by use of SHA256
120 and SHA512 checksums and GPG signature. SHA* hashes can verify
121 whether or not the downloaded archive has been corrupted, but it
122 does not offer any form of security regarding whether or not the
123 downloaded archive is legitimate (aka: non-modifed by evildoers).
124 GPG verification of the archive is used to solve that problem.
125 If you wish to skip GPG verification, you can use the --nogpg
127 option to disable its use. Use of the following gpgkey-related
128 options will override --nogpg and keep GPG verification enabled.
129 Note: Currently, only GPG itself is supported (ie: not PGP). v1.2
131 has been tested, although later versions ought to work as well.
132 --gpgkey
134 sa-update has the concept of "release trusted" GPG keys. When an
135 archive is downloaded and the signature verified, sa-update
136 requires that the signature be from one of these "release trusted"
137 keys or else verification fails. This prevents third parties from
138 manipulating the files on a mirror, for instance, and signing with
139 their own key.
140 By default, sa-update trusts key ids "24F434CE" and "5244EC45",
142 which are the standard SpamAssassin release key and its sub-key.
143 Use this option to trust additional keys. See the --import option
144 for how to add keys to sa-update's keyring. For sa-update to use a
145 key it must be in sa-update's keyring and trusted.
146 For multiple keys, use the option multiple times. i.e.:
148 sa-update --gpgkey E580B363 --gpgkey 298BC7D0
150 Note: use of this option automatically enables GPG verification.
152 --gpgkeyfile
154 Similar to the --gpgkey option, except specify the additional keys
155 in a file instead of on the commandline. This is extremely useful
156 when there are a lot of additional keys that you wish to trust.
157 --gpghomedir
159 Specify a directory path to use as a storage area for the
160 "sa-update" GPG keyring. By default, this is
161 /etc/mail/spamassassin/sa-update-keys
163 --import
165 Use to import GPG key(s) from a file into the sa-update keyring
166 which is located in the directory specified by --gpghomedir.
167 Before using channels from third party sources, you should use this
168 option to import the GPG key(s) used by those channels. You must
169 still use the --gpgkey or --gpgkeyfile options above to get sa-
170 update to trust imported keys.
171 To import multiple keys, use the option multiple times. i.e.:
173 sa-update --import channel1-GPG.KEY --import channel2-GPG.KEY
175 Note: use of this option automatically enables GPG verification.
177 --refreshmirrors
179 Force the list of sa-update mirrors for each channel, stored in the
180 MIRRORED.BY file, to be updated. By default, the MIRRORED.BY file
181 will be cached for up to 7 days after each time it is downloaded.
182 --updatedir
184 By default, "sa-update" will use the system-wide rules update
185 directory:
186 /var/lib/spamassassin/3.004004
188 If the updates should be stored in another location, specify it
190 here.
191 Note that use of this option is not recommended; if you're just
193 using sa-update to download updated rulesets for a scanner, and sa-
194 update is placing updates in the wrong directory, you probably need
195 to rebuild SpamAssassin with different "Makefile.PL" arguments,
196 instead of overriding sa-update's runtime behaviour.
197 -D [area,...], --debug [area,...]
199 Produce debugging output. If no areas are listed, all debugging
200 information is printed. Diagnostic output can also be enabled for
201 each area individually; area is the area of the code to instrument.
202 For example, to produce diagnostic output on channel, gpg, and
203 http, use:
204 sa-update -D channel,gpg,http
206 For more information about which areas (also known as channels) are
208 available, please see the documentation at
209 <http://wiki.apache.org/spamassassin/DebugChannels>.
210 -h, --help
212 Print help message and exit.
213 -V, --version
215 Print sa-update version and exit.
216
218 In absence of a --checkonly option, an exit code of 0 means: an update
219 was available, and was downloaded and installed successfully. If
220 --checkonly was specified, an exit code of 0 means: an update was
221 available.
222 An exit code of 1 means no fresh updates were available.
224 An exit code of 2 means that at least one update is available but that
226 a lint check of the site pre files failed. The site pre files must
227 pass a lint check before any updates are attempted.
228 An exit code of 3 means that at least one update succeeded while other
230 channels failed. If using sa-compile, you should proceed with it.
231 An exit code of 4 or higher, indicates that errors occurred while
233 attempting to download and extract updates, and no channels were
234 updated.
235
237 Mail::SpamAssassin(3) Mail::SpamAssassin::Conf(3) spamassassin(1)
238 spamd(1) <http://wiki.apache.org/spamassassin/RuleUpdates>
239
241 "Mail::SpamAssassin"
242
244 See <http://issues.apache.org/SpamAssassin/>
245
247 The Apache SpamAssassin(tm) Project <https://spamassassin.apache.org/>
248
250 SpamAssassin is distributed under the Apache License, Version 2.0, as
251 described in the file "LICENSE" included with the distribution.
252 Copyright (C) 2015 The Apache Software Foundation
254perl v5.30.1 2020-02-03 SA-UPDATE(1)