Parametring cancel processing (Cancel-Lock vs unauthenticated cancels)

Russ Allbery eagle at eyrie.org
Sun Jan 2 21:41:53 UTC 2022


Julien ÉLIE <julien at trigofacile.com> writes:

> I like this idea.  I suggest that the default be "require-auth" (4) if
> INN was built with Cancel-Lock support, and "all" (1) otherwise.  Or
> maybe "none" (2) otherwise?  We can do that change in the upcoming major
> 2.7.0 release.

I like this idea.  I'd default to "none" otherwise (may as well be more
secure by default, and we're allowed to break some compatibility in the
2.7.0 release).

> I also suggest removing the "innd -C" flag, or rather make it a no-op,
> as the "docancels" parameter does the same thing, better.

I think it shouldn't be a no-op; it should either work to override the
config setting or we should remove it so that it will cause an error and
people will have to update their configuration.  Otherwise, I think we
risk silent and surprising behavior change.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <https://www.eyrie.org/~eagle/faqs/questions.html> explains why.


More information about the inn-workers mailing list