Discussion about Cancel-Lock support

Julien ÉLIE julien at trigofacile.com
Thu Jan 6 18:18:39 UTC 2022


Hi Russ,

> It may be worth considering getting rid of verifycancels while
> we're at it to reduce some complexity, since the check it enables is
> essentially meaningless and RFC 5537 actively recommends against this.
> Cancel-Lock support is the correct approach to achieve the same ends
> (although of course most people don't generate Cancel-Lock headers).

Having a look at innd's code to implement Cancel-Lock verification, I 
came into that verifycancels stuff.
It verifies that at least one newsgroup in the cancel message is present 
in the article to be cancelled.  Isn't it a check that should be kept?
It is not done by default.

RFC 5537 indicates that:

    To best ensure that it will be relayed to the same news servers as
    the original message, a cancel control message SHOULD have the same
    Newsgroups header field as the message it is cancelling.

So maybe the change to do is to only do the check in nnrpd (at injection 
time) and not do it when relaying?
The verifycancels option would then apply only at injection time, and 
should be enabled by default.  (Another possibility is to force it in 
nnrpd without configurable option.)



What RFC 5537 actively recommends against is that From and Sender header 
fields match, which is a check that was removed in INN 2.5.1 from innd.

Incidentally, I suggest removing that check everywehre in INN (I see 
that inews still does it).

-- 
Julien ÉLIE

« J'oubliais qu'Assurancetourix a une nouvelle corde à sa harpe ! »
   (Astérix)


More information about the inn-workers mailing list