Discussion about Cancel-Lock support

[Russ Allbery]

Julien ÉLIE <julien at trigofacile.com> writes:

> Having a look at innd's code to implement Cancel-Lock verification, I came
> into that verifycancels stuff.

> It verifies that at least one newsgroup in the cancel message is present
> in the article to be cancelled.  Isn't it a check that should be kept?
> It is not done by default.

> RFC 5537 indicates that:

>    To best ensure that it will be relayed to the same news servers as
>    the original message, a cancel control message SHOULD have the same
>    Newsgroups header field as the message it is cancelling.

> So maybe the change to do is to only do the check in nnrpd (at injection
> time) and not do it when relaying?

RFC 5537 is recommending that for agents that generate cancels, since
otherwise the cancel may not propagate to the same servers as the original
message.  The problem caused by not doing this is that the cancel doesn't
reach the right servers and thus the article isn't cancelled.

In other words, this is a client issue where, if the client doesn't follow
that advice, the cancel may not work.  It's not a security issue, and it's
not really a server issue.  Cancels issued to the wrong group don't cause
any *harm*; if they're authenticated, they're still authenticated and thus
legitimate, and if they're not authenticated, who knows.

So, basically, I wouldn't bother.  I think it would just be extra
complexity in INN to no real purpose.  The agent generating the cancel
should get this right, but I don't think nnrpd needs to try to enforce it.
(And in general it may not be possible to check anyway, since the cancel
may be issued for an article the local server doesn't have, and thus has
no idea what Newsgroups to which it was posted.)

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <https://www.eyrie.org/~eagle/faqs/questions.html> explains why.