From: Stefan Kangas
Newsgroups: gmane.emacs.bugs
Subject: bug#58472: [PATCH] Make `message-unique-id' less prone to collisions
Date: Mon, 17 Oct 2022 15:40:55 +0000
To: Lars Ingebrigtsen
Cc: matt@rfc20.org, Eli Zaretskii, Paul Eggert, 58472@debbugs.gnu.org

Lars Ingebrigtsen writes:

> Stefan Kangas writes:
>
>> It still has the privacy issues I've indicated.  Leaking the euid for no
>> good reason leaves you vulnerable to fingerprinting (or even attack, in
>> the worst case scenario).
>
> I don't think the privacy issues here are compelling.

Do you find it problematic that it's very easy for us to have collisions?

We will have a 1 in 625 chance for a _partial_ Message-ID collision every time two users:

1. send an email the same second, and

2. have the same euid (e.g. 1000 on Ubuntu, or 501 or whatever it is on macOS, etc.).

Just try this:

    (require 'cl-lib)
    (require 'message)

    (let ((tim (time-convert nil 'integer))
          (i 0)
          ids)
      (while t
        (cl-incf i)
        ;; Freeze the clock so every ID is generated in the "same second".
        ;; `cl-letf' rebinds the global function cell, so any call to
        ;; `time-convert' made inside `message-unique-id' sees the stub
        ;; (a lexical `cl-flet' binding would not reach it).
        (cl-letf (((symbol-function 'time-convert) (lambda (&rest _) tim)))
          (let ((id (message-unique-id)))
            (if (member id ids)
                (error "oops after %d tries" i)
              (push id ids))))))

We will have a _full_ Message-ID collision if they also:

3. have the same host (e.g. it's misconfigured [a not insignificant number of desktops, mind you, so it says "tickle-me" or whatever non-hilarious thing we use now], or they are on the same big domain like eecs.mit.edu).

Is that really "good enough"?  We could do drastically better here, with very small means, so I'm not sure why we wouldn't.

> No, matching on References/In-reply-to is the only way to get at that
> functionality.

I still don't know which functionality that is.  Getting an In-reply-to for your highly unique euid 1000?  What's wrong with just checking if your email address is in To/Cc?

If this use-case is important, wouldn't it be much better to use a defcustom that you could at least set yourself to something somewhat unique to you?  We could just set it to 1000 or whatever by default (so we're not worse off than today, but also not leaking information by default), and then users could set that to whatever they like (even to their euid).
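
Added example, not part of the message above and not code from Emacs: a birthday-bound calculation for the loop in the message, showing how quickly a repeat is expected when the second and the euid are the same. It assumes the only remaining varying part of the ID is one uniform draw from 625 values (the "1 in 625" quoted in the message); all `demo-` names are hypothetical.

```emacs-lisp
;;; Added illustration; assumption: one uniform draw from N = 625 values
;;; is the only part of the ID that differs within the same second/euid.
(require 'cl-lib)

(defun demo-p-all-distinct (k n)
  "Probability that K uniform draws from N values are all distinct."
  (let ((p 1.0))
    (dotimes (i k p)
      (setq p (* p (max 0.0 (- 1.0 (/ (float i) n))))))))

(defun demo-expected-tries (n)
  "Expected number of draws from N values until the first repeat."
  ;; E[T] = sum over k >= 0 of P(the first k draws are all distinct).
  (let ((sum 0.0))
    (dotimes (k (1+ n) sum)
      (setq sum (+ sum (demo-p-all-distinct k n))))))

(defun demo-simulate-tries (n)
  "Draw uniformly from N values until one repeats; return the draw count.
This mirrors the \"oops after %d tries\" counter in the loop above."
  (let ((seen (make-bool-vector n nil))
        (tries 0)
        done)
    (while (not done)
      (cl-incf tries)
      (let ((v (random n)))
        (if (aref seen v)
            (setq done t)
          (aset seen v t))))
    tries))

(defun demo-report (&optional n)
  "Return a plist summarising collision odds for N (default 625) values."
  (let ((n (or n 625)))
    (list :pairwise (/ 1.0 n)
          :p-collision-10 (- 1.0 (demo-p-all-distinct 10 n))
          :p-collision-30 (- 1.0 (demo-p-all-distinct 30 n))
          :expected-tries (demo-expected-tries n)
          :one-simulated-run (demo-simulate-tries n))))
```

Evaluating `(demo-report)` gives the pairwise odds next to the odds for 10 and 30 messages sharing a second and euid, which is the quantity that matters on a busy host or a shared domain.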