From: Brian Sniffen
To: Daniel Kahn Gillmor
Cc: David Bremner, notmuch@freelists.org, notmuch@notmuchmail.org
Subject: Re: [PATCH] emacs: change default for notmuch-crypto-process-mime to t
Date: Mon, 10 Jul 2017 20:48:40 -0400
Message-Id: <6987A5E2-E397-4020-A6B8-7D57BD49B225@evenmere.org>
In-Reply-To: <8760f010si.fsf@fifthhorseman.net>
References: <20170709104614.24642-1-david@tethera.net> <8760f010si.fsf@fifthhorseman.net>

Gpg is exposed to some zip bomb problems last I looked.
But the worst that could do is fill your disk or crash your Emacs, right? And I suspect the MIME library exposes similar issues in quantity.

-- 
Brian Sniffen

> On Jul 10, 2017, at 4:42 PM, Daniel Kahn Gillmor wrote:
>
>> On Sun 2017-07-09 07:46:14 -0300, David Bremner wrote:
>> There are some cases like remote usage where this might cause
>> problems, but those users can easily customize the variable. The
>> inconvenience seems to be outweighed by the security benefit for most
>> users.
>
> lgtm. i'm not sure that this change is technically a "security
> benefit", though, it looks more like a "usability benefit", since the
> main use of process-crypto is likely to be decrypting messages.
>
> for signature verification, there's some small security benefit, but
> since it's mainly exposure of interesting information to the user (as
> opposed to blocking users from doing unsafe things) it's still probably
> more on the usability side than security.
>
> still, i think it's a good change. If it uncovers performance problems
> on use cases that normal people care about, hopefully we can get
> examples of those use cases and get the performance problems fixed
> (rather than just encouraging those users to set the flag to nil).
>
> --dkg