[PATCH] emacs: change default for notmuch-crypto-process-mime to t
Brian Sniffen
bts at evenmere.org
Mon Jul 10 17:48:40 PDT 2017
Gpg is exposed to some zip bomb problems last I looked. But the worst that could do is fill your disk or crash your Emacs, right? And I suspect the MIME library exposes similar issues in quantity.
--
Brian Sniffen
> On Jul 10, 2017, at 4:42 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>
>> On Sun 2017-07-09 07:46:14 -0300, David Bremner wrote:
>> There are some cases like remote usage where this might cause
>> problems, but those users can easily customize the variable. The
>> inconvenience seems to be outweighed by the security benefit for most
>> users.
>
> lgtm. i'm not sure that this change is technically a "security
> benefit", though, it looks more like a "usability benefit", since the
> main use of process-crypto is likely to be decrypting messages.
>
> for signature verification, there's some small security benefit, but
> since it's mainly exposure of interesting information to the user (as
> opposed to blocking users from doing unsafe things) it's still probably
> more on the usability side than security.
>
> still, i think it's a good change. If it uncovers performance problems
> on use cases that normal people care about, hopefully we can get
> examples of those use cases and get the performance problems fixed
> (rather than just encouraging those users to set the flag to nil).
>
> --dkg
> _______________________________________________
> notmuch mailing list
> notmuch at notmuchmail.org
> https://notmuchmail.org/mailman/listinfo/notmuch
More information about the notmuch
mailing list