[PATCH] emacs: change default for notmuch-crypto-process-mime to t

Brian Sniffen bts at evenmere.org
Mon Jul 10 17:48:40 PDT 2017


GPG is exposed to some zip bomb problems, last I looked. But the worst that could do is fill your disk or crash your Emacs, right? And I suspect the MIME library exposes similar issues in quantity.

-- 
Brian Sniffen

> On Jul 10, 2017, at 4:42 PM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> 
>> On Sun 2017-07-09 07:46:14 -0300, David Bremner wrote:
>> There are some cases like remote usage where this might cause
>> problems, but those users can easily customize the variable. The
>> inconvenience seems to be outweighed by the security benefit for most
>> users.
> 
> lgtm.  i'm not sure that this change is technically a "security
> benefit", though, it looks more like a "usability benefit", since the
> main use of process-crypto is likely to be decrypting messages.
> 
> for signature verification, there's some small security benefit, but
> since it's mainly exposure of interesting information to the user (as
> opposed to blocking users from doing unsafe things) it's still probably
> more on the usability side than security.
> 
> still, i think it's a good change.  If it uncovers performance problems
> on use cases that normal people care about, hopefully we can get
> examples of those use cases and get the performance problems fixed
> (rather than just encouraging those users to set the flag to nil).
> 
>     --dkg


