On 09/12/2013 03:11 AM, Stephen J. Turnbull wrote: > So you're proposing this, I guess: > > multipart/signed > multipart/mixed > text/whatever # optional mailman header > multipart/signed > text/whatever # original signed content > application/signature > text/whatever # optional mailman footer > application/signature
yes, that's exactly what i was proposing. Abhilash, can your code
produce messages like this?
> But the question is not whether Mailman can do that; it's trivial to
> produce it by moving the signing handler later in the pipeline.
Great! That's well-structured data, that should be able to be
legitimately rendered by any OpenPGP-compliant MUA, even ones that can
only provide validation information for messages as a whole.
If Mailman did this regularly instead of creating the common anti-pattern:
multipart/mixed
text/whatever # optional mailman header
multipart/signed
text/whatever # original signed content
application/signature
text/whatever # optional mailman footer
then those MUAs like icedove that currently do the wrong thing might be
less likely to try to do it anyway.
Note that Icedove/Thunderbird refuse to show any validation information
for S/MIME-signed messages that are forwarded through mailman with
headers or footers attached like the above structure.
> I don't believe my eyes. The MUA is passing off invalid data as
> valid, and you're saying Mailman should cater to that MUA? The sooner
> users realize such MUAs are broken by design, the better! Better they
> should bitch about Mailman (at least on Mailman channels, where we can
> explain to them what the real problem is).
that's decidedly not what i'm saying. I'm just pointing out that
mailman commonly produces what you've called "invalid data", and that
its common production of that "invalid data" is precisely what this
MUA's author cites as something he wants to be able to validate instead
of hiding the main message contents' openpgp signature entirely. [0]
I'm not saying the enigmail folks are doing the right thing here --
there's more than enough bugs and blame to go around here, if we want to
get testy :P (including the fact that thunderbird's UI makes a total
botch of display of MIME parts themselves, which makes it difficult to
attach any verification UI element to anything but the message as a whole).
But producing messages is what mailman does, so maybe we fix the
message-producing mailman wackiness on the mailman list and save fixing
the enigmail message-displaying wackiness for the enigmail list :)
Regards,
--dkg
[0]
http://thread.gmane.org/gmane.comp.mozilla.enigmail.general/17707/focus=17861
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Mailman-Developers mailing list Mailman-Developers@python.org https://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
