>In case my point was missed:  the Attach: header was not scrubbed out.

So, I've been thinking about this more this evening, and I think I've
put my finger on the roots of my opinion.

I can boil it down to this: these headers may leak out, if there are bugs
or unusual behavior.  But I have realized ... I don't care.

I realize that sounds harsh, but I am trying to understand why leaking
those headers would be harmful.  I mean, yeah, it's not something we
should do, but AFAICT if any random header is leaked to the world, as
long as it is formatted correctly then I fail to see the harm to anything.
So this colors my thinking in this way: I understand the concerns people
have about traceability, but since in my mind the harm is zero, usability
concerns and aesthetics have a much higher weight.  And I think, in all
honesty, almost zero people would care one bit; the vast majority of
MUAs filter out unknown headers.

Now please understand, I am not completely convinced I am RIGHT.  I am
just sounding out my current thinking.  I welcome discussion here.

Thinking about it more, we already leak some "internal" headers out.
For example, _if_ you use annotations, your emails, and you dist a message
you have replied to or forwarded, those annotation headers will "leak".
Is that harmful?  I would argue no; things have been that way for more
than a few decades.  I mean, it might be harmful for YOU in terms of
privacy, but those headers don't seem to cause any harm.

>"X-" headers are deprecated by RFC 6648.  We could add, say, a Mailer

I'd be fine with that, or it seems like User-Agent is preferred nowadays.

A Marmite-less Ralph says:

>Here's that colon-prefix idea again.  Any header without has to be in
>nmh's domain.  `To' is, even if the out-going email happens to have one
>of the same name;  nmh gets in there for the aliases, encoding, etc.
>The issue tracker wants an Attach header if I'm trying to attach a file
>to an existing issue.  By using the colon prefix I'm stating it's a raw
>mail header outside of nmh's purview and it's automatically got its own
>namespace distinct from nmh's prefix-less one.

I can understand the issue that you might want to create an Attach: header
to send out.  But ... I have to ask.  Is that ACTUALLY something people
need to do?  Yes, I undertand that the namespace collision might in theory
be a problem with real headers people want to generate.  But, a large
proportion of MUAs simply don't let you add arbitrary headers to your
message; I doubt someone would create a software package that required
you to interact with it via arbitrary email headers.

Also, I do have an issue with the : prefix headers; right now everything
we generate is actually valid according to RFC 5322 syntax.  If we
are concerned about stuff leaking because of bugs or user mistakes,
we shouldn't ever have users or programs generate non-RFC 5322 format
headers in the draft, because that could be harmful.


Nmh-workers mailing list

Reply via email to