On Sat, 05 Dec 2009 09:51:58 +0100, Marten Veldthuis <marten at veldthuis.com> wrote:
> On Fri, 04 Dec 2009 16:39:50 -0800, Carl Worth <cworth at cworth.org> wrote:
> > But when viewing an actual message, I'm still planning on having notmuch
> > just return an arbitrary filename from the list of filenames associated
> > with that message. Does anyone see any problem with that? Can you think
> > of a case where you'd really care about seeing one or the other of
> > a particular duplicated message?
> 
> As long as it's deterministic. But if you don't display the first
> filename received, couldn't you exploit this by spoofing message ids?

What it currently does is use the filename of the first file that
notmuch encounters. That's different than "first received", but either
way, there's still a race condition here for active spoofing attempts.

And, yes, actual intentional collisions of message IDs is something I
hadn't given thought to yet. So thanks for bringing that up. It's
definitely a case where you'd want to know and see the difference.

So maybe what we really want to do is to display some full-context diff
of the message by default, and have notmuch learn about differences the
user isn't interested in seeing, (such as mailing-list footers or so).

That sounds workable and should make any spoofing attempt obvious to the
user.

-Carl
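
As an added example (not part of this message and not notmuch's own code), the sketch below shows the check discussed above: group files by Message-ID, compare each later copy against the first file encountered, ignore a known mailing-list footer, and report a full-context diff for copies that still differ. The footer marker, file names, addresses and Message-ID are constructed assumptions, and only single-part text messages are handled.

```python
import difflib
from collections import defaultdict
from email import message_from_string

# Assumption: list footers start at a Mailman-style separator line. A real tool
# would let the user extend this tuple ("learning" uninteresting differences).
FOOTER_STARTS = ("_______________________________________________",)

def comparable_lines(msg):
    """From header plus body lines, with any known list footer cut off."""
    body = msg.get_payload().splitlines()  # assumes a single-part text message
    for i, line in enumerate(body):
        if line.startswith(FOOTER_STARTS):
            body = body[:i]
            break
    while body and not body[-1].strip():   # drop blank lines left before the footer
        body.pop()
    return ["From: " + msg.get("From", "")] + body

def differing_duplicates(files):
    """Map Message-ID -> [(first_file, other_file, diff_lines)] for differing copies."""
    by_id = defaultdict(list)
    for name, raw in files.items():        # dict order stands in for encounter order
        msg = message_from_string(raw)
        by_id[msg.get("Message-ID", "").strip()].append((name, comparable_lines(msg)))
    report = {}
    for mid, copies in by_id.items():
        first_name, first = copies[0]
        for name, lines in copies[1:]:
            if lines != first:             # n=len(first) gives a full-context diff
                diff = list(difflib.unified_diff(first, lines, first_name, name,
                                                 n=len(first), lineterm=""))
                report.setdefault(mid, []).append((first_name, name, diff))
    return report

# Constructed sample files (placeholder address, Message-ID and paths).
HEAD = "From: alice@example.org\nMessage-ID: <constructed-1@example.org>\nSubject: release\n\n"
BODY = "Tarball checksum is in the signed tag.\n"
SAMPLE = {
    "cur/direct": HEAD + BODY,
    "cur/via-list": HEAD + BODY + "\n" + FOOTER_STARTS[0] + "\nexample mailing list\n",
    "cur/other": HEAD + "Tarball checksum is at the link below.\n",
}

if __name__ == "__main__":
    for mid, hits in differing_duplicates(SAMPLE).items():
        for first_name, name, diff in hits:
            print(mid, "differs:", first_name, "vs", name)
            print("\n".join(diff))
```

The list copy with only a footer appended is treated as identical, while the copy whose body differs under the same Message-ID is reported with its diff against the first file seen.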
