[PATCH v3 10/15] cli/new, insert, reindex: change index.decrypt to "auto" by default

The new "auto" decryption policy is not only good for "notmuch show" and "notmuch reindex". It's also useful for indexing messages -- there's no good reason to not try to go ahead and index the cleartext of a message that we have a stashed session key for. This change updates the defaults and

[PATCH v3 08/15] cli/new, insert, reindex: update documentation for --decrypt=auto

we also include --decrypt=auto in the tab completion. --- completion/notmuch-completion.bash | 6 +++--- doc/man1/notmuch-insert.rst| 16 ++-- doc/man1/notmuch-new.rst | 10 +++--- doc/man1/notmuch-reindex.rst | 23 ++- 4 files changed,

[PATCH v3 14/15] docs: clean up documentation about decryption policies

Now that the range of sensible decryption policies has come into full view, we take a bit of space to document the distinctions. Most people will use either "auto" or "true" -- but we provide "false" and "nostash" to handle use cases that might reasonably be requested. Note also that these can

[PATCH v3 15/15] python: add decrypt_policy argument to Database.index_file()

We adopt a pythonic idiom here with an optional argument, rather than exposing the user to the C indexopts object directly. --- bindings/python/notmuch/database.py | 45 +++-- bindings/python/notmuch/globals.py | 5 + 2 files changed, 48 insertions(+), 2

[PATCH v3 06/15] cli/show: use decryption policy "auto" by default.

When showing a message, if the user doesn't specify --decrypt= at all, but a stashed session key is known to notmuch, notmuch should just go ahead and try to decrypt the message with the session key (without bothering the user for access to their asymmetric secret key). The user can disable this

[PATCH v3 04/15] crypto: new decryption policy "auto"

This new automatic decryption policy should make it possible to decrypt messages that we have stashed session keys for, without incurring a call to the user's asymmetric keys. --- doc/man1/notmuch-config.rst | 11 --- lib/index.cc | 3 ++- lib/indexopts.c

session keys followup, version 3

The first part of the session-keys series has already landed -- thanks to everyone who reviewed it and shepherded it on its way! This is a respin of the remaining patches in the series, introducing very minor changes from the previous series: typo corrections, and a fix to the test suite to mark

[PATCH v3 03/15] lib: convert notmuch decryption policy to an enum

Future patches in this series will introduce new policies; this merely readies the way for them. We also convert --try-decrypt to a keyword argument instead of a boolean. --- lib/index.cc | 2 +- lib/indexopts.c | 21 +++-- lib/notmuch.h

[PATCH v3 11/15] cli/reindex: destroy stashed session keys when --decrypt=false

There are some situations where the user wants to get rid of the cleartext index of a message. For example, if they're indexing encrypted messages normally, but suddenly they run across a message that they really don't want any trace of in their index. In that case, the natural thing to do is:

[PATCH v3 07/15] cli/show, reply: document use of stashed session keys in notmuch-properties

The stashed session keys are stored internally as notmuch properties. So a user or developer who is reading about those properties might want to understand how they fit into the bigger picture. Note here that decrypting with a stored session key no longer needs -decrypt for "notmuch show" and

[PATCH v3 02/15] indexopts: change _try_decrypt to _decrypt_policy

This terminology makes it clearer what's going on at the API layer, and paves the way for future changesets that offer more nuanced decryption policy. --- lib/index.cc | 2 +- lib/indexopts.c | 10 +- lib/notmuch.h| 8 notmuch-client.h | 4 ++-- notmuch.c| 12

[PATCH v3 09/15] crypto: record whether an actual decryption attempt happened

In our consolidation of _notmuch_crypto_decrypt, the callers lost track a little bit of whether any actual decryption was attempted. Now that we have the more-subtle "auto" policy, it's possible that _notmuch_crypto_decrypt could be called without having any actual decryption take place. This

[PATCH v3 13/15] crypto: add --decrypt=nostash to avoid stashing session keys

Here's the configuration choice for people who want a cleartext index, but don't want stashed session keys. Interestingly, this "nostash" decryption policy is actually the same policy that should be used by "notmuch show" and "notmuch reply", since they never modify the index or database when

[PATCH v3 05/15] cli/reply: use decryption policy "auto" by default.

If the user doesn't specify --decrypt= at all, but a stashed session key is known to notmuch, when replying to an encrypted message, notmuch should just go ahead and decrypt. The user can disable this at the command line with --decrypt=false, though it's not clear why they would ever want to do

[PATCH v3 01/15] indexing: Change from try_decrypt to decrypt

the command-line interface for indexing (reindex, new, insert) used --try-decrypt; and the configuration records used index.try_decrypt. But by comparison with "show" and "reply", there doesn't seem to be any reason for the "try" prefix. This changeset adjusts the command-line interface and the

Re: [PATCH 5/5] debian/control: put elpa-notmuch in Section: lisp.

On Thu 2017-11-30 04:40:43 -0500, Daniel Kahn Gillmor wrote: > This makes lintian stop complaining about: > > W: elpa-notmuch: wrong-section-according-to-package-name elpa-notmuch => lisp I'm withdrawing this patch for consideration. I'm convinced by bremner's argument in https://bug

Re: web interface to notmuch

Hi Brian-- On Wed 2017-12-06 10:00:19 -0500, Brian Sniffen wrote: > Okay, https://github.com/briansniffen/notmuch/tree/nmweb is now rebased > onto the notmuchmail.org head as of this morning. All of the changes > are under contrib/notmuch-web. thanks for doing this! traditionally, we've

be more honest about test suite failures due to old libraries

We have several places where tests are skipped or marked as though some test suite prereqs are missing, but in fact are due to building against older versions of libraries that don't support certain features. This series tries to be more honest about some of those tests by marking them as broken,

[PATCH 2/3] test: named query tests are broken when missing Xapian FieldProcessor

Named queries don't work without Xapian FieldProcessor. Rather than silently skipping them, we should explictly mark them as broken when building against an older version of Xapian. --- test/T600-named-queries.sh | 33 - 1 file changed, 20 insertions(+), 13

[PATCH 3/3] test: retrying lock tests are broken when built against older Xapian

If we're building against a version of Xapian that doesn't offer retrying the lock, we should be honest and describe the tests as broken, rather than marking them as missing a test prerequisite. missing test prerequisites should be for specific components of the test harness that are missing, not

[PATCH 1/3] test: searching by absolute date is broken without Xapian FieldProcessor

Previously, the test suite had simply silently skipped the absolute date test if we're using an archaic version of Xapian. For correctness, we should instead mark the test as broken. This also changes from string to numeric comparison when checking NOMTUCH_HAVE_XAPIAN_FIELD_PROCESSOR for

Re: [PATCH v2 06/21] crypto: Test restore of cleartext index from stashed session keys

On Mon 2017-12-04 21:59:18 -0400, David Bremner wrote: > Pushed patches 1 to 6. I seem to recall 7 and 8 basically adressed > concerns/suggestions Jamie had, so I'm hoping he can have a quick look > at those. to be fair, i thought Jamie's concerns were correct -- the normalized interface is

[PATCH v2] debian/control: build-depend on python3-sphinx instead of python-sphinx

python2 is going to be deprecated, and python3-sphinx is available all the way back to oldoldstable. let's use the more modern version. To make this work and still ship the manpages, tell ./configure to prefer python3 over python, if it exists. --- configure | 2 +- debian/control | 2 +-

Re: [PATCH] test: session keys are known broken without session key support

On Tue 2017-12-05 13:40:27 -0500, Daniel Kahn Gillmor wrote: > If the version of GMime we're building against doesn't support session > key extraction or re-use, mark the tests that rely on session key > capabilities as known-broken. > > This should resolve test suite failures o

[PATCH] test: session keys are known broken without session key support

@@ -183,6 +183,9 @@ EOF notmuch reindex --try-decrypt id:simple-encryp...@crypto.notmuchmail.org output=$(notmuch search sekrit) expected='thread:0001 2016-12-22 [1/1] Daniel Kahn Gillmor; encrypted message (encrypted inbox unread)' +if [ $NOTMUCH_HAVE_GMIME_SESSION_KEYS -eq 0

Re: [PATCH 4/5] debian: bump Standards-Version to 4.1.1

On Mon 2017-12-04 21:30:00 -0400, David Bremner wrote: > Daniel Kahn Gillmor <d...@fifthhorseman.net> writes: > >> No minor changes were necessary to become compliant with Debian policy >> version 4.1.1, so this is basically a freebie. > > pushed 2,3,4. Waiting for

Re: [PATCH] cli/help: give a hint about notmuch-emacs-mua

On Mon 2017-12-04 10:44:40 -0500, Daniel Kahn Gillmor wrote: > But maybe you'll find my revised version > (id:20171204154333.27505-1-...@fifthhorseman.net) mitigates the error > you're pointing out? sorry, that should be id:20171204184310.17125-1-...@fifthhorseman.net -- the previous m

[PATCH v2] cli/help: give a hint about notmuch-emacs-mua

"notmuch help" doesn't mention "notmuch-emacs-mua" even though we support it through the try_external_command() mechanism. In addition, "notmuch help emacs-mua" doesn't work, even though we ship the appropriate manpage. This changeset fixes both of these problems. --- configure | 1 + notmuch.c

Re: [PATCH] cli/help: give a hint about notmuch-emacs-mua

On Sun 2017-12-03 15:26:32 +0200, Tomi Ollila wrote: > My thought was that even though user may compile notmuch without emacs > support (and notmuch-emacs-mua not installed) we would be hinting > `notmuch emacs-mua` command to exist. Currently, if the user *does* compile with emacs support, and

Re: [PATCH 1/5] debian/control: build-depend on python3-sphinx instead of python-sphinx

On Sun 2017-12-03 15:35:04 +0200, Tomi Ollila wrote: > On Thu, Nov 30 2017, Daniel Kahn Gillmor wrote: > >> On Thu 2017-11-30 04:40:39 -0500, Daniel Kahn Gillmor wrote: >>> python2 is going to be deprecated, and python3-sphinx is available all >>> the way back to old

Re: [PATCH 15/18] crypto: actually stash session keys when try-decrypt=true

On Thu 2017-11-16 08:53:14 -0400, David Bremner wrote: > I'd be happier if we didn't further entrench the text format in the test > suite. How hard would it be to use json output (+maybe python?) here? json output seems clunkier to me, and i don't think it's necessary for the purposes of these

Re: [PATCH 18/18] python: add try_decrypt argument to Database.index_file()

On Thu 2017-11-16 09:06:09 -0400, David Bremner wrote: > I think this new bindings functionality needs a test. agreed, the python bindings do need to be added to the test suite (this is also true in the newer version of the series). I'm happy to add those tests as a condition of getting the

Re: [PATCH v2 21/21] python: add decrypt_policy argument to Database.index_file()

On Thu 2017-11-30 03:59:46 -0500, Daniel Kahn Gillmor wrote: > @@ -454,10 +487,19 @@ class Database(object): >:attr:`STATUS`.READ_ONLY_DATABASE >Database was opened in read-only mode so no message can >

Re: [PATCH v2 04/21] crypto: use stashed session-key properties for decryption, if available

On Thu 2017-11-30 03:59:29 -0500, Daniel Kahn Gillmor wrote: > +hexidecimal representation of the algorithm-specific key. For ugh, this should be hexadecimal, not hexidecimal. This is fixed in my gitlab session-keys branch [0], but doesn't seem worth re-posting the entire ser

Re: [PATCH] python: add bindings for notmuch_message_get_propert(y/ies)

On Thu 2017-11-30 09:44:19 -0400, David Bremner wrote: > Floris Bruynooghe writes: > >> This also has the binary question problem, is this returned as bytes or >> as str? Current Python bindings seem to go for .decode('utf-8', >> errors='ignore') afaik which is somewhat lossy. >>

Re: [PATCH] cli/help: give a hint about notmuch-emacs-mua

On Thu 2017-11-30 11:08:05 +0200, Tomi Ollila wrote: > On Thu, Nov 30 2017, Daniel Kahn Gillmor wrote: > >> On Thu 2017-10-26 18:27:51 -0400, Daniel Kahn Gillmor wrote: >>> "notmuch help" doesn't mention "notmuch-emacs-mua" even though we >>> suppo

Re: [PATCH 1/5] debian/control: build-depend on python3-sphinx instead of python-sphinx

On Thu 2017-11-30 04:40:39 -0500, Daniel Kahn Gillmor wrote: > python2 is going to be deprecated, and python3-sphinx is available all > the way back to oldoldstable. let's use the more modern version. > --- > debian/control | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-)

Re: debian packaging cleanup

On Thu 2017-11-30 08:01:18 -0400, David Bremner wrote: > Daniel Kahn Gillmor <d...@fifthhorseman.net> writes: > >> The following patch series should be fairly unobjectionable cleanup of >> the debian packaging for notmuch. >> >> Let me know if y

[PATCH 1/5] debian/control: build-depend on python3-sphinx instead of python-sphinx

python2 is going to be deprecated, and python3-sphinx is available all the way back to oldoldstable. let's use the more modern version. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 20b8a2db..3a624fdc 100644 ---

[PATCH 4/5] debian: bump Standards-Version to 4.1.1

No minor changes were necessary to become compliant with Debian policy version 4.1.1, so this is basically a freebie. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index bb88b0f7..51129886 100644 --- a/debian/control +++

[PATCH 5/5] debian/control: put elpa-notmuch in Section: lisp.

This makes lintian stop complaining about: W: elpa-notmuch: wrong-section-according-to-package-name elpa-notmuch => lisp --- debian/control | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/control b/debian/control index 51129886..cff610cf 100644 --- a/debian/control +++

[PATCH 2/5] debian/changelog: remove trailing whitespace

--- debian/changelog | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/debian/changelog b/debian/changelog index 67282a07..decef1e9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -836,7 +836,7 @@ notmuch (0.9~rc2-1) experimental; urgency=low - New

debian packaging cleanup

The following patch series should be fairly unobjectionable cleanup of the debian packaging for notmuch. Let me know if you think there are problems with any of it. --dkg ___ notmuch mailing list notmuch@notmuchmail.org

[PATCH 3/5] debian/control: Priority: extra is deprecated

Move transitional package to to "oldlibs/optional" This resolves two lintian warnings: W: notmuch-emacs: transitional-package-should-be-oldlibs-optional oldlibs/extra W: notmuch-emacs: priority-extra-is-replaced-by-priority-optional --- debian/control | 1 - 1 file changed, 1 deletion(-) diff

[PATCH v2 01/21] mime-node: handle decrypt_result more safely

If (for whatever reason) we don't get a decrypt_result back, or it's not structured the way we expect it to be, we shouldn't choke on it. --- mime-node.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/mime-node.c b/mime-node.c index e1aca969..7c8b2602 100644

[PATCH v2 02/21] crypto: add _notmuch_crypto_decrypt wrapper function

We will use this centralized function to consolidate the awkward behavior around different gmime versions. It's only invoked from two places: mime-node.c's node_decrypt_and_verify() and lib/index.cc's _index_encrypted_mime_part(). However, those two places have some markedly distinct logic, so

[PATCH v2 03/21] configure: session key handling in gmime maps to built_with("session_key")

This flag should make it easier to write the code for session-key handling. Note that this only works for GMime 2.6.21 and later (the session key interface wasn't available before then). It should be fine to build the rest of notmuch if this functionality isn't available. Note that this also

[PATCH v2 16/21] cli/new, insert, reindex: change index.decrypt to "auto" by default

The new "auto" decryption policy is not only good for "notmuch show" and "notmuch reindex". It's also useful for indexing messages -- there's no good reason to not try to go ahead and index the cleartext of a message that we have a stashed session key for. This change updates the defaults and

[PATCH v2 08/21] indexopts: change _try_decrypt to _decrypt_policy

This terminology makes it clearer what's going on at the API layer, and paves the way for future changesets that offer more nuanced decryption policy. --- lib/index.cc | 2 +- lib/indexopts.c | 10 +- lib/notmuch.h| 8 notmuch-client.h | 4 ++-- notmuch.c| 12

[PATCH v2 20/21] docs: clean up documentation about decryption policies

Now that the range of sensible decryption policies has come into full view, we take a bit of space to document the distinctions. Most people will use either "auto" or "true" -- but we provide "false" and "nostash" to handle use cases that might reasonably be requested. Note also that these can

[PATCH v2 11/21] cli/reply: use decryption policy "auto" by default.

If the user doesn't specify --decrypt= at all, but a stashed session key is known to notmuch, when replying to an encrypted message, notmuch should just go ahead and decrypt. The user can disable this at the command line with --decrypt=false, though it's not clear why they would ever want to do

[PATCH v2 12/21] cli/show: use decryption policy "auto" by default.

When showing a message, if the user doesn't specify --decrypt= at all, but a stashed session key is known to notmuch, notmuch should just go ahead and try to decrypt the message with the session key (without bothering the user for access to their asymmetric secret key). The user can disable this

[PATCH v2 10/21] crypto: new decryption policy "auto"

This new automatic decryption policy should make it possible to decrypt messages that we have stashed session keys for, without incurring a call to the user's asymmetric keys. --- doc/man1/notmuch-config.rst | 11 --- lib/index.cc | 3 ++- lib/indexopts.c

[PATCH v2 09/21] lib: convert notmuch decryption policy to an enum

Future patches in this series will introduce new policies; this merely readies the way for them. We also convert --try-decrypt to a keyword argument instead of a boolean. --- lib/index.cc | 2 +- lib/indexopts.c | 21 +++-- lib/notmuch.h

[PATCH v2 14/21] cli/new, insert, reindex: update documentation for --decrypt=auto

we also include --decrypt=auto in the tab completion. --- completion/notmuch-completion.bash | 6 +++--- doc/man1/notmuch-insert.rst| 16 ++-- doc/man1/notmuch-new.rst | 10 +++--- doc/man1/notmuch-reindex.rst | 23 ++- 4 files changed,

[PATCH v2 15/21] crypto: record whether an actual decryption attempt happened

In our consolidation of _notmuch_crypto_decrypt, the callers lost track a little bit of whether any actual decryption was attempted. Now that we have the more-subtle "auto" policy, it's possible that _notmuch_crypto_decrypt could be called without having any actual decryption take place. This

[PATCH v2 19/21] crypto: add --decrypt=nostash to avoid stashing session keys

Here's the configuration choice for people who want a cleartext index, but don't want stashed session keys. Interestingly, this "nostash" decryption policy is actually the same policy that should be used by "notmuch show" and "notmuch reply", since they never modify the index or database when

session keys, version 2

This is the second revision of the session keys series. the earlier version of this series can be found following id:20171025065203.24403-1-...@fifthhorseman.net. This version addresses the ideas and critiques raised on list about the first version. In particular: * ./configure now detects

[PATCH v2 13/21] cli/show, reply: document use of stashed session keys in notmuch-properties

The stashed session keys are stored internally as notmuch properties. So a user or developer who is reading about those properties might want to understand how they fit into the bigger picture. Note here that decrypting with a stored session key no longer needs -decrypt for "notmuch show" and

[PATCH v2 18/21] crypto: actually stash session keys when decrypt=true

If you're going to store the cleartext index of an encrypted message, in most situations you might just as well store the session key. Doing this storage has efficiency and recoverability advantages. Combined with a schedule of regular OpenPGP subkey rotation and destruction, this can also offer

[PATCH v2 07/21] indexing: Change from try_decrypt to decrypt

the command-line interface for indexing (reindex, new, insert) used --try-decrypt; and the configuration records used index.try_decrypt. But by comparison with "show" and "reply", there doesn't seem to be any reason for the "try" prefix. This changeset adjusts the command-line interface and the

[PATCH v2 04/21] crypto: use stashed session-key properties for decryption, if available

When doing any decryption, if the notmuch database knows of any session keys associated with the message in question, try them before defaulting to using default symmetric crypto. This changeset does the primary work in _notmuch_crypto_decrypt, which grows some new parameters to handle it. The

[PATCH v2 05/21] test/corpora: add an encrypted message for index decryption tests

! diff --git a/test/corpora/crypto/simple-encrypted b/test/corpora/crypto/simple-encrypted new file mode 100644 index ..6869972d --- /dev/null +++ b/test/corpora/crypto/simple-encrypted @@ -0,0 +1,36 @@ +From: Daniel Kahn Gillmor <d...@fifthhorseman.net> +To: d...@fifthhorseman.net +S

[PATCH v2 21/21] python: add decrypt_policy argument to Database.index_file()

We adopt a pythonic idiom here with an optional argument, rather than exposing the user to the C indexopts object directly. --- bindings/python/notmuch/database.py | 46 +++-- bindings/python/notmuch/globals.py | 5 2 files changed, 49 insertions(+), 2

[PATCH v2 06/21] crypto: Test restore of cleartext index from stashed session keys

If you've got a notmuch dump that includes stashed session keys for every decrypted message, and you've got your message archive, you should be able to get back to the same index that you had before. Here we add a simple test that give some flavor of how that works. ---

[PATCH v2 17/21] cli/reindex: destroy stashed session keys when --decrypt=false

There are some situations where the user wants to get rid of the cleartext index of a message. For example, if they're indexing encrypted messages normally, but suddenly they run across a message that they really don't want any trace of in their index. In that case, the natural thing to do is:

Re: [PATCH 13/18] cli/new, insert, reindex: change index.try_decrypt to "auto" by default

On Thu 2017-11-16 08:40:41 -0400, David Bremner wrote: > Daniel Kahn Gillmor <d...@fifthhorseman.net> writes: > >> The new "auto" decryption policy is not only good for "notmuch show" >> and "notmuch reindex". It's also useful for indexing

Re: [PATCH] cli/help: give a hint about notmuch-emacs-mua

On Thu 2017-10-26 18:27:51 -0400, Daniel Kahn Gillmor wrote: > "notmuch help" doesn't mention "notmuch-emacs-mua" even though we > support it through the try_external_command() mechanism. > > In addition, "notmuch help emacs-mua" doesn't work, eve

Re: [PATCH] cli/help, completion: added pointers to notmuch-properties(7)

On Thu 2017-10-26 18:28:12 -0400, Daniel Kahn Gillmor wrote: > --- > completion/notmuch-completion.bash | 2 +- > notmuch.c | 2 ++ > 2 files changed, 3 insertions(+), 1 deletion(-) Ping on this patch as well. I think this should be safe and sim

[PATCH] crypto: signature verification reports valid User IDs

When i'm trying to understand a message signature, i care that i know who it came from (the "validity" of the identity associated with the key), *not* whether i'm willing to accept the keyholder's other identity assertions (the "trust" associated with the certificate). We've been reporting User

Re: [PATCH] python: add bindings for notmuch_message_get_propert(y/ies)

On Tue 2017-11-28 23:46:11 +0100, Ruben Pollan wrote: > Message.get_property (prop) returns a string with the value of the property > and > Message.get_properties (prop, exact=False) returns a list [(key, value)] This looks like a sensible approach to me. I'd be curious to hear what others

Re: [PATCH] python: add bindings for notmuch_message_get_property

On Wed 2017-11-15 23:29:54 +0100, Ruben Pollan wrote: > Message.get_property (prop) returns a string with the value of the property. Upon review, this is actually insufficient for making robust use of the session-key series :( In particular, it only returns the first value for the session key

Re: Stashed session keys

Hi meskio-- On Wed 2017-11-15 23:41:28 +0100, meskio wrote: > Nice feature. I'm using it and it works fine. I notice some speed up, > improving > the painfulness of reading long encrypted threads in alot. And I like to > don't > be able to have around my old private keys. cool, i'm glad it's

Re: [PATCH 05/18] crypto: Test restore of cleartext index from stashed session keys

On Tue 2017-11-14 09:13:52 -0400, David Bremner wrote: > Daniel Kahn Gillmor <d...@fifthhorseman.net> writes: > >> If you've got a notmuch dump that includes stashed session keys for >> every decrypted message, and you've got your message archive, you >> should b

Re: [PATCH 03/18] crypto: use stashed session-key properties for decryption, if available

Hi Bremner-- Thanks for the review! On Tue 2017-11-14 09:02:08 -0400, David Bremner wrote: > Since you wrote this, I've deprecated GMime 2.6. I'm not sure that > changes anything here, but seems worth mentioning well, i'm happy to hear that -- i've got no problem with deprecating GMime 2.6,

Re: Stashed session keys

On Sun 2017-11-12 11:51:11 +0800, Daniel Kahn Gillmor wrote: > On Sat 2017-11-11 15:31:36 -0800, Jameson Graef Rollins wrote: >> I haven't decided what's the best way to do that yet, but something >> like the following happening automatically at inbox view might do the >> t

Re: [PATCH 07/18] crypto: new decryption policy "auto"

On Sat 2017-11-11 15:14:03 -0800, Jameson Graef Rollins wrote: > On Wed, Oct 25 2017, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote: >> diff --git a/util/crypto.h b/util/crypto.h >> index b23ca747..dc95b4ca 100644 >> --- a/util/crypto.h >> +++ b/util/cryp

Re: Stashed session keys

On Sat 2017-11-11 15:31:36 -0800, Jameson Graef Rollins wrote: > I have reviewed and tested this series, and it seems solidly > implemented and very well motivated. I have been using it regularly > for a couple weeks now and have found no issues with it's usage, and > have noticed the

Re: Stashed session keys

On Wed 2017-10-25 02:51:45 -0400, Daniel Kahn Gillmor wrote: > Now that cleartext indexing is merged, let's add the ability to stash > session keys! I'd really appreciate feedback on this series. It works for me, and i'm using it. I don't want this to take another two years to land, if po

Re: [PATCH] NEWS: cleartext indexing

On Mon 2017-10-30 12:16:25 -0400, Antoine Beaupré wrote: > I think that assumption should be made clear in the documentation, > because "security of your index" means nothing to me. Explicitly mention > FDE as an example may be a good start. again, i'm not convinced that "full disk" encryption is

Re: [PATCH] NEWS: cleartext indexing

On Mon 2017-10-30 08:46:12 -0400, Antoine Beaupré wrote: > On 2017-10-22 11:36:34, Daniel Kahn Gillmor wrote: >> + Note that the contents of the index are sufficient to roughly >> + reconstruct the cleartext of the message itself, so please ensure >> + that the

Re: web interface to notmuch

On Fri 2017-10-27 00:04:21 -0400, Brian Sniffen wrote: > With bleach integrated (all of five lines), I think this is safe enough > to let random notmuch users run it. hm, bleach might be a little too aggressive. jrollins just pointed toward:

[PATCH] cli/help: give a hint about notmuch-emacs-mua

"notmuch help" doesn't mention "notmuch-emacs-mua" even though we support it through the try_external_command() mechanism. In addition, "notmuch help emacs-mua" doesn't work, even though we ship the appropriate manpage. This changeset fixes both of these problems. --- notmuch.c | 5 - 1

[PATCH] cli/help,completion: added pointers to notmuch-properties(7)

--- completion/notmuch-completion.bash | 2 +- notmuch.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/completion/notmuch-completion.bash b/completion/notmuch-completion.bash index a0c3ac17..895fc554 100644 --- a/completion/notmuch-completion.bash

Re: web interface to notmuch

On Wed 2017-10-25 18:03:01 -0400, Brian Sniffen wrote: > That's inspiring! Now there's a demo of nmweb at > > https://nmweb.evenmere.org/ this is very nice, Brian. Your URL highlighter seems a bit trigger-happy though: https://nmweb.evenmere.org/show/8760s7zr47.fsf%40zancas.localnet I

Re: [PATCH] test: fix test database backup/restore location

est-lib-common.sh") started using a test specific > backup directories under the build tree test directory. This was in > error. Switch back to the old location, but using paths to the > location instead of relying on current working directory. > > Reported by Daniel

Re: [PATCH 03/18] crypto: use stashed session-key properties for decryption, if available

On Wed 2017-10-25 02:51:48 -0400, Daniel Kahn Gillmor wrote: > diff --git a/util/crypto.c b/util/crypto.c > index 087536ec..e014db5d 100644 > --- a/util/crypto.c > +++ b/util/crypto.c > @@ -140,13 +140,42 @@ void _notmuch_crypto_cleanup (unused(_notmuch_crypto_t > *

[PATCH 17/18] docs: clean up documentation about decryption policies

Now that the range of sensible decryption policies has come into full view, we take a bit of space to document the distinctions. Most people will use either "auto" or "true" -- but we provide "false" and "nostash" to handle use cases that might reasonably be requested. Note also that these can

[PATCH 02/18] crypto: add _notmuch_crypto_decrypt wrapper function

We will use this centralized function to consolidate the awkward behavior around different gmime versions. It's only invoked from two places: mime-node.c's node_decrypt_and_verify() and lib/index.cc's _index_encrypted_mime_part(). However, those two places have some markedly distinct logic, so

[PATCH 12/18] crypto: record whether an actual decryption attempt happened

In our consolidation of _notmuch_crypto_decrypt, the callers lost track a little bit of whether any actual decryption was attempted. Now that we have the more-subtle "auto" policy, it's possible that _notmuch_crypto_decrypt could be called without having any actual decryption take place. This

[PATCH 05/18] crypto: Test restore of cleartext index from stashed session keys

If you've got a notmuch dump that includes stashed session keys for every decrypted message, and you've got your message archive, you should be able to get back to the same index that you had before. Here we add a simple test that give some flavor of how that works. ---

[PATCH 08/18] cli/reply: use decryption policy "auto" by default.

If the user doesn't specify --decrypt= at all, but a stashed session key is known to notmuch, when replying to an encrypted message, notmuch should just go ahead and decrypt. The user can disable this at the command line with --decrypt=false, though it's not clear why they would ever want to do

[PATCH 03/18] crypto: use stashed session-key properties for decryption, if available

When doing any decryption, if the notmuch database knows of any session keys associated with the message in question, try them before defaulting to using default symmetric crypto. The primary advantage this offers is a significant speedup when rendering large encrypted threads ("notmuch show") if

[PATCH 13/18] cli/new, insert, reindex: change index.try_decrypt to "auto" by default

The new "auto" decryption policy is not only good for "notmuch show" and "notmuch reindex". It's also useful for indexing messages -- there's no good reason to not try to go ahead and index the cleartext of a message that we have a stashed session key for. This change updates the defaults and

[PATCH 14/18] cli/reindex: destroy stashed session keys when --try-decrypt=false

There are some situations where the user wants to get rid of the cleartext index of a message. For example, if they're indexing encrypted messages normally, but suddenly they run across a message that they really don't want any trace of in their index. In that case, the natural thing to do is:

[PATCH 04/18] test/corpora: add an encrypted message for index decryption tests

! diff --git a/test/corpora/crypto/simple-encrypted b/test/corpora/crypto/simple-encrypted new file mode 100644 index ..6869972d --- /dev/null +++ b/test/corpora/crypto/simple-encrypted @@ -0,0 +1,36 @@ +From: Daniel Kahn Gillmor <d...@fifthhorseman.net> +To: d...@fifthhorseman.net +S

[PATCH 15/18] crypto: actually stash session keys when try-decrypt=true

If you're going to store the cleartext index of an encrypted message, in most situations you might just as well store the session key. Doing this storage has efficiency and recoverability advantages. Combined with a schedule of regular OpenPGP subkey rotation and destruction, this can also offer

[PATCH 09/18] cli/show: use decryption policy "auto" by default.

When showing a message, if the user doesn't specify --decrypt= at all, but a stashed session key is known to notmuch, notmuch should just go ahead and try to decrypt the message with the session key (without bothering the user for access to their asymmetric secret key). The user can disable this

[PATCH 10/18] cli/show, reply: document use of stashed session keys in notmuch-properties

The stashed session keys are stored internally as notmuch properties. So a user or developer who is reading about those properties might want to understand how they fit into the bigger picture. Note here that decrypting with a stored session key no longer needs -decrypt for "notmuch show" and

[PATCH 01/18] mime-node: handle decrypt_result more safely

If (for whatever reason) we don't get a decrypt_result back, or it's not structured the way we expect it to be, we shouldn't choke on it. --- mime-node.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/mime-node.c b/mime-node.c index c3d5cb9b..28326e03 100644

<    4   5   6   7   8   9   10   11   12   13   >