David Bremner [Tue, 24 Sep 2019 00:36:01 +0000 (21:36 -0300)]
Merge branch 'release'
David Bremner [Tue, 24 Sep 2019 00:34:07 +0000 (21:34 -0300)]
remove stray ` from NEWS
Daniel Kahn Gillmor [Tue, 28 May 2019 18:46:48 +0000 (14:46 -0400)]
cli/{show,reply}: use repaired form of "Mixed Up" mangled messages
When showing or replying to a message that has been mangled in transit
by an MTA in the "Mixed up" way, notmuch should instead use the
repaired form of the message.
Tracking the repaired GMimeObject for the lifetime of the mime_node so
that it is cleaned up properly is probably the trickiest part of this
patch, but the choices here are based on the idea that the
mime_node_context is the memory manager for the whole mime_node tree
in the first place, so new GMimeObject tree created on-the-fly during
message parsing should be disposed of in the same place.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Tue, 28 May 2019 18:42:26 +0000 (14:42 -0400)]
index: repair "Mixed Up" messages before indexing.
When encountering a message that has been mangled in the "mixed up"
way by an intermediate MTA, notmuch should instead repair it and index
the repaired form.
When it does this, it also associates the index.repaired=mixedup
property with the message. If a problem is found with this repair
process, or an improved repair process is proposed later, this should
make it easy for people to reindex the relevant message. The property
will also hopefully make it easier to diagnose this particular problem
in the future.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Tue, 28 May 2019 05:45:12 +0000 (01:45 -0400)]
util/repair: identify and repair "Mixed Up" mangled messages
Implement a functional identification and repair process for "Mixed
Up" MIME messages as described in
https://tools.ietf.org/html/draft-dkg-openpgp-pgpmime-message-mangling-00#section-4.1
The detection test is not entirely complete, in that it does not
verify the contents of the latter two message subparts, but this is
probably safe to skip, because those two parts are unlikely to be
readable anyway, and the only part we are effectively omitting (the
first subpart) is guaranteed to be empty anyway, so its removal can be
reversed if you want to do so. I've left FIXMEs in the code so that
anyone excited about adding these additional checks can see where to
put them in.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Tue, 28 May 2019 02:46:53 +0000 (22:46 -0400)]
test: add test for "Mixed-Up Mime" message mangling
Some MTAs mangle e-mail messages in transit in ways that are
repairable.
Microsoft Exchange (in particular, the version running today on
Office365's mailservers) appears to mangle multipart/encrypted
messages in a way that makes them undecryptable by the recipient.
I've documented this in section 4.1 "Mixed-up encryption" of draft -00
of
https://tools.ietf.org/html/draft-dkg-openpgp-pgpmime-message-mangling
Fortunately, it's possible to repair such a message, and notmuch can
do that so that a user who receives an encrypted message from a user
of office365.com can still decrypt the message.
Enigmail already knows about this particular kind of mangling. It
describes it as "broken PGP email format probably caused by an old
Exchange server", and it tries to repair by directly changing the
message held by the user. if this kind of repair goes wrong, the
repair process can cause data loss
(https://sourceforge.net/p/enigmail/bugs/987/, yikes).
The tests introduced here are currently broken. In subsequent
patches, i'll introduce a non-destructive form of repair for notmuch
so that notmuch users can read mail that has been mangled in this way,
and the tests will succeed.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Tomi Ollila [Sun, 1 Sep 2019 20:09:46 +0000 (23:09 +0300)]
configure: disallow whitespace in paths, extend checks to $PWD
Whitespace in $NOTMUCH_SRCDIR (and $PWD) may work in builds,
but definitely will not work in tests. It would be difficult
to make tests support whitespace in test filename paths -- and
fragile to maintain if done.
So it is just easier and safer to disallow whitespace there.
In case of out of tree build $NOTMUCH_SRCDIR differs from $PWD
(current directory). Extend this whitespace, and also previously
made unsafe characters check to $PWD too.
Daniel Kahn Gillmor [Thu, 29 Aug 2019 15:38:53 +0000 (11:38 -0400)]
index: avoid indexing legacy-display parts
When we notice a legacy-display part during indexing, it makes more
sense to avoid indexing it as part of the message body.
Given that the protected subject will already be indexed, there is no
need to index this part at all, so we skip over it.
If this happens during indexing, we set a property on the message:
index.repaired=skip-protected-headers-legacy-display
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Thu, 29 Aug 2019 15:38:52 +0000 (11:38 -0400)]
cli/{show,reply}: skip over legacy-display parts
Make use of the previous changes to fast-forward past any
legacy-display parts during "notmuch show" and "notmuch reply".
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Thu, 29 Aug 2019 15:38:51 +0000 (11:38 -0400)]
util/repair: add _notmuch_repair_crypto_payload_skip_legacy_display
This is a utility function designed to make it easier to
"fast-forward" past a legacy-display part associated with a
cryptographic envelope, and show the user the intended message body.
The bulk of the ugliness in here is in the test function
_notmuch_crypto_payload_has_legacy_display, which tests all of the
things we'd expect to be true in a a cryptographic payload that
contains a legacy display part.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Thu, 29 Aug 2019 15:38:50 +0000 (11:38 -0400)]
util/crypto: _n_m_crypto_potential_payload returns whether part is the payload
Our _notmuch_message_crypto_potential_payload implementation could
only return a failure if bad arguments were passed to it. It is an
internal function, so if that happens it's an entirely internal bug
for notmuch.
It will be more useful for this function to return whether or not the
part is in fact a cryptographic payload, so we dispense with the
status return.
If some future change suggests adding a status return back, there are
only a handful of call sites, and no pressure to retain a stable API,
so it could be changed easily. But for now, go with the simpler
function.
We will use this return value in future patches, to make different
decisions based on whether a part is the cryptographic payload or not.
But for now, we just leave the places where it gets invoked marked
with (void) to show that the result is ignored.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Thu, 29 Aug 2019 15:38:49 +0000 (11:38 -0400)]
util/crypto: _n_m_crypto_potential_payload: rename "payload" arg to "part"
_notmuch_message_crypto_potential_payload is called on a GMimeObject
while walking the MIME tree of a message to determine whether that
object is the payload. It doesn't make sense to name the argument
"payload" if it might not be the payload, so we rename it to "part"
for clarity.
This is a non-functional change, just semantic cleanup.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Thu, 29 Aug 2019 15:38:48 +0000 (11:38 -0400)]
test: avoid showing legacy-display parts
Enigmail generates a "legacy-display" part when it sends encrypted
mail with a protected Subject: header. This part is intended to
display the Subject for mail user agents that are capable of
decryption, but do not know how to deal with embedded protected
headers.
This part is the first child of a two-part multipart/mixed
cryptographic payload within a cryptographic envelope that includes
encryption (that is, it is not just a cleartext signed message). It
uses Content-Type: text/rfc822-headers.
That is:
A └┬╴multipart/encrypted
B ├─╴application/pgp-encrypted
C └┬╴application/octet-stream
* ╤ <decryption>
D └┬╴multipart/mixed; protected-headers=v1 (cryptographic payload)
E ├─╴text/rfc822-headers; protected-headers=v1 (legacy-display part)
F └─╴… (actual message body)
In discussions with jrollins, i've come to the conclusion that a
legacy-display part should be stripped entirely from "notmuch show"
and "notmuch reply" now that these tools can understand and interpret
protected headers.
You can tell when a message part is a protected header part this way:
* is the payload (D) multipart/mixed with exactly two children?
* is its first child (E) Content-Type: text/rfc822-headers?
* does the first child (E) have the property protected-headers=v1?
* do all the headers in the body of the first child (E) match
the protected headers in the payload part (D) itself?
If this is the case, and we already know how to deal with the
protected header, then there is no reason to try to render the
legacy-display part itself for the user.
Furthermore, when indexing, if we are indexing properly, we should
avoid indexing the text in E as part of the message body.
'notmuch reply' is an interesting case: the standard use of 'notmuch
reply' will end up omitting all mention of protected Subject:.
The right fix is for the replying MUA to be able to protect its
headers, and for it to set them appropriately based on headers found
in the original message.
If a replying MUA is unable to protect headers, but still wants the
user to be able to see the original header, a replying MUA that
notices that the original message's subject differs from the proposed
reply subject may choose to include the original's subject in the
quoted/attributed text. (this would be a stopgap measure; it's not
even clear that there is user demand for it)
This test suite change indicates what we want to happen for this case
(the tests are currently broken), and includes three additional TODO
suggestions of subtle cases for anyone who wants to flesh out the test
suite even further. (i believe all these cases should be already
fixed by the rest of this series, but haven't had time to write the
tests for the unusual cases)
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Thu, 29 Aug 2019 15:38:47 +0000 (11:38 -0400)]
repair: set up codebase for repair functionality
This adds no functionality directly, but is a useful starting point
for adding new repair functionality.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Thu, 29 Aug 2019 15:38:46 +0000 (11:38 -0400)]
mime-node: split out _mime_node_set_up_part
This is a code reorganization that should have no functional effect,
but will make future changes simpler, because a future commit will
reuse the _mime_node_set_up_part functionality without touching
_mime_node_create.
In the course of splitting out this function, I noticed a comment in
the codebase that referred to an older name of _mime_node_create
(message_part_create), where this functionality originally resided.
I've fixed that comment to refer to the new function instead.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Tomi Ollila [Mon, 26 Aug 2019 17:03:46 +0000 (20:03 +0300)]
configure: fix out of tree build; check unsafe characters in srcdir
While check for GMime session key extraction support... was made
out of tree build compatible, related (and some unrelated) unsafe
characters are now checked in notmuch source directory path.
The known unsafe characters in NOTMUCH_SRCDIR are:
- Single quote (') -- NOTMUCH_SRCDIR='${NOTMUCH_SRCDIR}'
is written to sh.config in configure line 1328.
- Double quote (") -- configure line 521 *now* writes "$srcdir"
into generated c source file ($NOTMUCH_SRCDIR includes $srcdir).
- Backslash (\) could also be problematic in configure line 521.
- The added $ and ` are potentially unsafe -- inside double quotes
in shell script those have special meaning.
Other characters don't expand inside double quoted strings.
Ralph Seichter [Tue, 23 Jul 2019 20:48:23 +0000 (22:48 +0200)]
notmuch-dump.c: Fix output file being closed twice
Fixed: If the output file for a dump was non-writeable, gzclose_w()
was called twice on the output file handle, resulting in SIGABRT.
David Bremner [Sun, 21 Jul 2019 19:15:19 +0000 (16:15 -0300)]
Merge branch 'release'
Debian upload 0.29.1-2
David Bremner [Sun, 21 Jul 2019 19:06:41 +0000 (16:06 -0300)]
Merge branch 'debian/unstable' into release
David Bremner [Sun, 21 Jul 2019 14:49:38 +0000 (11:49 -0300)]
debian: Changelog for re-upload to unstable
Tomi Ollila [Sat, 15 Jun 2019 14:28:44 +0000 (17:28 +0300)]
test: aggregate-results.sh: count test files where all tests skipped
Previously, when all tests were skipped on a test file, there were
no indication of this in the final results aggregate-results.sh
printed.
Now count of the files where all tests were skipped is printed.
Daniel Kahn Gillmor [Wed, 3 Jul 2019 04:31:19 +0000 (00:31 -0400)]
notmuch-show: run uncrustify
This is the result of running:
$ uncrustify --replace --config devel/uncrustify.cfg *.c *.h
In the top level source directory. I was using uncrustify
0.68.1+dfsg1-2.
I do not know why these changes were not caught in
33382c2b5ba2537952a60ea378feff36961e4713
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Tue, 25 Jun 2019 17:55:45 +0000 (13:55 -0400)]
test: run uncrustify
This is the result of running:
$ uncrustify --replace --config ../devel/uncrustify.cfg *.cc *.c *.h
in the test directory.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
David Bremner [Wed, 26 Jun 2019 16:23:37 +0000 (12:23 -0400)]
test: replace use of gdb with LD_PRELOAD shims in T070-insert.sh
This removes the dependency of this test script on gdb, and
considerably speeds up the running of the tests.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
David Bremner [Wed, 26 Jun 2019 16:23:36 +0000 (12:23 -0400)]
test: provide machinery to make and use test_shims
These can be used e.g. to override return values for functions, in
place of the existing scripting of gdb.
This prepends to LD_PRELOAD rather than clobbering it, thanks to a
suggestion from Tomi Ollila.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Mon, 10 Jun 2019 01:44:39 +0000 (04:44 +0300)]
emacs: add keywords to notmuch-emacs-mua.desktop
Debian's lintian has an informational alert
desktop-entry-lacks-keywords-entry, which recommends including
Keywords= in a .desktop file.
I dug around a bit in /usr/share/applications/*.desktop to make sure
that we covered the range of keywords other e-mail applications are
using. If anyone has other suggestions for keywords, they can add
them to this list.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
David Bremner [Mon, 17 Jun 2019 05:07:45 +0000 (07:07 +0200)]
Merge branch 'release'
Ralph Seichter [Sun, 16 Jun 2019 15:18:47 +0000 (17:18 +0200)]
configure: fix mktemp call for macOS
Add missing template to mktemp, as required by macOS / OS X.
Signed-off-by: Ralph Seichter <abbot@monksofcool.net>
uncrustify [Thu, 13 Jun 2019 10:55:35 +0000 (07:55 -0300)]
lib: run uncrustify
This is the result of running
$ uncrustify --replace --config ../devel/uncrustify.cfg *.c *.h *.cc
in the lib directory
uncrustify [Thu, 13 Jun 2019 10:35:36 +0000 (07:35 -0300)]
parse-time-string: run uncrustify
This is the result of running
$ uncrustify --replace --config ../devel/uncrustify.cfg *.c *.h
in the parse-time-string directory
uncrustify [Thu, 13 Jun 2019 10:34:25 +0000 (07:34 -0300)]
compat: run uncrustify
This is the result of running
$ uncrustify --replace --config ../devel/uncrustify.cfg *.c *.h
in the compat directory
uncrustify [Thu, 13 Jun 2019 10:33:13 +0000 (07:33 -0300)]
util: run uncrustify
This is the result of running
$ uncrustify --replace --config ../devel/uncrustify.cfg *.c *.h
in the util directory
uncrustify [Thu, 13 Jun 2019 10:31:01 +0000 (07:31 -0300)]
cli: run uncrustify
This is the result of running
$ uncrustify --replace --config devel/uncrustify.cfg *.c *.h
in the top level source directory
David Bremner [Wed, 12 Jun 2019 22:47:20 +0000 (19:47 -0300)]
CLI: replace some constructs with more uncrustify friendly ones
In particular
- use (bool) instead of !!
- cuddle the opening parens of function calls
- add parens in some ternery operators
David Bremner [Thu, 13 Jun 2019 10:50:44 +0000 (07:50 -0300)]
uncrustify: indent classes
With previous settings member functions / variables are moved to
column 0.
David Bremner [Wed, 12 Jun 2019 22:49:13 +0000 (19:49 -0300)]
STYLE: document rules for calls, block comments, ternary ops
David Bremner [Fri, 14 Jun 2019 10:32:22 +0000 (07:32 -0300)]
cli: partial whitespace cleanup in notmuch-config.c
This avoids spurious tab to space conversion by uncrustify
David Bremner [Wed, 12 Jun 2019 00:12:38 +0000 (21:12 -0300)]
build: drop variable HAVE_EMACS. use WITH_EMACS instead
The extra flexibility of having both HAVE_EMACS (for yes, there is an
emacs we can use) and WITH_EMACS (the user wants emacs support) lead
to confusion and bugs. We now just force WITH_EMACS to 0 if no
suitable emacs is detected.
David Bremner [Tue, 11 Jun 2019 23:41:35 +0000 (20:41 -0300)]
Merge branch 'release'
David Bremner [Tue, 11 Jun 2019 23:16:48 +0000 (20:16 -0300)]
debian: changelog for 0.29.1-1
David Bremner [Tue, 11 Jun 2019 23:15:04 +0000 (20:15 -0300)]
NEWS: news for 0.29.1
David Bremner [Tue, 11 Jun 2019 23:11:45 +0000 (20:11 -0300)]
version: bump to 0.29.1
Tomi Ollila [Thu, 30 May 2019 19:56:14 +0000 (22:56 +0300)]
append _unused to the expression defined using unused() macro
This way if variables defined using unused() macro are actually
used then code will not compile...
- removed unused usage around one argc and one argv since those
were used
- changed one unused (char *argv[]) to unused (char **argv) to
work with modified unused() macro definition
Daniel Kahn Gillmor [Mon, 10 Jun 2019 01:22:51 +0000 (04:22 +0300)]
debian: Add appropriate substitution variables to debian/control
Without this change, dh_gencontrol emits:
dpkg-gencontrol: warning: package python-notmuch: substitution variable ${python:Provides} unused, but is defined
dpkg-gencontrol: warning: package python-notmuch: substitution variable ${python:Versions} unused, but is defined
dpkg-gencontrol: warning: package notmuch-mutt: substitution variable ${perl:Depends} unused, but is defined
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Mon, 10 Jun 2019 01:22:50 +0000 (04:22 +0300)]
debian: bump Standards-Version to 4.3.0 (no changes needed)
/usr/share/doc/debian-policy/upgrading-checklist.txt.gz suggests that
notmuch is already compliant with debian-policy 4.3.0.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthorseman.net>
Daniel Kahn Gillmor [Mon, 10 Jun 2019 01:25:26 +0000 (04:25 +0300)]
fix misspelling
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Mon, 10 Jun 2019 01:35:03 +0000 (04:35 +0300)]
debian: enable build hardening features
Debian's build hardening toolchain options produce binary artifacts
that are more resistant to compromise. The most visible change for
notmuch today is likely to be the addition of the "bindnow" linker
flag, which contributes to making the "Global Offset Table" fully
read-only.
See https://wiki.debian.org/Hardening for more details.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Tomi Ollila [Mon, 10 Jun 2019 18:39:23 +0000 (21:39 +0300)]
test: aggregate-results.sh: consistent style. zero forks.
- all variables in $((...)) without leading $
- all comparisons use -gt, -eq or -ne
- no -a nor -o inside [ ... ] expressions
- all indentation levels using one tab
Dropped unnecessary empty string check when reading results files.
Replaced pluralize() which was executed in subshell with
pluralize_s(). pluralize_s sets $s to 's' or '' based on value of
$1. Calls to pluralize_s are done in context of current shell, so
no forks to subshells executed.
David Bremner [Mon, 10 Jun 2019 10:11:50 +0000 (07:11 -0300)]
doc: Don't install emacs docs when they are not built
In 40b025 we stopped building the notmuch-emacs documentation if
HAVE_EMACS=0 (i.e. no emacs was detected by configure). Unfortunately
we continued to try to install the (non-existent) documentation, which
causes build/install failures.
As a bonus, we also avoid installing the documentation if the user
configures --without-emacs.
Thanks to Ralph Seichter for reporting the problem, and testing
previous versions of this fix.
David Bremner [Tue, 11 Jun 2019 00:06:57 +0000 (21:06 -0300)]
doc: don't build notmuch-emacs.info for configure --without-emacs
Since the docstrings are not built in the case of --without-emacs,
even if emacs is detected, don't let sphinx build the emacs docs. This
avoids a large number of error messages due to missing includes. It's
actually a bit surprising sphinx doesn't generate an error for the
missing include files.
Daniel Kahn Gillmor [Thu, 30 May 2019 00:09:44 +0000 (20:09 -0400)]
test: signature verification during decryption (session keys)
When the user knows the signer's key, we want "notmuch show" to be
able to verify the signature of an encrypted and signed message
regardless of whether we are using a stashed session key or not.
I wrote this test because I was surprised to see signature
verification failing when viewing some encrypted messages after
upgrading to GPGME 1.13.0-1 in debian experimental.
The added tests here all pass with GPGME 1.12.0, but the final test
fails with 1.13.0, due to some buggy updates to GPGME upstream: see
https://dev.gnupg.org/T3464 for more details.
While the bug needs to be fixed in GPGME, notmuch's test suite needs
to make sure that GMime is doing what we expect it to do; i was a bit
surprised that it hadn't caught the problem, hence this patch.
I've fixed this bug in debian experimental with gpgme 1.13.0-2, so the
tests should pass on any debian system. I've also fixed it in the
gpgme packages (1.13.0-2~ppa1) in the ubuntu xenial PPA
(ppa:notmuch/notmuch) that notmuch uses for Travis CI.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
William Casarin [Fri, 31 May 2019 18:32:50 +0000 (11:32 -0700)]
perf-tests: #!/bin/bash -> #!/usr/bin/env bash
I couldn't run the performance tests on my machines due to a hardcoded
bash path. Use env for finding bash in weird systems like NixOS.
Signed-off-by: William Casarin <jb55@jb55.com>
David Bremner [Fri, 7 Jun 2019 10:06:22 +0000 (07:06 -0300)]
debian: fix desktop install
Previous version expected full upstream install to be run, and also
caused lintian whine about the the desktop file being in a different
package than the script. I'm not sure they shouldn't both be in
elpa-notmuch, but I can see how they should be together.
David Bremner [Fri, 7 Jun 2019 00:35:28 +0000 (21:35 -0300)]
debian: install desktop file
David Bremner [Fri, 7 Jun 2019 00:29:45 +0000 (21:29 -0300)]
NEWS: set release date for 0.29
David Bremner [Fri, 7 Jun 2019 00:27:35 +0000 (21:27 -0300)]
version: bump to 0.29
David Bremner [Fri, 7 Jun 2019 00:23:29 +0000 (21:23 -0300)]
debian: start changelog for 0.29-1
David Bremner [Fri, 7 Jun 2019 00:14:48 +0000 (21:14 -0300)]
debian: install logo
Thanks to Tim Retout for the patch
David Bremner [Wed, 5 Jun 2019 23:46:01 +0000 (20:46 -0300)]
NEWS: add Emacs front end changes by various people.
These are most of the remaining emacs related chagnes.
Daniel Kahn Gillmor [Wed, 29 May 2019 19:13:21 +0000 (15:13 -0400)]
NEWS: add a note about protected headers
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
David Bremner [Mon, 3 Jun 2019 11:10:19 +0000 (08:10 -0300)]
debian: changelog for 0.29~rc1-1
David Bremner [Mon, 3 Jun 2019 11:08:00 +0000 (08:08 -0300)]
version: bump to 0.29~rc1
David Bremner [Sat, 1 Jun 2019 02:24:52 +0000 (23:24 -0300)]
doc: use separate doctrees for distinct builders
It seems our previous attempt with order-only targets was not
sufficient to avoid problems with sphinx-builds doctree cache [0].
Looking around at other people's approaches [1], using separate
doctrees was suggested. I guess there might be a slight loss of
efficiency, but it seems more robust.
[0]: build failures were first noticed in Debian experimental, but I was able to duplicate it in
my usual build environment about 1 in 8 builds.
[1]: in particular
https://salsa.debian.org/mpd-team/mpc/commit/
9e3fc1657d043d75755993846c93f7700b97f907
David Bremner [Fri, 31 May 2019 11:16:34 +0000 (08:16 -0300)]
debian: changelog for 0.29~rc0-1
David Bremner [Fri, 31 May 2019 11:11:12 +0000 (08:11 -0300)]
version: bump to 0.29~rc0
Daniel Kahn Gillmor [Fri, 31 May 2019 01:18:53 +0000 (21:18 -0400)]
mime-node: be clearer about decryption
Part 0 of a multipart/encrypted object is
GMIME_MULTIPART_ENCRYPTED_VERSION; part 1 is
GMIME_MULTIPART_ENCRYPTED_CONTENT. Using the name for what we want
describes our intent more clearly than using a magic number in the
code.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
David Bremner [Wed, 29 May 2019 11:40:02 +0000 (08:40 -0300)]
test: update test description.
I missed this fix in dkg's revisions.
Daniel Kahn Gillmor [Sun, 26 May 2019 22:16:10 +0000 (18:16 -0400)]
cli/reply: pull proposed subject line from the message, not the index
Protected subject lines were being emitted in reply when the cleartext
of documents was indexed. create_reply_message() was pulling the
subject line from the index, rather than pulling it from the
GMimeMessage object that it already has on hand.
This one-line fix to notmuch-reply.c solves that problem, and doesn't
cause any additional tests to fail.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:16:09 +0000 (18:16 -0400)]
test: reply (in cli and emacs) should protect indexed sensitive headers
These tests are currently broken! When a protected subject is indexed
in the clear, it leaks in the reply headers :(
For emacs, we set up separate tests for when the protected header is
indexed in the clear and when it is unindexed. neither case should
leak, but the former wasn't tested yet.
We will fix the two broken tests in a subsequent patch.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:16:08 +0000 (18:16 -0400)]
test: emacs/show: ensure that protected headers appear as expected
This tests notmuch-show; headers appear appropriately based on the
setting of notmuch-crypto-process-mime.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:16:07 +0000 (18:16 -0400)]
test: ensure that protected headers appear in notmuch-emacs search as expected
We initially test only notmuch-search; tests for other functionality
come in different patchsets later.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:16:06 +0000 (18:16 -0400)]
test: try indexing nested messages and protected headers
We want to make sure that internally-forwarded messages don't end up
"bubbling up" when they aren't actually the cryptographic payload.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:16:05 +0000 (18:16 -0400)]
test: after reindexing, only legitimate protected subjects are searchable
This test scans for all the possible protected headers (including
bogus/broken ones) that are present in the protected-headers corpus,
trying to make sure that only the ones that are not broken or
malformed show up in a search after re-indexing.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:16:04 +0000 (18:16 -0400)]
test: protected headers should work when both encrypted and signed.
Up to this point, we've tested protected headers on messages that have
either been encrypted or signed, but not both.
This adds a couple tests of signed+encrypted messages, one where the
subject line is masked (outside subject line is "Subject Unavailable")
and another where it is not (outside Subject: matches inner Subject:)
See the discussion at
https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#protected-headers
for more details about the nuances between signed, stripped, and
stubbed headers.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Mon, 27 May 2019 22:40:28 +0000 (18:40 -0400)]
indexing: record protected subject when indexing cleartext
When indexing the cleartext of an encrypted message, record any
protected subject in the database, which should make it findable and
visible in search.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:16:02 +0000 (18:16 -0400)]
cli/reply: ensure encrypted Subject: line does not leak in the clear
Now that we can decrypt headers, we want to make sure that clients
using "notmuch reply" to prepare a reply don't leak cleartext in their
subject lines. In particular, the ["reply-headers"]["Subject"] should
by default show the external Subject.
A replying MUA that intends to protect the Subject line should show
the user the Subject from ["original"]["headers"]["Subject"] instead
of using ["reply-headers"]["Subject"].
This minor asymmetry with "notmuch show" is intentional. While both
tools always render the cleartext subject line when they know it (in
["headers"]["Subject"] for "notmuch show" and in
["original"]["headers"]["Subject"] for "notmuch reply"), "notmuch
reply" should never leak something that should stay under encrypted
cover in "reply-headers".
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:16:01 +0000 (18:16 -0400)]
test: show cryptographic envelope information for signed mails
Make sure that we emit the correct cryptographic envelope status for
cleartext signed messages.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:16:00 +0000 (18:16 -0400)]
test: add test for missing external subject
Adding another test to ensure that we handle protected headers
gracefully when no external subject is present.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Mon, 27 May 2019 22:14:16 +0000 (18:14 -0400)]
cli/show: add information about which headers were protected
The header-mask member of the per-message crypto object allows a
clever UI frontend to mark whether a header was protected (or not).
And if it was protected, it contains enough information to show useful
detail to an interested user. For example, an MUA could offer a "show
what this message's Subject looked like on the wire" feature in expert
mode.
As before, we only handle Subject for now, but we might be able to
handle other headers in the future.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Amended by db: tweaked schemata notation.
Daniel Kahn Gillmor [Sun, 26 May 2019 22:15:58 +0000 (18:15 -0400)]
cli/show: emit payload subject instead of outside subject
Correctly fix the two outstanding tests so that the protected (hidden)
subject is properly reported.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:15:57 +0000 (18:15 -0400)]
cli/show: add tests for viewing protected headers
Here we add several variant e-mail messages, some of which have
correctly-structured protected headers, and some of which do not. The
goal of the tests is to ensure that the right protected subjects get
reported.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Jameson Graef Rollins [Mon, 27 May 2019 18:35:10 +0000 (18:35 +0000)]
test: new test framework to compare json parts
This makes it easier to write fairly compact, readable tests of json
output, without needing to sanitize away parts that we don't care
about.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:15:55 +0000 (18:15 -0400)]
util/crypto: add information about the payload part
When walking the MIME tree, if we discover that we are at the
cryptographic payload, then we would like to record at least the
Subject header of the current MIME part.
In the future, we might want to record many other headers as well, but
for now we will stick with just the Subject.
See
https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#cryptographic-envelope
for more description of the Cryptographic Payload vs. the
Cryptographic Envelope.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Sun, 26 May 2019 22:15:54 +0000 (18:15 -0400)]
cli/show: emit headers after emitting body
This paves the way for emitting protected headers after verification
and decryption, because it means that the headers will only be emitted
after the body has been parsed.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Daniel Kahn Gillmor [Mon, 27 May 2019 23:08:18 +0000 (19:08 -0400)]
NEWS: note parallel test suite
Daniel Kahn Gillmor [Mon, 27 May 2019 23:08:17 +0000 (19:08 -0400)]
NEWS: include information about per-message cryptographic status
David Bremner [Mon, 27 May 2019 10:46:55 +0000 (07:46 -0300)]
NEWS: News for my changes for 0.29
These could be expanded in future commits.
Daniel Kahn Gillmor [Sun, 26 May 2019 15:03:13 +0000 (11:03 -0400)]
test: report summary even when aborting
In certain cases of test suite failure, the summary report was not
being printed. In particular, any failure on the parallel test suite,
and any aborted test in the serialized test suite would end up hiding
the summary.
It's better to always show the summary where we can (while preserving
the return code). If we do abort due to this high-level failure,
though, we should also announce to the user that we're doing so as
close to the end of the process as possible, to make it easier to find
the problem.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Tomi Ollila [Sun, 26 May 2019 13:49:48 +0000 (16:49 +0300)]
NEWS: The minimum supported major version of Emacs is now 24.
Daniel Kahn Gillmor [Sat, 25 May 2019 18:04:06 +0000 (14:04 -0400)]
cli/show: emit new whole-message crypto status output
This allows MUAs that don't want to think about per-mime-part
cryptographic status to have a simple high-level overview of the
message's cryptographic state.
Sensibly structured encrypted and/or signed messages will work fine
with this. The only requirement for the simplest encryption + signing
is that the message have all of its encryption and signing protection
(the "cryptographic envelope") in a contiguous set of MIME layers at
the very outside of the message itself.
This is because messages with some subparts signed or encrypted, but
with other subparts with no cryptographic protection is very difficult
to reason about, and even harder for the user to make sense of or work
with.
For further characterization of the Cryptographic Envelope and some of
the usability tradeoffs, see here:
https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html#cryptographic-envelope
Daniel Kahn Gillmor [Sat, 25 May 2019 18:04:05 +0000 (14:04 -0400)]
mime-node: track whole-message crypto state while walking the tree
Deliberately populate the message's cryptographic status while walking
the MIME tree from the CLI.
Note that the additional numchild argument added to _mime_node_create
is a passthrough needed to be able to adequately populate the crypto
state object.
Daniel Kahn Gillmor [Sat, 25 May 2019 18:04:04 +0000 (14:04 -0400)]
cli: expose message-wide crypto status from mime-node
The mime node context (a per-message context) gains a cryptographic
status object, and the mime_node_t object itself can return a view on
that status to an interested party.
The status is not yet populated, and for now we can keep that view
read-only, so that it can only be populated/modified during MIME tree
traversal.
Daniel Kahn Gillmor [Sat, 25 May 2019 18:04:03 +0000 (14:04 -0400)]
util/crypto: _notmuch_message_crypto: tracks message-wide crypto state
E-mail encryption and signatures reported by notmuch are at the MIME
part level. This makes sense in the dirty details, but for users we
need to have a per-message conception of the cryptographic state of
the e-mail. (see
https://dkg.fifthhorseman.net/blog/e-mail-cryptography.html for more
discussion of why this is important).
The object created in this patch is a useful for tracking the
cryptographic state of the underlying message as a whole, based on a
depth-first search of the message's MIME structure.
This object stores a signature list of the message, but we don't
handle it yet. Further patches in this series will make use of the
signature list.
Daniel Kahn Gillmor [Mon, 22 Apr 2019 17:18:14 +0000 (13:18 -0400)]
emacs: Drop content-free "Unknown signature status" button
When we have not been able to evaluate the signature status of a given
MIME part, showing a content-free (and interaction-free) "[ Unknown
signature status ]" button doesn't really help the user at all, and
takes up valuable screen real-estate.
A visual reminder that a given message is *not* signed isn't helpful
unless it is always present, in which case we'd want to see "[ Unknown
signature status ]" buttons on all messages, even ones that don't have
a signing structure, but i don't think we want that.
Amended by db to drop the unused initialization of 'label'
Daniel Kahn Gillmor [Mon, 20 May 2019 23:25:35 +0000 (19:25 -0400)]
test: allow disabling timeout with NOTMUCH_TEST_TIMEOUT=0
To aid in diagnosing test suite tooling that interacts poorly with
coreutils' timeout, it's handy to be able to bypass it entirely.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
David Bremner [Mon, 18 Feb 2019 13:08:48 +0000 (09:08 -0400)]
doc: document user header indexing.
It's a bit odd that the primary documentation is in notmuch-config,
but it is consistent with the "query:" prefix.
David Bremner [Tue, 26 Feb 2019 02:10:29 +0000 (22:10 -0400)]
lib/database: index user headers.
This essentially involves calling _notmuch_message_gen_terms once for
each user defined header.
David Bremner [Tue, 26 Feb 2019 01:57:40 +0000 (21:57 -0400)]
lib: support user prefix names in term generation
This should not change the indexing process yet as nothing calls
_notmuch_message_gen_terms with a user prefix name. On the other hand,
it should not break anything either.
_notmuch_database_prefix does a linear walk of the list of (built-in)
prefixes, followed by a logarithmic time search of the list of user
prefixes. The latter is probably not really noticable.
David Bremner [Sat, 17 Nov 2018 14:09:00 +0000 (10:09 -0400)]
lib: cache user prefixes in database object
This will be used to avoid needing a database access to resolve a db
prefix from the corresponding UI prefix (e.g. when indexing). Arguably
the setup of the separate header map does not belong here, since it is
about indexing rather than querying, but we currently don't have any
other indexing setup to do.
David Bremner [Sat, 17 Nov 2018 14:08:59 +0000 (10:08 -0400)]
lib: setup user headers in query parser
These tests will need to be updated if the Xapian
query print/debug format changes.