--- /dev/null
+Return-Path: <dkg@fifthhorseman.net>\r
+X-Original-To: notmuch@notmuchmail.org\r
+Delivered-To: notmuch@notmuchmail.org\r
+Received: from localhost (localhost [127.0.0.1])\r
+ by olra.theworths.org (Postfix) with ESMTP id A301A431FC9\r
+ for <notmuch@notmuchmail.org>; Fri, 23 Jan 2015 10:26:42 -0800 (PST)\r
+X-Virus-Scanned: Debian amavisd-new at olra.theworths.org\r
+X-Spam-Flag: NO\r
+X-Spam-Score: 2.438\r
+X-Spam-Level: **\r
+X-Spam-Status: No, score=2.438 tagged_above=-999 required=5\r
+ tests=[DNS_FROM_AHBL_RHSBL=2.438] autolearn=disabled\r
+Received: from olra.theworths.org ([127.0.0.1])\r
+ by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024)\r
+ with ESMTP id 5g2P3d-CsXlb for <notmuch@notmuchmail.org>;\r
+ Fri, 23 Jan 2015 10:26:39 -0800 (PST)\r
+Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108])\r
+ by olra.theworths.org (Postfix) with ESMTP id 63E34431FBC\r
+ for <notmuch@notmuchmail.org>; Fri, 23 Jan 2015 10:26:39 -0800 (PST)\r
+Received: from fifthhorseman.net (unknown [38.109.115.130])\r
+ by che.mayfirst.org (Postfix) with ESMTPSA id 4BBF4F984\r
+ for <notmuch@notmuchmail.org>; Fri, 23 Jan 2015 13:26:36 -0500 (EST)\r
+Received: by fifthhorseman.net (Postfix, from userid 1000)\r
+ id 9531E2039E; Fri, 23 Jan 2015 13:26:43 -0500 (EST)\r
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>\r
+To: notmuch@notmuchmail.org\r
+Subject: Re: [PATCH] emacs: show: allow user to hide some mime types\r
+ by default.\r
+In-Reply-To: <cun8ugu3qt6.fsf@gargravarr.hh.sledj.net>\r
+References: <1421960852-26424-1-git-send-email-markwalters1009@gmail.com>\r
+ <cun8ugu3qt6.fsf@gargravarr.hh.sledj.net>\r
+User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1\r
+ (x86_64-pc-linux-gnu)\r
+Date: Fri, 23 Jan 2015 13:26:43 -0500\r
+Message-ID: <87ppa5jqu4.fsf@alice.fifthhorseman.net>\r
+MIME-Version: 1.0\r
+Content-Type: text/plain\r
+X-BeenThere: notmuch@notmuchmail.org\r
+X-Mailman-Version: 2.1.13\r
+Precedence: list\r
+List-Id: "Use and development of the notmuch mail system."\r
+ <notmuch.notmuchmail.org>\r
+List-Unsubscribe: <http://notmuchmail.org/mailman/options/notmuch>,\r
+ <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>\r
+List-Archive: <http://notmuchmail.org/pipermail/notmuch>\r
+List-Post: <mailto:notmuch@notmuchmail.org>\r
+List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>\r
+List-Subscribe: <http://notmuchmail.org/mailman/listinfo/notmuch>,\r
+ <mailto:notmuch-request@notmuchmail.org?subject=subscribe>\r
+X-List-Received-Date: Fri, 23 Jan 2015 18:26:42 -0000\r
+\r
+On Fri 2015-01-23 02:21:41 -0500, David Edmondson wrote:\r
+> Whilst I think that having this knob is a good thing, I don't think that\r
+> it's a solution to the 'text/html renderers access the network'\r
+> problem. I can't sensibly (and don't wish to) disable the display of\r
+> text/html parts by default (colleagues generate too many text/html\r
+> messages to make that feasible, and I have rss2imap generate a bunch of\r
+> text/html messages that I want to see in their full glory), but would\r
+> definitely like to choose whether a message can sell me out to\r
+> advertisers.\r
+>\r
+> I'm trying to say that this is good, but let's not get into the habit of\r
+> telling someone that complains about network access that adding\r
+> text/html to `notmuch-show-always-hide-types' is the solution.\r
+\r
+I agree with this sentiment. I had been grousing earlier (off-list)\r
+about rendering html messages in general (i don't like exposing\r
+arbitrary attacker-delivered content to a complicated parser where i can\r
+avoid it), so i see Mark's patch as a useful tool to prevent that\r
+problem, not about remote network access during render.\r
+\r
+preventing network access from html-rendered messages is better handled\r
+in a workaround by (gnus-blocked-images "."), though notmuch should\r
+enforce this setting by default when rendering html parts.\r
+\r
+ --dkg\r
projects / notmuch-archives.git / commitdiff