Re: [PATCH v4 16/16] add "notmuch reindex" subcommand

diff --git a/b2/c52111b769ebac56d0a0738b40b1f5c58eab09 b/b2/c52111b769ebac56d0a0738b40b1f5c58eab09
new file mode 100644 (file)
index 0000000..0cdaa08
--- /dev/null
+++ b/b2/c52111b769ebac56d0a0738b40b1f5c58eab09
@@ -0,0 +1,90 @@
+Return-Path: <olly@survex.com>\r
+X-Original-To: notmuch@notmuchmail.org\r
+Delivered-To: notmuch@notmuchmail.org\r
+Received: from localhost (localhost [127.0.0.1])\r
+ by arlo.cworth.org (Postfix) with ESMTP id A740A6DEB51A\r
+ for <notmuch@notmuchmail.org>; Sun, 14 Aug 2016 17:04:55 -0700 (PDT)\r
+X-Virus-Scanned: Debian amavisd-new at cworth.org\r
+X-Spam-Flag: NO\r
+X-Spam-Score: -2.356\r
+X-Spam-Level: \r
+X-Spam-Status: No, score=-2.356 tagged_above=-999 required=5\r
+ tests=[AWL=-0.055, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001]\r
+ autolearn=disabled\r
+Received: from arlo.cworth.org ([127.0.0.1])\r
+ by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024)\r
+ with ESMTP id 5cUgz7WEmCPT for <notmuch@notmuchmail.org>;\r
+ Sun, 14 Aug 2016 17:04:46 -0700 (PDT)\r
+X-Greylist: delayed 1284 seconds by postgrey-1.35 at arlo;\r
+ Sun, 14 Aug 2016 17:03:13 PDT\r
+Received: from atreus.tartarus.org (atreus.tartarus.org [80.252.125.10])\r
+ by arlo.cworth.org (Postfix) with ESMTPS id 67C536DEA05E\r
+ for <notmuch@notmuchmail.org>; Sun, 14 Aug 2016 17:03:13 -0700 (PDT)\r
+Received: from olly by atreus.tartarus.org with local (Exim 4.69)\r
+ (envelope-from <olly@survex.com>)\r
+ id 1bZ521-0005HY-Fy; Mon, 15 Aug 2016 00:41:29 +0100\r
+Date: Mon, 15 Aug 2016 00:41:29 +0100\r
+From: Olly Betts <olly@survex.com>\r
+To: David Bremner <david@tethera.net>\r
+Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>,\r
+ Notmuch Mail <notmuch@notmuchmail.org>\r
+Subject: Re: [PATCH v4 16/16] add "notmuch reindex" subcommand\r
+Message-ID: <20160814234129.GG14865@survex.com>\r
+References: <1467970047-8013-1-git-send-email-dkg@fifthhorseman.net>\r
+ <1467970047-8013-17-git-send-email-dkg@fifthhorseman.net>\r
+ <87h9an3rc0.fsf@maritornes.cs.unb.ca>\r
+MIME-Version: 1.0\r
+Content-Type: text/plain; charset=us-ascii\r
+Content-Disposition: inline\r
+In-Reply-To: <87h9an3rc0.fsf@maritornes.cs.unb.ca>\r
+User-Agent: Mutt/1.5.21 (2010-09-15)\r
+X-BeenThere: notmuch@notmuchmail.org\r
+X-Mailman-Version: 2.1.20\r
+Precedence: list\r
+List-Id: "Use and development of the notmuch mail system."\r
+ <notmuch.notmuchmail.org>\r
+List-Unsubscribe: <https://notmuchmail.org/mailman/options/notmuch>,\r
+ <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>\r
+List-Archive: <http://notmuchmail.org/pipermail/notmuch/>\r
+List-Post: <mailto:notmuch@notmuchmail.org>\r
+List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>\r
+List-Subscribe: <https://notmuchmail.org/mailman/listinfo/notmuch>,\r
+ <mailto:notmuch-request@notmuchmail.org?subject=subscribe>\r
+X-List-Received-Date: Mon, 15 Aug 2016 00:04:56 -0000\r
+\r
+On Mon, Aug 15, 2016 at 07:42:39AM +0900, David Bremner wrote:\r
+> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:\r
+> > +Supported options for **reindex** include\r
+> > +\r
+> > +    ``--try-decrypt``\r
+> > +\r
+> > +        For each message, if it is encrypted, try to decrypt it while\r
+> > +        indexing.  If decryption is successful, index the cleartext\r
+> > +        itself.  Be aware that the index is likely sufficient to\r
+> > +        reconstruct the cleartext of the message itself, so please\r
+> > +        ensure that the notmuch message index is adequately\r
+> > +        protected. DO NOT USE THIS FLAG without considering the\r
+> > +        security of your index.\r
+> \r
+> What can we say about re-indexing without the flag, when the user has\r
+> previously indexed cleartext? I guess this is at least partly a question\r
+> for Olly: if we delete terms from a xapian document, how recoverable are\r
+> those terms and  positions? I suppose it might depend on backend, but\r
+> does deleting terms provide at least same level of security as deleting\r
+> files in modern file systems\r
+\r
+That seems a fair assessment.  Probably the main extra security you'd\r
+get is that there are less likely to be existing tools to get at the\r
+data, and that it's spread over more places so it's harder to locate it\r
+all so you can reconstruct the plain text (whereas if a deleted file\r
+contained the plain text, it would be fairly easy to locate if you can\r
+guess part of it, or at least write a bit of code to recognise likely\r
+candidates).\r
+\r
+> (i.e. not much against determined state level actors, but good enough\r
+> to defeat most older brothers)\r
+\r
+"Good enough against big brother, but not Big Brother"\r
+\r
+Cheers,\r
+    Olly\r