Commit graph

97 commits

Author SHA1 Message Date
Daniel Kahn Gillmor
f6430bc06d doc: Examples of notmuch-reindex use and crypto policy
Currently, notmuch has the levers needed to set coherent crypto policy
around how cleartext is indexed, which also has an impact on how
messages are rendered.  But we don't have a lot of documentation about
how to do sensible things.  This is an initial attempt to address
that.

The first example shows a way to selectively index specific messages.

The next two examples are about aligning the existing database with
crypto indexing policy

The default crypto policy is to not index cleartext, and to only
decrypt messages on display when explicitly requested.

The other sensible crypto policy is to index cleartext while stashing
session keys. messages indexed in this way will be searchable, and
will be decrypted on display automatically unless the user explicitly
asks for it to *not* be decrypted.

The policy for indexing *new* messages is stored in the database as
the config variable index.decrypt.

But setting policy for new messages doesn't retroactively affect
already indexed messages.

This patch attempts to document ways that someone can efficiently
align their pre-existing database with their new policy.

I'm not sure this is the right place to document these examples, but i
do want them to be user-facing and relatively easy to find.  I'm happy
to entertain suggestions for where else we should put them.
2018-03-24 20:08:27 -03:00
Daniel Kahn Gillmor
b6e3efde05 cli/insert: add --world-readable flag
In some cases (e.g. when building a publicly-visible e-mail archive)
it doesn't make any sense to restrict visibility of the message to the
current user account.

This adds a --world-readable boolean option for "notmuch insert", so
that those who want to archive their mail publicly can feed their
archiver with:

    notmuch insert --world-readable

Other local delivery agents (postfix's local, and dovecot's lda) all
default to delivery in mode 0600 rather than relying on the user's
umask, so this fix doesn't change the default.

Also, this does not override the user's umask.  if the umask is
already set tight, it will not become looser as the result of passing
--world-readable.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2018-03-24 20:08:11 -03:00
Daniel Kahn Gillmor
54982e520c fix typos 2018-01-04 20:35:58 -04:00
David Bremner
d0dffdae31 doc/{reply, show}: match indentation
This is essentially a conflict resolution Jani's normalization and
Daniel's doc changes, but it's easier to do as a second commit.
2017-12-31 09:34:28 -04:00
David Bremner
99407db25c Merge branch 'release'
Conflicts:
        doc/man1/notmuch-reply.rst
	doc/man1/notmuch-show.rst

Conflicts taken from release (dkg's doc changes)
2017-12-31 09:26:13 -04:00
Jani Nikula
e5e252de55 doc: unify definition list usage across man pages
Make all parameter descriptions etc. use reStructuredText definition
lists with uniform style and indentation. Remove redundant indentation
from around the lists. Remove blank lines between term lines and
definition blocks. Use four spaces for indentation.

This is almost completely whitespace and paragraph reflow changes.
2017-12-31 09:06:11 -04:00
Daniel Kahn Gillmor
af8255fb71 cli/reply: make --decrypt take a keyword
This brings the --decrypt argument to "notmuch reply" into line with
the other --decrypt arguments (in "show", "new", "insert", and
"reindex").  This patch is really just about bringing consistency to
the user interface.

We also use the recommended form in the emacs MUA when replying, and
update test T350 to match.
2017-12-29 16:45:55 -04:00
Daniel Kahn Gillmor
8ea4a99d74 cli/show: make --decrypt take a keyword.
We also expand tab completion for it, update the emacs bindings, and
update T350, T357, and T450 to match.

Make use of the bool-to-keyword backward-compatibility feature.
2017-12-29 16:45:46 -04:00
Jani Nikula
f2a6790583 cli/new: support /<regex>/ in new.ignore
Add support for using /<regex>/ style regular expressions in
new.ignore, mixed with the old style verbatim file and directory
basenames. The regex is matched against the relative path from the
database path.
2017-12-15 07:54:33 -04:00
Jani Nikula
f3fc97c000 cli: add support for only printing the addresses in notmuch address
The notmuch address output is much more useful for scripts with just
the addresses printed. Support this using the --output=address option.
2017-12-14 21:28:50 -04:00
Daniel Kahn Gillmor
be555b9d27 docs: clean up documentation about decryption policies
Now that the range of sensible decryption policies has come into full
view, we take a bit of space to document the distinctions.

Most people will use either "auto" or "true" -- but we provide "false"
and "nostash" to handle use cases that might reasonably be requested.

Note also that these can be combined in sensible ways.  Like, if your
mail comes in regularly to a service that doesn't have access to your
secret keys, but does have access to your index, and you feel
comfortable adding selected encrypted messages to the index after
you've read them, you could stay in "auto" normally, and then when you
find yourself reading an indexable message (e.g. one you want to be
able to search for in the future, and that you don't mind exposing to
whatever entities have access to your inde), you can do:

    notmuch reindex --decrypt=true id:whatever@example.biz

That leaves your default the same (still "auto") but you get the
cleartext index and stashed session key benefits for that particular
message.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
fccebbaeef crypto: add --decrypt=nostash to avoid stashing session keys
Here's the configuration choice for people who want a cleartext index,
but don't want stashed session keys.

Interestingly, this "nostash" decryption policy is actually the same
policy that should be used by "notmuch show" and "notmuch reply",
since they never modify the index or database when they are invoked
with --decrypt.

We take advantage of this parallel to tune the behavior of those
programs so that we're not requesting session keys from GnuPG during
"show" and "reply" that we would then otherwise just throw away.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
29648a137c crypto: actually stash session keys when decrypt=true
If you're going to store the cleartext index of an encrypted message,
in most situations you might just as well store the session key.
Doing this storage has efficiency and recoverability advantages.

Combined with a schedule of regular OpenPGP subkey rotation and
destruction, this can also offer security benefits, like "deletable
e-mail", which is the store-and-forward analog to "forward secrecy".

But wait, i hear you saying, i have a special need to store cleartext
indexes but it's really bad for me to store session keys!  Maybe
(let's imagine) i get lots of e-mails with incriminating photos
attached, and i want to be able to search for them by the text in the
e-mail, but i don't want someone with access to the index to be
actually able to see the photos themselves.

Fret not, the next patch in this series will support your wacky
uncommon use case.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
6a9626a2fd cli/reindex: destroy stashed session keys when --decrypt=false
There are some situations where the user wants to get rid of the
cleartext index of a message.  For example, if they're indexing
encrypted messages normally, but suddenly they run across a message
that they really don't want any trace of in their index.

In that case, the natural thing to do is:

   notmuch reindex --decrypt=false id:whatever@example.biz

But of course, clearing the cleartext index without clearing the
stashed session key is just silly.  So we do the expected thing and
also destroy any stashed session keys while we're destroying the index
of the cleartext.

Note that stashed session keys are stored in the xapian database, but
xapian does not currently allow safe deletion (see
https://trac.xapian.org/ticket/742).

As a workaround, after removing session keys and cleartext material
from the database, the user probably should do something like "notmuch
compact" to try to purge whatever recoverable data is left in the
xapian freelist.  This problem really needs to be addressed within
xapian, though, if we want it fixed right.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
076f86025d cli/new, insert, reindex: change index.decrypt to "auto" by default
The new "auto" decryption policy is not only good for "notmuch show"
and "notmuch reindex".  It's also useful for indexing messages --
there's no good reason to not try to go ahead and index the cleartext
of a message that we have a stashed session key for.

This change updates the defaults and tunes the test suite to make sure
that they have taken effect.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
181d4091c4 cli/new, insert, reindex: update documentation for --decrypt=auto
we also include --decrypt=auto in the tab completion.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
a1260896f6 cli/show: use decryption policy "auto" by default.
When showing a message, if the user doesn't specify --decrypt= at all,
but a stashed session key is known to notmuch, notmuch should just go
ahead and try to decrypt the message with the session key (without
bothering the user for access to their asymmetric secret key).

The user can disable this at the command line with --decrypt=false if
they really don't want to look at the e-mail that they've asked
notmuch to show them.

and of course, "notmuch show --decrypt" still works for accessing the
user's secret keys if necessary.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
6802b333eb cli/reply: use decryption policy "auto" by default.
If the user doesn't specify --decrypt= at all, but a stashed session
key is known to notmuch, when replying to an encrypted message,
notmuch should just go ahead and decrypt.

The user can disable this at the command line with --decrypt=false,
though it's not clear why they would ever want to do that.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
e4890b5bf9 crypto: new decryption policy "auto"
This new automatic decryption policy should make it possible to
decrypt messages that we have stashed session keys for, without
incurring a call to the user's asymmetric keys.
2017-12-08 08:07:53 -04:00
Daniel Kahn Gillmor
d3964e81ac indexing: Change from try_decrypt to decrypt
the command-line interface for indexing (reindex, new, insert) used
--try-decrypt; and the configuration records used index.try_decrypt.
But by comparison with "show" and "reply", there doesn't seem to be
any reason for the "try" prefix.

This changeset adjusts the command-line interface and the
configuration interface.

For the moment, i've left indexopts_{set,get}_try_decrypt alone.  The
subsequent changeset will address those.
2017-12-08 08:05:53 -04:00
Jani Nikula
733ccfabca cli: allow empty strings for notmuch insert --folder argument
Now that it's easy to add argument specific modifiers in opt
descriptions, add a new .allow_empty field to allow empty strings for
individual string arguments while retaining strict checks
elsewhere. Use this for notmuch insert --folder, where the empty
string means top level folder.
2017-11-08 09:46:44 -05:00
Daniel Kahn Gillmor
8116891744 cli/reindex: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting on a per-run basis
when invoking "notmuch reindex".  This allows the possibility of (for
example) an emacs keybinding that adds the cleartext of the currently
shown decrypted message to the index, making it searchable in the
future.

It also enables one-time indexing of all messages matching some query,
like so:

    notmuch reindex tag:encrypted and\
       not property:index.decryption=success and\
       from:alice@example.org

We also update the documentation and tab completion, and add a few
more tests.
2017-10-21 19:58:52 -03:00
Daniel Kahn Gillmor
c5356b9ed5 cli/insert: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting on a per-message
basis when invoking "notmuch insert".

We also update the documentation and tab completion, and add more tests.
2017-10-21 19:58:43 -03:00
Daniel Kahn Gillmor
35456d4b0c cli/new: add --try-decrypt=(true|false)
Enable override of the index.try_decrypt setting during "notmuch new"
on a per-invocation basis.

We update the documentation and tab completion, and also add a test.
2017-10-21 19:58:32 -03:00
Daniel Kahn Gillmor
d0da7a0a1c config: define new option index.try_decrypt
By default, notmuch won't try to decrypt on indexing.  With this
patch, we make it possible to indicate a per-database preference using
the config variable "index.try_decrypt", which by default will be
false.

At indexing time, the database needs some way to know its internal
defaults for how to index encrypted parts.  It shouldn't be contingent
on an external config file (since that can't be retrieved from the
database object itself), so we store it in the database.

This behaves similarly to the query.* configurations, which are also
stored in the database itself, so we're not introducing any new
dependencies by requiring that it be stored in the database.
2017-10-21 19:54:33 -03:00
Daniel Kahn Gillmor
886c0b1666 config: test whether an item is stored in the database by name
QUERY_STRING was only used in two places, both to test whether a
variable should be stored in (or retrieved from) the database.

Since other configuration variables might be stored in the database in
the future, consolidate that test into a single function.

We also document that these configuration options should not be placed
in the config file.
2017-10-21 19:54:24 -03:00
Daniel Kahn Gillmor
6575b7eb31 doc: add notmuch-properties(7)
We will want a user-facing place to record details about the use of
notmuch properties shortly.  This establishes a new manual page for
that purpose.
2017-10-21 19:52:55 -03:00
Daniel Kahn Gillmor
6499fce391 doc: make SEE ALSO references one-per-line
This will make future diffs cleaner, make it easier to keep them
alphabetical, and make it easier to scan and search the documentation
sources.
2017-10-18 22:36:39 -03:00
Daniel Kahn Gillmor
5fb0f5f113 doc: fix documentation typos and copy/paste-os 2017-10-18 22:36:09 -03:00
Daniel Kahn Gillmor
e5beec39d6 add "notmuch reindex" subcommand
This new subcommand takes a set of search terms, and re-indexes the
list of matching messages.
2017-08-01 21:17:47 -04:00
David Bremner
ed4a9082c0 cli/search: print total number of files matched in summary output.
The structured output formats already have all of the filenames. This
is an easy bit of UI change to make the multiple files visible.
2017-08-01 21:17:47 -04:00
Daniel Kahn Gillmor
87bdfbc91f Fix orthography 2017-07-18 06:50:44 -03:00
Daniel Kahn Gillmor
e142de643d config: deprecate/drop crypto.gpg_path under gmime 2.6/3.0
gmime 3.0 no longer offers a means to set the path for gpg.

Users can set $PATH anyway if they want to pick a
differently-installed gpg (e.g. /usr/local/bin/gpg), so this isn't
much of a reduction in functionality.

The one main difference is for people who have tried to use "gpg2" to
make use of gpg 2.1, but that isn't usefully co-installable anyway.
2017-07-14 21:23:52 -03:00
David Bremner
a32dd81a55 cli: add space separator for keyword, string, and int arguments
Defer the complication of optional boolean arguments for later (never?).
2017-07-12 17:46:29 -03:00
David Bremner
d47e184118 cli/dump: bump dump format version to 3
No changes to the format of the body, but the header format was
fixed, and version 2 headers probably shouldn't be relied on.
2017-04-01 09:10:15 -03:00
Jani Nikula
02421015fd man: document external subcommand handling in notmuch(1)
The documentation for this was overlooked when adding the subcommand
handling. This seems like the proper place for it.
2017-03-07 09:05:50 -04:00
David Bremner
5de84d0752 Merge branch 'release'
Add back in no-display parameter by hand.
2016-12-15 21:57:10 +09:00
David Bremner
3d312e2577 cli/insert: document the use of EX_TEMPFAIL 2016-12-15 20:21:02 +09:00
Tomi Ollila
ef763a9e8b doc: whitespace cleanup
In most part, our .rst documents are indented with 8 spaces instead
of tabs. Bring the rest of the lines to the same format.
Also, on one (supposedly empty) line, trailing spaces were removed.
2016-11-28 21:58:17 -04:00
David Bremner
c970de6dc5 Merge branch 'release'
Add Jani's fix for notmuch-new
2016-11-26 08:43:31 -04:00
Jani Nikula
a5df39c276 notmuch-emacs-mua: add --hello parameter
If the --hello parameter is given, display the notmuch hello buffer
instead of the message composition buffer if no message composition
parameters are given.

Signed-off-by: Jani Nikula <jani@nikula.org>
2016-11-26 08:15:11 -04:00
Jani Nikula
caa9dcb707 man: advertize notmuch-emacs-mua as notmuch emacs-mua subcommand
With subcommand handling for external commands we can now hide the
implementation detail of emacs-mua being a separate notmuch-emacs-mua
script.
2016-11-26 08:09:58 -04:00
David Bremner
0ca7900727 cli/new: document new exit code
It seems important to give the numeric return code for people writing
scripts. Hopefully deviations from this convention are rare.
2016-11-25 22:44:05 -04:00
Jani Nikula
cbeb0685c7 notmuch-emacs-mua: add support for mailto: URL handling
Add support for composing an email in the Notmuch Emacs UI using a
mailto: URL. The mailto: URL mode is mutually exclusive with
specifying other message modifying parameters and positional
arguments.
2016-11-02 07:40:33 -03:00
David Bremner
651da30c09 cli: optionally restore message properties from dump file
This somewhat mimics the config line parsing, except there can be
arbitrarily many key value pairs, so one more level of looping is
required.
2016-09-21 18:14:25 -03:00
David Bremner
b7345d277e CLI: add properties to dump output
Part of providing extensibility via properties is to make sure that user
data is not lost. Thus we need to be able to dump and restore
properties.
2016-09-21 18:14:25 -03:00
Daniel Kahn Gillmor
89c8d27948 clean up spelling 2016-09-12 08:16:35 -03:00
David Bremner
3ba1b938b5 doc: update cross references for notmuch.1
In particular add notmuch-compact(1) (Debian bug #825884)
2016-08-23 20:53:52 -03:00
David Bremner
d9d2d535b3 doc: document notmuch-dump header line
This was introduced with the libconfig changes, but not documented then.
2016-06-07 07:52:34 -03:00
Daniel Kahn Gillmor
6a833a6e83 Use https instead of http where possible
Many of the external links found in the notmuch source can be resolved
using https instead of http.  This changeset addresses as many as i
could find, without touching the e-mail corpus or expected outputs
found in tests.
2016-06-05 08:32:17 -03:00