Commit graph

6895 commits

Author SHA1 Message Date
Floris Bruynooghe
1e072204cd Move from _add_message to _index_file API
This moves away from the deprecated notmuch_database_add_message API
and instead uses the notmuch_database_index_file API.  This means
instroducing a class to manage the index options and bumping the
library version requirement to 5.1.
2019-12-03 08:12:30 -04:00
Floris Bruynooghe
e2df30f7a9 Rename package to notmuch2
This is based on a previous discussion on the list where this was more
or less seen as the least-bad option.
2019-12-03 08:12:30 -04:00
Floris Bruynooghe
a950aa2844 Show which notmuch command and version is being used
This add the notmuch version and absolute path of the binary used
in the pytest header.  This is nice when running the tests
interactively as you get confirmation you're testing the version you
thought you were testing.
2019-12-03 08:12:30 -04:00
David Bremner
fbb8e1f430 debian: add python3 dependencies for the new python bindings
These should generally match those in .travis.yml
2019-12-03 08:12:30 -04:00
David Bremner
a48ccb5ef8 switch travis to bionic
This should solve the problem with pytest versions. Drop the notmuch
PPA, as (hopefully) we don't need those packages in bionic
2019-12-03 08:12:30 -04:00
David Bremner
af8c069194 travis: add python3-{cffi,pytest,setuptools}, libpython3-all-dev
These are needed for building and testing the new python bindings.
2019-12-03 08:12:30 -04:00
David Bremner
85adc756c9 tests: run python-cffi tests
The entire python-cffi test suite is considered as a single test at
the level of the notmuch test suite. This might or might not be ideal,
but it gets them run.
2019-12-03 08:12:30 -04:00
David Bremner
46e9615621 build: optionally build python-cffi bindings
Put the build product (and tests) in a well known location so that we
can find them e.g. from the tests.
2019-12-03 08:12:30 -04:00
David Bremner
3aaa8cfe94 configure: check for python cffi and pytest modules
This is needed to build the new python bindings, and run their tests.
2019-12-03 08:12:30 -04:00
David Bremner
e8cb7c7f60 bindings/python-cffi: preserve environment for tests
We'll need this e.g. to pass PATH to the pytest tests

Based on the suggested approach in id:87d0eljggj.fsf@powell.devork.be
2019-12-03 08:12:30 -04:00
Floris Bruynooghe
83c2d15898 Introduce CFFI-based python bindings
This introduces CFFI-based Python3-only bindings.
The bindings aim at:
- Better performance on pypy
- Easier to use Python-C interface
- More "pythonic"
  - The API should not allow invalid operations
  - Use native object protocol where possible
- Memory safety; whatever you do from python, it should not coredump.
2019-12-03 08:12:30 -04:00
William Casarin
5f9ea4d290 emacs: bind M-RET to notmuch-tree-from-search-thread
This is an unbound function that is quite useful. It opens a selected
thread in notmuch-tree from the current search query.

Signed-off-by: William Casarin <jb55@jb55.com>
2019-12-03 07:43:36 -04:00
David Edmondson
a1139fb5ec emacs: A prefix argument kills rather than browsing URLs
In `notmuch-show', the "B" key (notmuch-show-browse-urls) will kill
the URL if called with a prefix argument rather than browsing
directly.
2019-12-03 07:41:38 -04:00
David Bremner
dc2b5a031b notmuch release 0.29.3-1 for unstable (sid) [dgit]
[dgit distro=debian no-split --quilt=linear]
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEkiyHYXwaY0SiY6fqA0U5G1WqFSEFAl3eb60ACgkQA0U5G1Wq
 FSE1Ug//Wxc7AYeHc9ErjBOkK/oQjagGOI6cKsovHfyHDRqVULsDfGt/at7wBuS2
 7V1sfU5zttoNmltmamkao4T+f/dH70D5UJxWXu1vM0QDnKz+1U4g5jTGV9sDbqwA
 34XtewzZ4508GjmmhhCHLkwQN1zplI1phGfhkwDCWrWc5er8Yat9EroHvgJ2GYcA
 fvMe13hODPC4/R5jPyKHKERyFrcj5oeZPOAV6pnaNKq1qeNgOpKm1usldl73rqe5
 ehrqF5ZgMr7wVjrnK/9wV4x4FTUKTgjweLzwQ3pWkYj3tzDx5KBBM47IrIKwoLh1
 /IS4PY9znohi/Nyl8IScmIeDAVj6PYITj0lqaDCL8x0vTkuZ5f8sFiJORZcmderk
 CylvJUahr/shdV1YolBsh1TfavP4eKIz77MkfO77uTyZACPIyZF0iHlV+me8ixIJ
 IDi2BJ0Sp+pky6/211iJtbf43CUnXATfr3COraLtT/xEKfENA63lvJRL4y+6ahmr
 BrGNfUZTvnY1+K9ym8dm3wfLe49TThMM+zbkY+2b25puO6u7cIFXgjBhhIwC4rdY
 bCd3RewBngge8NzvHw//k5+fd4s7b2BfA/6rLGWlEm4g6eik2IALtDU9Qm3L1twS
 RVr1yLoXICoJNLX7hZlgaF3iv+LzMrWkyKgjaLKiZ8HYnDwKXJg=
 =qUN/
 -----END PGP SIGNATURE-----

Merge tag 'debian/0.29.3-1'

notmuch release 0.29.3-1 for unstable (sid) [dgit]

[dgit distro=debian no-split --quilt=linear]
2019-11-27 08:45:43 -04:00
David Bremner
a59ef7d02c debian: changelog for 0.29.3 2019-11-27 08:20:54 -04:00
David Bremner
e5437dc4c2 mention python 2 changes 2019-11-27 08:20:54 -04:00
David Bremner
3efa2ad72c version: bump to 0.29.3 2019-11-27 08:20:54 -04:00
David Bremner
9024b2f5f6 NEWS for 0.29.3 2019-11-27 08:20:54 -04:00
Ralph Seichter
a11b2f0f2d notmuch-dump.c: Fix output file being closed twice
Fixed: If the output file for a dump was non-writeable, gzclose_w()
was called twice on the output file handle, resulting in SIGABRT.

(cherry picked from commit 17806ecc95)
2019-11-27 08:00:00 -04:00
David Bremner
8e22514842 lib: fix memory error in notmuch_config_list_value
The documentation for notmuch_config_list_key warns that that the
returned value will be destroyed by the next call to
notmuch_config_list_key, but it neglected to mention that calling
notmuch_config_list_value would also destroy it (by calling
notmuch_config_list_key). This is surprising, and caused a use after
free bug in _setup_user_query_fields (first noticed by an OpenBSD
porter, so kudos to the OpenBSD malloc implementation).  This change
fixes that use-after-free bug.
2019-11-27 07:58:09 -04:00
Jakub Wilk
bb843f63fc python: make some docstrings raw
Fixes:

    notmuch/message.py:57: DeprecationWarning: invalid escape sequence \s
    notmuch/query.py:155: DeprecationWarning: invalid escape sequence \.
    notmuch/messages.py:89: DeprecationWarning: invalid escape sequence \s

with Python >= 3.6.
2019-11-20 21:08:15 -04:00
David Bremner
7ad7cfbff2 notmuch release 0.29.2-2 for experimental (experimental) [dgit]
[dgit distro=debian no-split --quilt=linear]
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEkiyHYXwaY0SiY6fqA0U5G1WqFSEFAl299QoACgkQA0U5G1Wq
 FSGeIRAAhVCm1IHVorsfGxf2f+ZLSg/2mqIZCwDRATMjK/lw1pLmJYcyWTAqSWQa
 liIW03ffms63Ry4Y5y6UJAoXALX0VfGqYkPCTiX2W0Qw2gSd/NWWP6nNDMsE+t++
 sYWraR6o6Blepc6odzFU17uib7uutGwng2H2eIWslxJTvR5bly55pybe/fluv7VT
 3kta8fExgVPPC1FpT9TBBykHtcd+Uv7CDHXk2pcw+ELBdKBPwS4Wn0GIU8VJ9mtU
 uHixTuNIjGEJa+n9dCUcHqDHrdgqsoR4RNFAIbQR+1M8zWDC8HFAvaeDe4desPX4
 slVTxzDuEoh8+F+uPNaKy/qAPrFPUP/ruJLAIuHLNo1QVGAFJuBUk5jzTF9nRjTJ
 +Uy2vRGo0REmgmyGc3qOCUn8E6ed3JnA/QpzSUiZNRKZZJgVWAivU0/Kb8ksW1PE
 fzbhkitw5kx3AMTUa4hefKun4vqUlzHBTHWnkUuf91sz0xN6NDFSoWNMnMCQ2i6O
 8ZWhsaUY9wh5JY1izM4LzhcgldKxZ7z0LdhBQG3vET/PZz2wsxQ+LAUQ7ziUHEOC
 pqtDqTO+eGK1w4bhCkIMlK2kU8ScoIHk0vuFgzx5mmYbv2kHhWkG3RsA7z1EE6Ad
 RG7FfRTGTmyQxN36mAsfV5lJvgQ3DFURtCX+zqTnHzb/NtW9Fu0=
 =13/r
 -----END PGP SIGNATURE-----

Merge tag 'debian/0.29.2-2'

notmuch release 0.29.2-2 for experimental (experimental) [dgit]

[dgit distro=debian no-split --quilt=linear]
2019-11-03 08:09:13 -04:00
David Bremner
2a003f0f50 debian upload 0.29.2-2: goodbye python2 support
Convert to pybuild while we are at it.
2019-11-02 18:21:25 -03:00
David Bremner
60ddce8a16 notmuch 0.29.2 release
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEkiyHYXwaY0SiY6fqA0U5G1WqFSEFAl2rJ5UACgkQA0U5G1Wq
 FSHLDhAAnV6BGnmT/CBa1FTJQIzsb0QoQZPAMieMoyLfc2ORU71fjaJ+fOo+S9pz
 e0WUocRf9eFFBAiN6AWI3N0UtzGalZzB7mPE+MHlG0SGW8g+7rjWuEaByUyuEDa7
 08AudVHq3KL0eO82P8Bzi0GFhFBP9tKn0hwYUky8A0eGlAVILrUgiMhQbYolB7GN
 a6IlBgFxsbRomzgMO1LBZDv1xCpzWWns8wyv6OUgCPtw6R4miMsym8k3I3+NaGTR
 X/fZRC6bxlpBBYpJzOJg6PD9IXv5aOw9hmhV7eqS3GfYJg+9F2cYdjUzOm4vsAsr
 HTO1i0jsUqy0QOV1KvVs03UG0x2MtCv3BK90nf1XWfA2DCyb8n5uRStwgFzWLWCh
 gXZ6t9dNkU4zk5x5za25Y2j8KMuoXZBbco6krjIRrbKQiEu/ZWDtg5n++z4otJ6q
 TgWjmRN/vQHUvI0mXEEHwuR1s5LUFTXQirOWJv75wedLH6gqfMrtOHqtxhB0Kom2
 9J81KAZ9CEIrio8+Lc3T4hQKta/HSvHf4dJjoPY01uObNadPJ90SLsgTZMRAH5PT
 kt8DBEqQc16e5Cz0UdwsgX5xKCfzYC2SkkFTI5rU3VA+G0cR8X8b0XgOlXYBP5xi
 x8/wjvSnmJbaGL+xBn8quC70SxSNBjZIvRilQdAG7aRKjMbF+bA=
 =zbMW
 -----END PGP SIGNATURE-----

Merge tag '0.29.2'

notmuch 0.29.2 release
2019-10-19 22:25:24 -03:00
David Bremner
1c8d9e172e update NEWS for 0.29.2 2019-10-19 07:37:37 -03:00
David Bremner
75328e4fec Changelog stanza for 0.29.2-1 2019-10-19 07:24:08 -03:00
David Bremner
449e77761e bump version 2019-10-19 07:21:53 -03:00
Daniel Kahn Gillmor
7eb9615b30 Drop devel/printmimestructure (it is in mailscripts 0.11)
mailscripts 0.11 now ships a derivative of devel/printmimestructure
called email-print-mime-structure.  Maintenance for that utility will
happen in mailscripts from now on, so we should not track an
independent copy of it in notmuch's source tree.

See https://bugs.debian.org/939993 for more details about the
adoption.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-10-13 09:31:50 -03:00
David Bremner
1979145b91 Merge branch 'release' 2019-10-13 09:24:48 -03:00
David Bremner
49621ea8d5 util: whitespace cleanup for 4c5b17b1
Oops. This should make the merge back to master smoother.
2019-10-13 09:18:24 -03:00
David Bremner
4c5b17b10b util: unreference objects referenced by the returned stream obj
We want freeing the returned stream to also free these underlying
objects. Compare tests/test-filters.c in the gmime 3.2.x source, which
uses this same idiom.

Thanks to James Troup for the report and the fix.
2019-10-12 08:45:55 -03:00
David Bremner
2cf38f8e1c test: known broken test file descriptor leak in gzip file open
James Troup reported this bug in id:87pnjsf9q5.fsf@canonical.com
2019-10-12 08:43:39 -03:00
David Bremner
74a1b5ac65 Merge branch 'release' 2019-09-23 21:36:01 -03:00
David Bremner
1ee5bdcc1d remove stray ` from NEWS 2019-09-23 21:34:38 -03:00
Daniel Kahn Gillmor
23bcd00363 cli/{show,reply}: use repaired form of "Mixed Up" mangled messages
When showing or replying to a message that has been mangled in transit
by an MTA in the "Mixed up" way, notmuch should instead use the
repaired form of the message.

Tracking the repaired GMimeObject for the lifetime of the mime_node so
that it is cleaned up properly is probably the trickiest part of this
patch, but the choices here are based on the idea that the
mime_node_context is the memory manager for the whole mime_node tree
in the first place, so new GMimeObject tree created on-the-fly during
message parsing should be disposed of in the same place.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-15 19:07:06 -04:00
Daniel Kahn Gillmor
4b1a8fd183 index: repair "Mixed Up" messages before indexing.
When encountering a message that has been mangled in the "mixed up"
way by an intermediate MTA, notmuch should instead repair it and index
the repaired form.

When it does this, it also associates the index.repaired=mixedup
property with the message.  If a problem is found with this repair
process, or an improved repair process is proposed later, this should
make it easy for people to reindex the relevant message.  The property
will also hopefully make it easier to diagnose this particular problem
in the future.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-15 19:07:06 -04:00
Daniel Kahn Gillmor
67666538b3 util/repair: identify and repair "Mixed Up" mangled messages
Implement a functional identification and repair process for "Mixed
Up" MIME messages as described in
https://tools.ietf.org/html/draft-dkg-openpgp-pgpmime-message-mangling-00#section-4.1

The detection test is not entirely complete, in that it does not
verify the contents of the latter two message subparts, but this is
probably safe to skip, because those two parts are unlikely to be
readable anyway, and the only part we are effectively omitting (the
first subpart) is guaranteed to be empty anyway, so its removal can be
reversed if you want to do so.  I've left FIXMEs in the code so that
anyone excited about adding these additional checks can see where to
put them in.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-15 19:06:31 -04:00
Daniel Kahn Gillmor
cb522fb06e test: add test for "Mixed-Up Mime" message mangling
Some MTAs mangle e-mail messages in transit in ways that are
repairable.

Microsoft Exchange (in particular, the version running today on
Office365's mailservers) appears to mangle multipart/encrypted
messages in a way that makes them undecryptable by the recipient.

I've documented this in section 4.1 "Mixed-up encryption" of draft -00
of
https://tools.ietf.org/html/draft-dkg-openpgp-pgpmime-message-mangling

Fortunately, it's possible to repair such a message, and notmuch can
do that so that a user who receives an encrypted message from a user
of office365.com can still decrypt the message.

Enigmail already knows about this particular kind of mangling.  It
describes it as "broken PGP email format probably caused by an old
Exchange server", and it tries to repair by directly changing the
message held by the user.  if this kind of repair goes wrong, the
repair process can cause data loss
(https://sourceforge.net/p/enigmail/bugs/987/, yikes).

The tests introduced here are currently broken.  In subsequent
patches, i'll introduce a non-destructive form of repair for notmuch
so that notmuch users can read mail that has been mangled in this way,
and the tests will succeed.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-15 01:20:03 -04:00
Tomi Ollila
e0e55c5b6f configure: disallow whitespace in paths, extend checks to $PWD
Whitespace in $NOTMUCH_SRCDIR (and $PWD) may work in builds,
but definitely will not work in tests. It would be difficult
to make tests support whitespace in test filename paths -- and
fragile to maintain if done.

So it is just easier and safer to disallow whitespace there.

In case of out of tree build $NOTMUCH_SRCDIR differs from $PWD
(current directory). Extend this whitespace, and also previously
made unsafe characters check to $PWD too.
2019-09-11 18:51:23 -03:00
Daniel Kahn Gillmor
9829533e92 index: avoid indexing legacy-display parts
When we notice a legacy-display part during indexing, it makes more
sense to avoid indexing it as part of the message body.

Given that the protected subject will already be indexed, there is no
need to index this part at all, so we skip over it.

If this happens during indexing, we set a property on the message:
index.repaired=skip-protected-headers-legacy-display

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:45:30 -03:00
Daniel Kahn Gillmor
c61e22d5cb cli/{show,reply}: skip over legacy-display parts
Make use of the previous changes to fast-forward past any
legacy-display parts during "notmuch show" and "notmuch reply".

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:44:17 -03:00
Daniel Kahn Gillmor
ff3d873f0b util/repair: add _notmuch_repair_crypto_payload_skip_legacy_display
This is a utility function designed to make it easier to
"fast-forward" past a legacy-display part associated with a
cryptographic envelope, and show the user the intended message body.

The bulk of the ugliness in here is in the test function
_notmuch_crypto_payload_has_legacy_display, which tests all of the
things we'd expect to be true in a a cryptographic payload that
contains a legacy display part.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:40:33 -03:00
Daniel Kahn Gillmor
ab0ae8b1c0 util/crypto: _n_m_crypto_potential_payload returns whether part is the payload
Our _notmuch_message_crypto_potential_payload implementation could
only return a failure if bad arguments were passed to it.  It is an
internal function, so if that happens it's an entirely internal bug
for notmuch.

It will be more useful for this function to return whether or not the
part is in fact a cryptographic payload, so we dispense with the
status return.

If some future change suggests adding a status return back, there are
only a handful of call sites, and no pressure to retain a stable API,
so it could be changed easily. But for now, go with the simpler
function.

We will use this return value in future patches, to make different
decisions based on whether a part is the cryptographic payload or not.
But for now, we just leave the places where it gets invoked marked
with (void) to show that the result is ignored.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:38:11 -03:00
Daniel Kahn Gillmor
8b25643d08 util/crypto: _n_m_crypto_potential_payload: rename "payload" arg to "part"
_notmuch_message_crypto_potential_payload is called on a GMimeObject
while walking the MIME tree of a message to determine whether that
object is the payload.  It doesn't make sense to name the argument
"payload" if it might not be the payload, so we rename it to "part"
for clarity.

This is a non-functional change, just semantic cleanup.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:36:12 -03:00
Daniel Kahn Gillmor
27b25e45dc test: avoid showing legacy-display parts
Enigmail generates a "legacy-display" part when it sends encrypted
mail with a protected Subject: header.  This part is intended to
display the Subject for mail user agents that are capable of
decryption, but do not know how to deal with embedded protected
headers.

This part is the first child of a two-part multipart/mixed
cryptographic payload within a cryptographic envelope that includes
encryption (that is, it is not just a cleartext signed message).  It
uses Content-Type: text/rfc822-headers.

That is:

A └┬╴multipart/encrypted
B  ├─╴application/pgp-encrypted
C  └┬╴application/octet-stream
*   ╤ <decryption>
D   └┬╴multipart/mixed; protected-headers=v1 (cryptographic payload)
E    ├─╴text/rfc822-headers; protected-headers=v1 (legacy-display part)
F    └─╴… (actual message body)

In discussions with jrollins, i've come to the conclusion that a
legacy-display part should be stripped entirely from "notmuch show"
and "notmuch reply" now that these tools can understand and interpret
protected headers.

You can tell when a message part is a protected header part this way:

 * is the payload (D) multipart/mixed with exactly two children?
 * is its first child (E) Content-Type: text/rfc822-headers?
 * does the first child (E) have the property protected-headers=v1?
 * do all the headers in the body of the first child (E) match
   the protected headers in the payload part (D) itself?

If this is the case, and we already know how to deal with the
protected header, then there is no reason to try to render the
legacy-display part itself for the user.

Furthermore, when indexing, if we are indexing properly, we should
avoid indexing the text in E as part of the message body.

'notmuch reply' is an interesting case: the standard use of 'notmuch
reply' will end up omitting all mention of protected Subject:.

The right fix is for the replying MUA to be able to protect its
headers, and for it to set them appropriately based on headers found
in the original message.

If a replying MUA is unable to protect headers, but still wants the
user to be able to see the original header, a replying MUA that
notices that the original message's subject differs from the proposed
reply subject may choose to include the original's subject in the
quoted/attributed text. (this would be a stopgap measure; it's not
even clear that there is user demand for it)

This test suite change indicates what we want to happen for this case
(the tests are currently broken), and includes three additional TODO
suggestions of subtle cases for anyone who wants to flesh out the test
suite even further.  (i believe all these cases should be already
fixed by the rest of this series, but haven't had time to write the
tests for the unusual cases)

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:32:56 -03:00
Daniel Kahn Gillmor
1b29822cf5 repair: set up codebase for repair functionality
This adds no functionality directly, but is a useful starting point
for adding new repair functionality.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:20:25 -03:00
Daniel Kahn Gillmor
dcfa2fc996 mime-node: split out _mime_node_set_up_part
This is a code reorganization that should have no functional effect,
but will make future changes simpler, because a future commit will
reuse the _mime_node_set_up_part functionality without touching
_mime_node_create.

In the course of splitting out this function, I noticed a comment in
the codebase that referred to an older name of _mime_node_create
(message_part_create), where this functionality originally resided.
I've fixed that comment to refer to the new function instead.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-09-01 08:17:00 -03:00
Tomi Ollila
e13862f127 configure: fix out of tree build; check unsafe characters in srcdir
While check for GMime session key extraction support... was made
out of tree build compatible, related (and some unrelated) unsafe
characters are now checked in notmuch source directory path.

The known unsafe characters in NOTMUCH_SRCDIR are:

- Single quote (') -- NOTMUCH_SRCDIR='${NOTMUCH_SRCDIR}'
  is written to sh.config in configure line 1328.

- Double quote (") -- configure line 521 *now* writes "$srcdir"
  into generated c source file ($NOTMUCH_SRCDIR includes $srcdir).

- Backslash (\) could also be problematic in configure line 521.

- The added $ and ` are potentially unsafe -- inside double quotes
  in shell script those have special meaning.

  Other characters don't expand inside double quoted strings.
2019-08-29 14:32:54 -03:00
Ralph Seichter
17806ecc95 notmuch-dump.c: Fix output file being closed twice
Fixed: If the output file for a dump was non-writeable, gzclose_w()
was called twice on the output file handle, resulting in SIGABRT.
2019-07-23 19:20:18 -03:00
David Bremner
8de9498167 Merge branch 'release'
Debian upload 0.29.1-2
2019-07-21 16:15:19 -03:00