Commit graph

5761 commits

Author SHA1 Message Date
Daniel Kahn Gillmor
68e753a21f NEWS: document notmuch reindex
Describe the introduction of the "reindex" subcommand.  This blurb
acknowledges Subject: instability under reindexing when multiple
copies exist (suggesting that this is something that needn't
necessarily hold up a release).
2017-12-24 09:54:01 -04:00
Daniel Kahn Gillmor
6aec7a76b9 python: add decrypt_policy argument to Database.index_file()
We adopt a pythonic idiom here with an optional argument, rather than
exposing the user to the C indexopts object directly.

This now includes a simple test to ensure that the decrypt_policy
argument works as expected.
2017-12-24 09:47:35 -04:00
l-m-h@web.de
e0ac149955 python: Fix method name in docs
Fix a method rename in the docs that was overlooked in
3444c731d2.
2017-12-24 09:17:06 -04:00
Daniel Kahn Gillmor
b1de8e885d test: final named query test works regardless of Xapian FieldProcessor
This test passes with older versions of Xapian as well, because
neither query returns any results.

This should resolve the travis build failure at
https://travis-ci.org/notmuch/notmuch/builds/318571658

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-12-21 09:35:20 -04:00
David Bremner
7cfa1c6961 lib: return "" rather than NULL from notmuch_thread_get_authors
The current behaviour is at best under-documented. The modified test in
T470-missing-headers.sh previously relied on printf doing the right
thing with NULL, which seems icky.

The use of talloc_strdup here is probably overkill, but it avoids
having to enforce that thread->authors is never mutated outside
_resolve_thread_authors_string.
2017-12-21 09:22:30 -04:00
Daniel Kahn Gillmor
8e1c3fa5bb test: retrying lock tests are broken when built against older Xapian
If we're building against a version of Xapian that doesn't offer
retrying the lock, we should be honest and describe the tests as
broken, rather than marking them as missing a test prerequisite.

missing test prerequisites should be for specific components of the
test harness that are missing, not for the backend library notmuch
uses.
2017-12-19 07:14:13 -04:00
Daniel Kahn Gillmor
bace15c275 test: named query tests are broken when missing Xapian FieldProcessor
Named queries don't work without Xapian FieldProcessor.  Rather than
silently skipping them, we should explictly mark them as broken when
building against an older version of Xapian.
2017-12-19 07:14:07 -04:00
Daniel Kahn Gillmor
776a2982ae test: searching by absolute date is broken without Xapian FieldProcessor
Previously, the test suite had simply silently skipped the absolute
date test if we're using an archaic version of Xapian.  For
correctness, we should instead mark the test as broken.

This also changes from string to numeric comparison when checking
NOMTUCH_HAVE_XAPIAN_FIELD_PROCESSOR for consistency with other tests.
2017-12-19 07:14:03 -04:00
l-m-h@web.de
660f1a5a33 test: Add test to unset config items with the python bindings 2017-12-19 06:42:50 -04:00
l-m-h@web.de
3444c731d2 python: Rename get_config_list to get_configs
The old name has a bit of a feeling of hungarian notation.  Also many
generators in the core are named with the suffix "s" to indicate
iterables: dict.items, dict.keys for example.
2017-12-19 06:42:11 -04:00
l-m-h@web.de
7a07fd8625 test: Add tests for new python bindings
The tests where adopted from the tests for the corresponding C functions
in test/T590-libconfig.sh.
2017-12-19 06:41:23 -04:00
l-m-h@web.de
e745857c4a python: turn get_config_list into a generator
This mimics the behaviour of the underlying C function more closely as
it also does not store all values in memory.
2017-12-19 06:40:47 -04:00
l-m-h@web.de
c536de3afb python: add default arg to get_config_list
It makes the function a little more intuitive to use and does not
diverge much from the original function signature.

Also an example is added to the docstring.
2017-12-19 06:39:32 -04:00
l-m-h@web.de
6c6b0f13ff python: add bindings to access config
The C functions notmuch_database_get_config,
notmuch_database_get_config_list and notmuch_database_set_config are
part of the official C bindings.  So there should also be some python
bindings for them.

Also they are the only way to access the named queries introduced in
b9bf3f44.

The interface of the python functions is designed to be close to the C
functions.
2017-12-19 06:36:30 -04:00
W. Trevor King
572259885a nmbug: Only error for invalid diff lines in tags/
Avoid:

  Traceback (most recent call last):
    File "/home/nmbug/bin/nmbug", line 834, in <module>
      args.func(**kwargs)
    File "/home/nmbug/bin/nmbug", line 385, in checkout
      status = get_status()
    File "/home/nmbug/bin/nmbug", line 580, in get_status
      maybe_deleted = _diff_index(index=index, filter='D')
    File "/home/nmbug/bin/nmbug", line 658, in _diff_index
      for id, tag in _unpack_diff_lines(stream=p.stdout):
    File "/home/nmbug/bin/nmbug", line 678, in _unpack_diff_lines
      'Invalid line in diff: {!r}'.format(line.strip()))
  ValueError: Invalid line in diff: u'.mailmap'

With this commit, folks can commit READMEs, .mailmap, etc. to their
nmbug repositories, and 'nmbug diff' and 'status' won't choke on them.
If you want to check for this sort of thing, you can set --log-level
to info or greater.  nmbug will still error if the unrecognized path
is under tags/, since that's more likely to be a user error.
2017-12-16 08:20:13 -04:00
Jani Nikula
7354d6d8f6 test: test regexp based new.ignore
Just some basics.
2017-12-15 07:55:02 -04:00
Jani Nikula
f2a6790583 cli/new: support /<regex>/ in new.ignore
Add support for using /<regex>/ style regular expressions in
new.ignore, mixed with the old style verbatim file and directory
basenames. The regex is matched against the relative path from the
database path.
2017-12-15 07:54:33 -04:00
Jani Nikula
89f651a403 doc: arrange search prefix documentation in a definition list
Having first a list of prefixes followed by detailed descriptions was
viable when we didn't have all that many prefixes. Now, arranging the
prefix descriptions in a definition list makes more sense.

While at it, include all the supported prefix forms, especially some
missing regex ones.
2017-12-14 21:41:39 -04:00
Jani Nikula
f3fc97c000 cli: add support for only printing the addresses in notmuch address
The notmuch address output is much more useful for scripts with just
the addresses printed. Support this using the --output=address option.
2017-12-14 21:28:50 -04:00
Jani Nikula
ab4b033c70 test: expand argument parsing sanity checks
Test the various boolean formats and --no- prefixed boolean and
keyword flag arguments.
2017-12-13 08:31:03 -04:00
Jani Nikula
e29ec5f0e9 cli: use the negating boolean support for new and insert --no-hooks
This lets us use the positive hooks variable in code, increasing
clarity.
2017-12-13 08:28:37 -04:00
Jani Nikula
39abd3b522 cli: add support for --no- prefixed boolean and keyword flag arguments
Add transparent support for negating boolean and keyword flag
arguments using --no-argument style on the command line. That is, if
the option description contains a boolean or a keyword flag argument
named "argument", --no-argument will match and negate it.

For boolean arguments this obviously means the logical NOT. For
keyword flag arguments this means bitwise AND of the bitwise NOT,
i.e. masking out the specified bits instead of OR'ing them in.

For example, you can use --no-exclude instead of --exclude=false in
notmuch show. If we had keyword flag arguments with some flags
defaulting to on, say --include=tags in notmuch dump/restore, this
would allow --no-include=tags to switch that off while not affecting
other flags.

As a curiosity, you should be able to warp your brain using
--no-exclude=true meaning false and --no-exclude=false meaning true if
you wish.

Specifying both "argument" and "no-argument" style arguments in the
same option description should be avoided. In this case, --no-argument
would match whichever is specified first, and --argument would only
match "argument".
2017-12-13 08:21:13 -04:00
Daniel Kahn Gillmor
1c2de79a1d Standards-Version: bumped to 4.1.2 (no changes needed) 2017-12-12 08:30:18 -04:00
Daniel Kahn Gillmor
94dc81a91b cli/help,completion: added pointers to notmuch-properties(7) 2017-12-11 09:11:19 -04:00
W. Trevor King
7ef3b65376 nmbug: Auto-checkout in clone if it wouldn't clobber
We currently auto-checkout after pull and merge to make those more
convenient.  They're guarded against data-loss with a leading
_insist_committed().  This commit adds the same convenience to clone,
since in most cases users will have no NMBPREFIX-prefixed tags in
their database when they clone.  Users that *do* have
NMBPREFIX-prefixed tags will get a warning (and I've bumped the
default log level to warning so folks who don't set --log-level will
see it) like:

  $ nmbug clone http://nmbug.notmuchmail.org/git/nmbug-tags.git
  Cloning into '/tmp/nmbug-clone.g9dvd0tv'...
  Checking connectivity: 16674, done.
  Branch config set up to track remote branch config from origin.
  Not checking out to avoid clobbering existing tags: notmuch::0.25, ...
2017-12-11 09:07:09 -04:00
W. Trevor King
0a1558471f nmbug: Accept failures to unset core.worktree in clone
Since 6311cfaf (init: do not set unnecessary core.worktree,
2016-09-25, 2.11.0 [1]), Git has no longer set core.worktree when
--separate-git-dir is used.  This broke clone with:

  $ nmbug clone http://nmbug.notmuchmail.org/git/nmbug-tags.git
  Cloning into '/tmp/nmbug-clone.33gg442e'...
  Checking connectivity: 16674, done.
  ['git', '--git-dir', '/home/wking/.nmbug', 'config', '--unset', 'core.worktree'] exited with 5
  $ echo $?
  1

The initial discussion that lead to the Git change is in [2], and
there is some more discussion around this specific change in [3].
There is some useful background on working trees in this 2009 message
[4].  There is also a git-worktree(1) since df0b6cfb (worktree: new
place for "git prune --worktrees", 2015-06-29, 2.5.0 [5]) which grew
the ability to add new worktrees in 799767cc (Merge branch
'es/worktree-add', 2015-07-13, 2.5.0 [6]).  Folks relying on
core.worktree in the --separate-git-dir case fall into the "former
case" in [4], and as Junio pointed out in that message, Git
operations like 'add' don't really work there.

In nmbug we don't want core.worktree, because our effective working
tree is the notmuch database.  By accepting failed core.worktree
unsets, clone will work with Gits older and younger than 2.11.0.

[1]: 6311cfaf93
[2]: https://public-inbox.org/git/CALqjkKZO_y0DNcRJjooyZ7Eso7yBMGhvZ6fE92oO4Su7JeCeng@mail.gmail.com/
[3]: https://public-inbox.org/git/87h94d8cwi.fsf@kyleam.com/
[4]: https://public-inbox.org/git/7viqbsw2vn.fsf@alter.siamese.dyndns.org/
[5]: df0b6cfbda
[6]: 799767cc98

Reported-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-12-11 09:06:47 -04:00
W. Trevor King
e263c5b1f9 nmbug: Respect 'expect' in _spawn(..., wait=True)
Fixing a bug from 7f2cb3be (nmbug: Translate to Python, 2014-10-03).
The bug had no direct impact though, because none of the wait=True
callers were setting expect.

Also add expected codes to the debug messages, to help log readers
understand why nonzero exits are occasionally accepted.
2017-12-11 09:06:30 -04:00
David Bremner
040c3236af Merge branch 'release'
Conflicts:
        NEWS

Add in NEWS from point release
2017-12-08 22:19:06 -04:00
David Bremner
ae55a86639 debian: add changelog stanza for 0.25.3-1 2017-12-08 21:08:21 -04:00
David Bremner
8520bfb9f4 debian: disable gdb on alpha
gdb seems to be broken on more architectures than it works :(.
2017-12-08 21:05:25 -04:00
David Bremner
8e69663a8b INSTALL: suggest gmime-3.x
Since we deprecated support for GMime 2.6...
2017-12-08 21:01:17 -04:00
David Bremner
7a1d1912e7 debian: add versioned depends on libgmime 2017-12-08 20:59:45 -04:00
David Bremner
000bbc73ff NEWS: news for 0.25.3 2017-12-08 20:57:28 -04:00
David Bremner
ecb5668178 version: bump to 0.25.3 2017-12-08 20:47:25 -04:00
David Bremner
151b2c3747 test/emacs: add exploit mitigation test
This test will pass if either the notmuch show mitigation code is
working correctly, or upstream emacs mime handling code has it's own
fix for https://bugs.gnu.org/28350.
2017-12-08 20:36:20 -04:00
Tomi Ollila
f55e9a3bda emacs: letf enriched-decode-display-prop for text/enriched display
Dynamically bind enriched-decode-display-prop when inserting
text/enriched part. This complements commit 9b05823838 for
emacs versions before 24.4 which do not have advice-add
functionality.

Since emacs 25.3 this particular bug is fixed.
2017-12-08 20:35:41 -04:00
Daniel Kahn Gillmor
cb855d8a9d crypto: signature verification reports valid User IDs
When i'm trying to understand a message signature, i care that i know
who it came from (the "validity" of the identity associated with the
key), *not* whether i'm willing to accept the keyholder's other
identity assertions (the "trust" associated with the certificate).

We've been reporting User ID information based on the "trust"
associated with the certificate, because GMime didn't clearly expose
the validity of the User IDs.

This change relies on fixes made in GMime 3.0.3 and later which
include https://github.com/jstedfast/gmime/pull/18.
2017-12-08 20:35:18 -04:00
Daniel Kahn Gillmor
be555b9d27 docs: clean up documentation about decryption policies
Now that the range of sensible decryption policies has come into full
view, we take a bit of space to document the distinctions.

Most people will use either "auto" or "true" -- but we provide "false"
and "nostash" to handle use cases that might reasonably be requested.

Note also that these can be combined in sensible ways.  Like, if your
mail comes in regularly to a service that doesn't have access to your
secret keys, but does have access to your index, and you feel
comfortable adding selected encrypted messages to the index after
you've read them, you could stay in "auto" normally, and then when you
find yourself reading an indexable message (e.g. one you want to be
able to search for in the future, and that you don't mind exposing to
whatever entities have access to your inde), you can do:

    notmuch reindex --decrypt=true id:whatever@example.biz

That leaves your default the same (still "auto") but you get the
cleartext index and stashed session key benefits for that particular
message.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
fccebbaeef crypto: add --decrypt=nostash to avoid stashing session keys
Here's the configuration choice for people who want a cleartext index,
but don't want stashed session keys.

Interestingly, this "nostash" decryption policy is actually the same
policy that should be used by "notmuch show" and "notmuch reply",
since they never modify the index or database when they are invoked
with --decrypt.

We take advantage of this parallel to tune the behavior of those
programs so that we're not requesting session keys from GnuPG during
"show" and "reply" that we would then otherwise just throw away.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
29648a137c crypto: actually stash session keys when decrypt=true
If you're going to store the cleartext index of an encrypted message,
in most situations you might just as well store the session key.
Doing this storage has efficiency and recoverability advantages.

Combined with a schedule of regular OpenPGP subkey rotation and
destruction, this can also offer security benefits, like "deletable
e-mail", which is the store-and-forward analog to "forward secrecy".

But wait, i hear you saying, i have a special need to store cleartext
indexes but it's really bad for me to store session keys!  Maybe
(let's imagine) i get lots of e-mails with incriminating photos
attached, and i want to be able to search for them by the text in the
e-mail, but i don't want someone with access to the index to be
actually able to see the photos themselves.

Fret not, the next patch in this series will support your wacky
uncommon use case.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
6a9626a2fd cli/reindex: destroy stashed session keys when --decrypt=false
There are some situations where the user wants to get rid of the
cleartext index of a message.  For example, if they're indexing
encrypted messages normally, but suddenly they run across a message
that they really don't want any trace of in their index.

In that case, the natural thing to do is:

   notmuch reindex --decrypt=false id:whatever@example.biz

But of course, clearing the cleartext index without clearing the
stashed session key is just silly.  So we do the expected thing and
also destroy any stashed session keys while we're destroying the index
of the cleartext.

Note that stashed session keys are stored in the xapian database, but
xapian does not currently allow safe deletion (see
https://trac.xapian.org/ticket/742).

As a workaround, after removing session keys and cleartext material
from the database, the user probably should do something like "notmuch
compact" to try to purge whatever recoverable data is left in the
xapian freelist.  This problem really needs to be addressed within
xapian, though, if we want it fixed right.
2017-12-08 08:08:47 -04:00
Daniel Kahn Gillmor
076f86025d cli/new, insert, reindex: change index.decrypt to "auto" by default
The new "auto" decryption policy is not only good for "notmuch show"
and "notmuch reindex".  It's also useful for indexing messages --
there's no good reason to not try to go ahead and index the cleartext
of a message that we have a stashed session key for.

This change updates the defaults and tunes the test suite to make sure
that they have taken effect.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
d137170b23 crypto: record whether an actual decryption attempt happened
In our consolidation of _notmuch_crypto_decrypt, the callers lost
track a little bit of whether any actual decryption was attempted.

Now that we have the more-subtle "auto" policy, it's possible that
_notmuch_crypto_decrypt could be called without having any actual
decryption take place.

This change lets the callers be a little bit smarter about whether or
not any decryption was actually attempted.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
181d4091c4 cli/new, insert, reindex: update documentation for --decrypt=auto
we also include --decrypt=auto in the tab completion.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
f845fb2a51 cli/show, reply: document use of stashed session keys in notmuch-properties
The stashed session keys are stored internally as notmuch properties.
So a user or developer who is reading about those properties might
want to understand how they fit into the bigger picture.

Note here that decrypting with a stored session key no longer needs
-decrypt for "notmuch show" and "notmuch reply".
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
a1260896f6 cli/show: use decryption policy "auto" by default.
When showing a message, if the user doesn't specify --decrypt= at all,
but a stashed session key is known to notmuch, notmuch should just go
ahead and try to decrypt the message with the session key (without
bothering the user for access to their asymmetric secret key).

The user can disable this at the command line with --decrypt=false if
they really don't want to look at the e-mail that they've asked
notmuch to show them.

and of course, "notmuch show --decrypt" still works for accessing the
user's secret keys if necessary.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
6802b333eb cli/reply: use decryption policy "auto" by default.
If the user doesn't specify --decrypt= at all, but a stashed session
key is known to notmuch, when replying to an encrypted message,
notmuch should just go ahead and decrypt.

The user can disable this at the command line with --decrypt=false,
though it's not clear why they would ever want to do that.
2017-12-08 08:08:46 -04:00
Daniel Kahn Gillmor
e4890b5bf9 crypto: new decryption policy "auto"
This new automatic decryption policy should make it possible to
decrypt messages that we have stashed session keys for, without
incurring a call to the user's asymmetric keys.
2017-12-08 08:07:53 -04:00
Daniel Kahn Gillmor
798aa789b5 lib: convert notmuch decryption policy to an enum
Future patches in this series will introduce new policies; this merely
readies the way for them.

We also convert --try-decrypt to a keyword argument instead of a boolean.
2017-12-08 08:07:02 -04:00
Daniel Kahn Gillmor
b62045a186 indexopts: change _try_decrypt to _decrypt_policy
This terminology makes it clearer what's going on at the API layer,
and paves the way for future changesets that offer more nuanced
decryption policy.
2017-12-08 08:06:03 -04:00