Re: [nmh-workers] post 1.71 ug: "long line"/single newline paragraphs

From: Bob Carragher
Subject: Re: [nmh-workers] post 1.71 ug: "long line"/single newline paragraphs
Date: Sun, 27 May 2018 08:24:02 -0700

I'm definitely in favor of, by default, disabling anything that
causes automatic external data fetches to sites I might be
unaware of!


On Sun, 27 May 2018 10:15:29 -0400 Ken Hornstein <address@hidden> sez:

> >> I don't know.  History, probably.
> >> We used to assume everyone played nice.
> >
> >nmh-access-{ftp,url} were added less than 4 years ago.  Ken,
> >should we revisit?  I don't have strong feelings, the only
> >messages I've received that use it are from you and Ralph.
> So, I read Anthony's email, and while I don't agree with all of
> his concerns I do understand where he is coming from.
> My reading of the historical MH code is that it would always
> try to fetch external-body content.  But ... the assumption in
> MH 6.8 was that MIME content was rare and presumably a human
> would look at it before they would run "mhn".  The
> external-body methods supported in MH 6.8 were "afs",
> "anon-ftp", "ftp", "local-file", and "mail-server".  I think
> "ftp", "anon-ftp", and "mail-server" probably were at a similar
> level of danger to "url" today.
> Thinking about the history ... along the way we moved towards
> always parsing MIME messages (because most messages nowadays
> are), which meant that external-body content would always be
> displayed (BTW, "turns out "mhn-access-ftp" was supported even
> back in MH 6.8).  I added the URL support and my motivation
> there was really just updating the MIME support to more modern
> stuff, I went along with how the ftp support worked and didn't
> think about the larger concerns.
> I think maybe the smartest thing to do would be to default to
> NOT displaying any external content in nmh when viewing content
> with show(1)/mhshow(1), but instead just show the MIME
> paramters to the user.  Then a user could chose to display that
> with -showexternal (or whatever).  A more trusting user could
> add -showexternal to their profile.  That might have to wait a
> while, though.  Thoughts?
> --Ken
