On Fri, Apr 17, 2020 at 07:59:01PM -0500, Derek wrote in
<20200418005901.gb19...@bladeshadow.org>:
This is utterly pointless. This may come off as harsh but please
understand that's not intended. I just want to be completely clear
hee so there is no misunderstanding or equivocation.
Well, pointless to you maybe. Feel free to ignore looking at the patch,
but:
None of the information you just listed is sensitive, and almost all
of it is already REQUIRED to be present in the message:
- The date and time will be in at least one, probably multiple
headers, guaranteed; and quite possibly the message body, depending
on the user's habits. REQUIRED.
This is why I have left this part untouched.
- The "hostname" is usually the sender's domain, not their actual
hostname, unless left unconfigured in Mutt. Regardless of which
thing it is, it's going to be all over the message headers for the
vast majority of Mutt users. In those cases when it won't, the
user's IP address will be in them at least once (and might be
anyway, depending on how the user emits mail into the SMTP ether
and who it is talking to). REQUIRED.
This is why I have left this part untouched.
- the PID is the only thing that could possibly be vaguely useful to
an attacker, but only if they're already able to get onto the
user's system, in which case finding out the PID will be trivial
anyway. POINTLESS.
I would argue including the PID in the message ID is equally or even more
pointless. It has no value in there, so why even include it?
- From the sequential letter portion, you can only determine that the
modulo 26 of the number of messages sent, not the number of
messages. That's not useful information for anything, and I doubt
the actual number of messages sent in a given mutt session reveals
anything useful either, even if it were available--you still have
no idea if the session has been running for 10 minutes or 10 years.
MEANINGLESS.
Also meaningless to include this then.
I haven't reviewed the patch, but it does nothing useful, so my main
objection is that taking the time to review it, let alone apply it, is
a waste of anyone's time.
I think a lot more time was wasted not looking at the patch and writing
your reply than having had a quick glance at it.
And yes, we've had this conversation before. In 2001:
https://marc.info/?l=mutt-dev&m=100428813825414&w=2
My apologies for not having looked to see if this has been discussed
before. I am looking forward to waiting another 18 or 19 years and bring
this up again. For what it is worth, I do think the discussion of 2001
brought up points of interest and see no reason not to apply that or my
patch. If the maintainers disagree, there won't be any hurt feelings on my
side, I just thought this patch would be a simple solution to potential
(and I agree: minor) concerns about the information that gets included in
the message-ID.
