Re: [PATCH v2 2/3] git-send-email: die on invalid smtp_encryption

From: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
To: Drew DeVault <sir@cmpwn.com>
Cc: git@vger.kernel.org
Subject: Re: [PATCH v2 2/3] git-send-email: die on invalid smtp_encryption
Date: Sun, 11 Apr 2021 21:56:02 +0200	[thread overview]
Message-ID: <87zgy4egtp.fsf@evledraar.gmail.com> (raw)
In-Reply-To: <CAKZTYI6U0WY.36DC3N1E4R7D2@taiga>

On Sun, Apr 11 2021, Drew DeVault wrote:

> On Sun Apr 11, 2021 at 11:06 AM EDT, Ævar Arnfjörð Bjarmason wrote:
>> 3. While I'm very much leaning to #1 being a good idea, I'm very much
>> leaning towards introducing this "starttls" alias being a bad idea
>> for the same reason.
>>     
>> i.e. let's not create a new 'starttls' if we can avoid it explicitly
>> because we used to have the long-standing "anything unrecognized is
>> empty == no encryption" behavior.
>>
>> A lot of users read documentation for the latest version online, but
>> may have an older version installed.
>
> I feel quite strongly that the options here are a grave failure of
> usability, and that it needs to be corrected. I help people troubleshoot
> git send-email problems quite often, and this is a recurring error.
> However, you make a good point in that someone might see some online
> documentation which does not match their git version and end up with a
> surprisingly unencrypted connection.
>
> As a compromise, let's consider making this a gradual change. We can
> start by clarifying the docs and forbiding the use of any value other
> than 'ssl' or 'tls'. If an unknown value is set, the user is not getting
> the encryption they expected anyway, and this should cause an error.
>
> Then we can leave the issue aside for some agreed upon period of time to
> allow the change to proliferate in the ecosystem, and then revisit this
> at some point in the future to rename the options to make more sense.
>
> Does this seem like a reasonable compromise?

I suggest we don't compromise and just go with whatever you're OK with
:)

I really don't care enough about #1 and #3 in my E-Mail to in any way
push for it, sorry if it came off that way.

I just wanted to check your assumptions when reviewing the series. I do
think that it would make sense to more prominently note something to the
effect of "this was documented to do X all along, now we do Y, but
that's OK because ABC", and to note why the new starttls = plaintext on
older versions is OK, maybe it's just fine. I really don't know.

Isn't it pretty common in any case that SMTP servers in the wild just
refuse plaintext these days when dealing with auth'd connections? I
don't know.

I do think it makes sense to fixup for my suggested #2, i.e. not leaking
the internal detail of the "empty string".