On Sat, Apr 18, 2020 at 08:26:56AM -0400, Remco Rijnders wrote:
> > - the PID is the only thing that could possibly be vaguely useful to an attacker, but only if they're already able to get onto the user's system, in which case finding out the PID will be trivial anyway. POINTLESS.
>
> I would argue including the PID in the message ID is equally or even more pointless. It has no value in there, so why even include it?

Because it deterministically provides uniqueness. At the time it was created, it is not possible for there to be two processes with that PID.

> > - From the sequential letter portion, you can only determine the modulo 26 of the number of messages sent, not the number of messages. That's not useful information for anything, and I doubt the actual number of messages sent in a given mutt session reveals anything useful either, even if it were available--you still have no idea if the session has been running for 10 minutes or 10 years. MEANINGLESS.
>
> Also meaningless to include this then.

Probably, but it provides additional uniqueness. It's extremely unlikely you'll be able to create more than 26 messages in one second.

MOST IMPORTANTLY: note that by replacing this info with a randomly generated number, you are REMOVING the guarantee of uniqueness. While it is IMPROBABLE that the randomly generated number will repeat, it is not impossible. The existing method does not have this flaw.

> > I haven't reviewed the patch, but it does nothing useful, so my main objection is that taking the time to review it, let alone apply it, is a waste of anyone's time.
>
> I think a lot more time was wasted not looking at the patch and writing your reply than having had a quick glance at it.

It was not wasted if anyone learned anything.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02

-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
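An added example, not mutt's code and not from either poster, that puts the uniqueness argument above to the test: a Message-ID generator modelled on the timestamp + cycling letter + PID scheme the thread describes, beside a random-token alternative. The exact field layout, the hostname and the PID are assumptions; the clock is frozen so every ID lands in the same second, the only case where the letter alone must keep IDs apart.

```python
import secrets
import string
from datetime import datetime, timezone

# Added example, not mutt's code: a Message-ID generator modelled on the scheme
# the thread describes (timestamp, a letter cycling A..Z, the PID, the host).
# The field layout <YYYYmmddHHMMSS.G<letter><pid>@host> is an assumption.

class DeterministicMsgId:
    def __init__(self, pid: int, host: str):
        self.pid = pid
        self.host = host
        self.letter = 0  # index into A..Z; wraps after 26 messages

    def generate(self, now: datetime) -> str:
        stamp = now.strftime("%Y%m%d%H%M%S")
        letter = string.ascii_uppercase[self.letter]
        self.letter = (self.letter + 1) % 26  # only the count mod 26 survives
        return f"<{stamp}.G{letter}{self.pid}@{self.host}>"

def random_msgid(now: datetime, host: str, nbytes: int) -> str:
    """The alternative under discussion: a random token in place of letter+PID.
    Uniqueness is probabilistic, not guaranteed; smaller tokens collide sooner."""
    return f"<{now.strftime('%Y%m%d%H%M%S')}.{secrets.token_hex(nbytes)}@{host}>"

def count_duplicates(ids) -> int:
    return len(ids) - len(set(ids))

# Constructed inputs: a frozen clock and a fixed PID, so every ID shares the
# same second and the letter is the only thing keeping them apart.
FROZEN = datetime(2020, 4, 18, 8, 26, 56, tzinfo=timezone.utc)

def deterministic_ids(n: int, pid: int = 12345, host: str = "host.example"):
    gen = DeterministicMsgId(pid, host)
    return [gen.generate(FROZEN) for _ in range(n)]

def random_ids(n: int, nbytes: int, host: str = "host.example"):
    return [random_msgid(FROZEN, host, nbytes) for _ in range(n)]

if __name__ == "__main__":
    print(count_duplicates(deterministic_ids(26)))  # 0: all 26 distinct
    print(count_duplicates(deterministic_ids(27)))  # 1: the 27th wraps to 'A'
    # One random byte: 300 draws from 256 values must repeat at least 44 times
    print(count_duplicates(random_ids(300, 1)) >= 44)  # True
```

The deterministic guarantee holds exactly as far as the thread states it: 26 messages per process per second, after which the letter wraps and the ID repeats, while the random variant's collision chance depends only on token size and message volume.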