[Bug 1517446] [NEW] Please add multipart/signed to DEFAULT_PASS_MIME_TYPES

Public bug reported:
Mailman tarballs contain a Defaults.py file with this configuration:
DEFAULT_PASS_MIME_TYPES = ['multipart/mixed','multipart/alternative','text/plain']
NOTE: I don't know how this file is generated; I found it in the tarballs but not in the repository.
So, when someone enables filtering on a mailing list by mime-type, the default is to filter all emails not matching any of those 3 mime-types.
This list of default allowed mime types does not include "multipart/signed".
Therefore, this is unfortunately filtering any "multipart/signed" emails.
"multipart/signed" is defined in RFC 3156 https://tools.ietf.org/html/rfc3156 and is the recommended way of signing mails with GPG. See http://wiki.gnupg.org/SignatureHandling
The proposed change is to modify that default configuration to:
DEFAULT_PASS_MIME_TYPES = ['multipart/mixed', 'multipart/alternative', 'multipart/signed', 'text/plain', ]
This default causes trouble for people who sign their mails with GPG. I already had problems due to this default on the Alioth Debian mailing lists and on the WebKit mailing lists because the admin enabled filtering by mime-type and didn't change the default.
Please, change this default by adding at least 'multipart/signed' to the list of types allowed.
** Affects: mailman Importance: Undecided Status: New

The proposed change is to modify that default configuration to:
DEFAULT_PASS_MIME_TYPES = ['multipart/mixed', 'multipart/alternative', 'multipart/signed', 'text/plain', ]
I mean:
DEFAULT_PASS_MIME_TYPES = ['multipart/mixed', 'multipart/alternative', 'multipart/signed', 'text/plain' ]

The tarballs we distribute do not contain Mailman/Defaults.py. They and the lp:mailman/2.1 branch contain only Mailman/Defaults.py.in. Mailman/Defaults.py is generated by configure by applying various configure options and defaults to Mailman/Defaults.py.in.
Also, in Python,
DEFAULT_PASS_MIME_TYPES = ['multipart/mixed', 'multipart/alternative', 'multipart/signed', 'text/plain', ]
and
DEFAULT_PASS_MIME_TYPES = ['multipart/mixed', 'multipart/alternative', 'multipart/signed', 'text/plain' ]
(without the last comma) are equivalent.
Now, as far as the actual bug is concerned, I am unsure as to the best default for pass_mime_types. I agree that various multipart subtypes such as multipart/related and multipart/signed should be accepted so their text/plain sub-parts will be accepted. To this end, I think at a minimum we should have
DEFAULT_PASS_MIME_TYPES = ['multipart', 'text/plain']
to accept any text/plain subparts of any multipart type, but this brings up other questions. Namely, should we accept message/rfc822 parts to ultimately accept text/plain parts from attached (forwarded or ?) messages, and if we are accepting multipart/signed, should we also accept the actual signature.
For the former, I think the answer is yes. The latter is more complicated because application/pkcs7-signature parts are binary so in the spirit of only accepting text/plain, perhaps we should only accept application/pgp-signature signature parts. I'm tending towards
DEFAULT_PASS_MIME_TYPES = ['multipart', 'message/rfc822', 'text/plain', 'application/pgp-signature']
but I'm continuing to think about it.
** Changed in: mailman Importance: Undecided => Low
** Changed in: mailman Status: New => In Progress
** Changed in: mailman Milestone: None => 2.1.21
** Changed in: mailman Assignee: (unassigned) => Mark Sapiro (msapiro)

** Branch linked: lp:mailman/2.1

** Changed in: mailman Status: In Progress => Fix Committed

** Changed in: mailman Status: Fix Committed => Fix Released
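
Added example, not part of the original thread and not Mailman's code: a simplified model of the pass-list check discussed above, run against a constructed multipart/signed message under the three candidate defaults quoted in the thread. It assumes an entry matches on either the full type or the bare main type, and that a rejected top-level type rejects the whole message; the function names and the sample message are illustrative.

```python
from email import message_from_string

# Candidate defaults quoted in the thread.
ORIGINAL = ['multipart/mixed', 'multipart/alternative', 'text/plain']
PROPOSED = ['multipart/mixed', 'multipart/alternative',
            'multipart/signed', 'text/plain']
LEANING = ['multipart', 'message/rfc822', 'text/plain',
           'application/pgp-signature']

# Constructed RFC 3156 style message; the signature body is a placeholder.
SIGNED = """\
From: user@example.org
Subject: signed post
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="b1"

--b1
Content-Type: text/plain

Hello list.
--b1
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
(placeholder)
-----END PGP SIGNATURE-----
--b1--
"""

def passes(part, pass_types):
    """Assumed rule: the full type or the bare main type is listed."""
    return (part.get_content_type() in pass_types
            or part.get_content_maintype() in pass_types)

def surviving_parts(raw, pass_types):
    """Content types kept by the model, or None if the message is rejected."""
    def walk(part):
        if not passes(part, pass_types):
            return None
        kept = [part.get_content_type()]
        if part.is_multipart():
            for sub in part.get_payload():
                kept.extend(walk(sub) or [])
        return kept
    return walk(message_from_string(raw))
```

In this model the proposed list lets the post through but drops its application/pgp-signature part, which is the question the reply raises about also accepting the signature itself.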
participants (3): carloslp, Launchpad Bug Tracker, Mark Sapiro