unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#34145: 27.0.50; Writing .authinfo needs better confirmation
From: Michael Albinus @ 2019-01-20 10:51 UTC (permalink / raw)
  To: 34145


A Tramp user has reported recently, that writing a password into
.authinfo happened too easily, without proper confirmation
request. Granted, there was a `y-or-no-p' style question, but obviously
he has accepted w/o thinking too much. See
<http://lists.gnu.org/archive/html/help-gnu-emacs/2019-01/msg00054.html>.

Since this is sensitive data, he proposes to make it harder to
confirm. `auth-source-netrc-saver' should offer an alternative
confirmation prompt, more like `yes-or-no-p'. Which prompt to apply
should be configurable.


In GNU Emacs 27.0.50 (build 1, x86_64-pc-linux-gnu, GTK+ Version 3.24.1)
 of 2019-01-10 built on detlef
Repository revision: a2e78046f6b52e0a433ae6e1b9e6e5015f415412
Repository branch: master
Windowing system distributor 'The X.Org Foundation', version 11.0.12001000
System Description: Ubuntu 18.10


* bug#34145: 27.0.50; Writing .authinfo needs better confirmation
From: Lars Ingebrigtsen @ 2019-10-09 22:21 UTC (permalink / raw)
  To: Michael Albinus; +Cc: 34145

Michael Albinus <michael.albinus@gmx.de> writes:

> A Tramp user has reported recently, that writing a password into
> .authinfo happened too easily, without proper confirmation
> request. Granted, there was a `y-or-no-p' style question, but obviously
> he has accepted w/o thinking too much. See
> <http://lists.gnu.org/archive/html/help-gnu-emacs/2019-01/msg00054.html>.
>
> Since this is sensitive data, he proposes to make it harder to
> confirm. `auth-source-netrc-saver' should offer an alternative
> confirmation prompt, more like `yes-or-no-p'. Which prompt to apply
> should be configurable.

It's a multiple-choice thing:

                       (concat "(y)es, save\n"
                               "(n)o but use the info\n"
                               "(N)o and don't ask to save again\n"
                               "(e)dit the line\n"
                               "(?) for help as you can see.\n"))

So I don't think a yes-or-no-p-like action here is practical.

Anybody got an opinion?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no






* bug#34145: 27.0.50; Writing .authinfo needs better confirmation
From: Michael Albinus @ 2019-10-10  5:26 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 34145

Lars Ingebrigtsen <larsi@gnus.org> writes:

>> A Tramp user has reported recently, that writing a password into
>> .authinfo happened too easily, without proper confirmation
>> request. Granted, there was a `y-or-no-p' style question, but obviously
>> he has accepted w/o thinking too much. See
>> <http://lists.gnu.org/archive/html/help-gnu-emacs/2019-01/msg00054.html>.
>>
>> Since this is sensitive data, he proposes to make it harder to
>> confirm. `auth-source-netrc-saver' should offer an alternative
>> confirmation prompt, more like `yes-or-no-p'. Which prompt to apply
>> should be configurable.
>
> It's a multiple-choice thing:
>
>                        (concat "(y)es, save\n"
>                                "(n)o but use the info\n"
>                                "(N)o and don't ask to save again\n"
>                                "(e)dit the line\n"
>                                "(?) for help as you can see.\n"))
>
> So I don't think a yes-or-no-p-like action here is practical.
>
> Anybody got an opinion?

Honestly, I'm undecided. The major idea of this request was to make it
harder to save a password string somewhere. Just a single key is too easy.

To my taste, yes/no is sufficient. This choice does not need to ask,
whether the entered password shall be applied. It is obvious that it should.

Best regards, Michael.






* bug#34145: 27.0.50; Writing .authinfo needs better confirmation
From: Lars Ingebrigtsen @ 2019-10-11  7:37 UTC (permalink / raw)
  To: Michael Albinus; +Cc: 34145

Michael Albinus <michael.albinus@gmx.de> writes:

>> It's a multiple-choice thing:
>>
>>                        (concat "(y)es, save\n"
>>                                "(n)o but use the info\n"
>>                                "(N)o and don't ask to save again\n"
>>                                "(e)dit the line\n"
>>                                "(?) for help as you can see.\n"))
>>
>> So I don't think a yes-or-no-p-like action here is practical.
>>
>> Anybody got an opinion?
>
> Honestly, I'm undecided. The major idea of this request was to make it
> harder to save a password string somewhere. Just a single key is too easy.
>
> To my taste, yes/no is sufficient. This choice does not need to ask,
> whether the entered password shall be applied. It is obvious that it should.

The password is always applied (i.e., used), but it can be saved, not
saved and don't ask again.  And in addition you can edit the .authinfo
line.  So I don't see yes-or-no-p working here.

It could add another "really save?" after you've answered "y", though,
but I think that sounds kinda obnoxious.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no






* bug#34145: 27.0.50; Writing .authinfo needs better confirmation
From: Michael Albinus @ 2019-10-11 10:02 UTC (permalink / raw)
  To: Lars Ingebrigtsen; +Cc: 34145

Lars Ingebrigtsen <larsi@gnus.org> writes:

> The password is always applied (i.e., used), but it can be saved, not
> saved and don't ask again.  And in addition you can edit the .authinfo
> line.  So I don't see yes-or-no-p working here.

Ahh, you're right. So I don't have a better proposal.

Best regards, Michael.






* bug#34145: 27.0.50; Writing .authinfo needs better confirmation
From: Lars Ingebrigtsen @ 2019-10-13 18:07 UTC (permalink / raw)
  To: Michael Albinus; +Cc: 34145

Michael Albinus <michael.albinus@gmx.de> writes:

>> The password is always applied (i.e., used), but it can be saved, not
>> saved and don't ask again.  And in addition you can edit the .authinfo
>> line.  So I don't see yes-or-no-p working here.
>
> Ahh, you're right. So I don't have a better proposal.

OK; closing.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no
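
Added example, not part of this thread or of auth-source.el: since the report was closed without changing the prompt, a user who wants to rule out an accidental single-key save into a plaintext .authinfo can decide up front in their init file. The `my-` function names and the sample list are hypothetical; `auth-sources` and `auth-source-save-behavior` are existing user options.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; every `my-' name below is hypothetical.
(require 'auth-source)
(require 'seq)

(defun my-auth-source-file-of (entry)
  "Return the file name that ENTRY of `auth-sources' points at, or nil.
ENTRY may be a string or a plist with a :source key.  Symbols and
\"secrets:\" / \"macos-keychain-...:\" strings are not files."
  (let ((src (cond ((stringp entry) entry)
                   ((consp entry) (plist-get entry :source)))))
    (and (stringp src)
         (not (string-match-p
               "\\`\\(?:secrets\\|macos-keychain-[a-z]+\\):" src))
         src)))

(defun my-auth-source-plaintext-files (&optional sources)
  "Return the files in SOURCES (default `auth-sources') not ending in .gpg."
  (seq-remove (lambda (file) (string-suffix-p ".gpg" file))
              (delq nil (mapcar #'my-auth-source-file-of
                                (or sources auth-sources)))))

(defun my-auth-source-refuse-plaintext-saves ()
  "Disable saving when a plaintext file is a possible save target.
Return the list of plaintext files found, or nil."
  (let ((plain (my-auth-source-plaintext-files)))
    (when plain
      ;; nil is the \"never save\" value of this option; the password
      ;; typed at the prompt is still used for the current session.
      (setq auth-source-save-behavior nil)
      (message "auth-source: saving disabled, plaintext targets: %s"
               (mapconcat #'identity plain ", ")))
    plain))

;; Constructed sample, shaped like a typical `auth-sources' value:
;; (my-auth-source-plaintext-files
;;  '("~/.authinfo" "~/.authinfo.gpg" "secrets:Login" (:source "~/.netrc")))

;; Call once from the init file, after `auth-sources' has been customized.
(my-auth-source-refuse-plaintext-saves)
```

The alternative to disabling saves is to list only encrypted files in `auth-sources`, in which case the function finds nothing and leaves the prompt as it is.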




