From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Subject: Re: authinfo gnutls netrc.el auth-sources & smtpmail-starttls-credentials
Date: Mon, 15 Jun 2009 09:40:53 -0500	[thread overview]
Message-ID: <87eitlef0q.fsf@lifelogs.com> (raw)
In-Reply-To: 877hze1fpg.fsf@sandpframing.com

On Sun, 14 Jun 2009 20:52:11 -0400 MON KEY <monkey@sandpframing.com> wrote: 

MK> Ted Zlatanov <tzz@lifelogs.com> writes:
>> 
MK> Please see my post elsewhere on this thread vis a vis imap.el
>> 
>> I don't think it's necessary to have the debugging facilities of
>> imap.el, because auth-source.el does not have so much external

MK> The language of those two defcustom forms is quite communicative re:
MK> logging/debugging and do well to extend clarity when informing the user just
MK> how much rope he has been given. IIWM I would adopt the same or similar
MK> tone with any such revisions/additions made to auth-sources defcustom
MK> related docs.

You mean something like this, perhaps:

  "If non-nil, log the authentication tokens obtained by auth-source
into `*Messages*'.

Note that usernames, passwords and other privacy-sensitive information
may be stored in the *Messages* buffer.  It is not written to disk, but
it is visible to all Emacs code and some other attacks (depending on
your OS).  Do not enable this variable unless you are comfortable with
that.  Also see `auth-source-hide-passwords'."

(BTW, auth-source-hide-passwords defaults to t and does what you'd
expect)

I think more information should be in the documentation (auth.texi) and
not in the variable docstrings, but a more verbose explanation is
definitely a good thing.

>> interaction that needs to be debugged.  There's just three places where
>> messages are emitted right now.  Just auth-source-debug as a boolean,

MK> It's not the amount (or lack thereof), but rather the manner in which
MK> the logging/debugging occurs and _how_ the user is made aware of both
MK> the existence of such facilities and the potential pitfalls of their
MK> use.

auth-source.el is only relevant if the user has configured
`auth-sources' explicitly or has an ~/.authinfo.gpg file (AFAIK this
file is not a convention for any other package within or outside Emacs).
I think this mitigates the security risk significantly, because the user
has to be aware of auth-source.el in order to use it.  Note also my
patch disables auth-source.el logging by default.

Ted
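As an added illustration (this is not code from the message above, nor from auth-source.el itself), the following Emacs Lisp sketches the pattern Ted describes: a debug toggle that is off by default, and a separate hide-passwords toggle, defaulting to on, that masks the secret before anything reaches `*Messages*'. All names here (`my-auth-debug', `my-auth-hide-passwords', `my-auth-redact', `my-auth-log') and the sample entry are placeholders invented for the example, not auth-source's own identifiers.

```elisp
;; Added example, not part of auth-source.el: a debug logger that only
;; emits when explicitly enabled, and masks :secret unless the user has
;; also explicitly turned masking off.

(defcustom my-auth-debug nil
  "If non-nil, log the authentication tokens obtained into `*Messages*'.
Note that usernames, passwords and other privacy-sensitive information
may be stored in the *Messages* buffer.  It is not written to disk, but
it is visible to all Emacs code.  Also see `my-auth-hide-passwords'."
  :type 'boolean
  :group 'my-auth)

(defcustom my-auth-hide-passwords t
  "If non-nil, replace passwords with a fixed placeholder in debug output."
  :type 'boolean
  :group 'my-auth)

(defun my-auth-redact (plist)
  "Return a copy of PLIST with :secret replaced when hiding is enabled.
The original PLIST is never modified, so the caller's real credential
is unaffected by logging."
  (if (and my-auth-hide-passwords (plist-get plist :secret))
      (let ((copy (copy-sequence plist)))
        (plist-put copy :secret "SECRET"))
    plist))

(defun my-auth-log (fmt &rest args)
  "Log FMT and ARGS to *Messages* only when `my-auth-debug' is non-nil.
Any plist argument (a list starting with a keyword) is passed through
`my-auth-redact' first, so the masking decision is made in one place."
  (when my-auth-debug
    (apply #'message fmt
           (mapcar (lambda (a)
                     (if (and (listp a) (keywordp (car-safe a)))
                         (my-auth-redact a)
                       a))
                   args))))

;; Constructed sample entry, shaped like a parsed ~/.authinfo line.
(let ((entry '(:host "mail.example.org" :user "alice" :secret "hunter2")))
  ;; Default configuration: debugging is off, nothing is logged.
  (my-auth-log "auth entry: %S" entry)
  ;; Debugging explicitly enabled, hiding left at its default: the
  ;; *Messages* line shows :secret "SECRET", not the real password.
  (let ((my-auth-debug t))
    (my-auth-log "auth entry: %S" entry))
  ;; Both toggles flipped by the user: the real password now lands in
  ;; *Messages*, which is exactly the case the docstring warns about.
  (let ((my-auth-debug t)
        (my-auth-hide-passwords nil))
    (my-auth-log "auth entry: %S" entry)))
```

Evaluating the block in `*scratch*' (or loading it with `load-file') leaves one redacted line and one unredacted line in `*Messages*'; the first call emits nothing. The point of routing every debug message through one function is that a later `message' call added elsewhere cannot bypass the redaction by accident.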

Thread overview (11+ messages):
2009-06-11 23:44 authinfo gnutls netrc.el auth-sources & smtpmail-starttls-credentials MON KEY
2009-06-12 18:25 ` Ted Zlatanov
2009-06-12 21:05   ` MON KEY
2009-06-13 12:55     ` Ted Zlatanov
2009-06-15  0:52       ` MON KEY
2009-06-15 14:40         ` Ted Zlatanov [this message]
  -- strict thread matches above, loose matches on Subject: below --
2009-06-12  6:28 MON KEY
2009-06-10  3:49 MON KEY
2009-06-10 21:18 ` Ted Zlatanov
2009-06-10 20:43   ` MON KEY
2009-06-11 14:39     ` Ted Zlatanov
