unofficial mirror of emacs-devel@gnu.org 
From: Tim Cross <theophilusx@gmail.com>
To: Richard Stallman <rms@gnu.org>
Cc: Tomas Hlavaty <tom@logand.com>,
	fitzsim@fitzsim.org, jostein@kjonigsen.net, emacs-devel@gnu.org
Subject: Re: gmail+imap+smtp (oauth2)
Date: Sat, 07 May 2022 13:22:33 +1000
Message-ID: <87wneyc6zu.fsf@gmail.com>
In-Reply-To: <E1nn7DF-0001P1-3J@fencepost.gnu.org>


Richard Stallman <rms@gnu.org> writes:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>   > but as pointed out, the real issue is not so much on the client side
>   > but on the server side
>
> Since the issue is whether we can use free software to make GNUS talk
> with Gmail, naturally the issue has a "server side".  
> Would you please identify more precisely what "real issue" you mean?
> For instance, quote the text that described this issue?
>
> There have been so many messages about this that I can't identify one
> of them based on a general description of what it said.

You're looking for a clear concise short explanation for a larger complex
set of problems. There are multiple issues. 

Big Question: Can you use Gmail only using libre software? Answer: NO. 

Subsequent questions: Can you minimise the use of non-libre software?
Yes. 

At this stage, I do not know of any way to create/register a Google
account which does not require JavaScript and the status of that
JavaScript is unknown, but can be expected to be non-free. Once you have
created an account, the only way to access your account 'settings' page
is to login to the Google site, again requiring use of non-free
javascript. 

Google login authentication supports a number of different 2FA schemes.
Some are non-free (SMS, Google Authenticator). Some are free
(KeePassXC). It is up to the user to select which scheme is used. 

Until recently, once your account was registered, you could use libre
tools to access your messages and send new ones via IMAP and SMTP.
However, you do have to use the non-free account settings page to turn
these services on and you must not enable 2FA. Once they are enabled,
you don't need to use the non-free login/settings pages again (unless
you want to change your password or other settings).

Google has started enforcing 2FA (now mandatory on all new accounts). If
you have 2FA, you cannot use your 'normal' Google username/password with
IMAP and SMTP. At this point you have 2 choices. This is where the main
issue for this thread started. The choices are -

1. Use application passwords. These are a 'special' password you create
using your Google settings page (running non-free software). Once you
have the application password, you can use IMAP/SMTP with libre clients,
using the application password in place of your 'normal' password. At
this point, your retrieval and sending of messages can be done using
only libre software. 

2. Use a Google oauth2 compliant client to obtain an oauth2 access token
which you then use as your password in your libre IMAP/SMTP client.
However, at this time, there doesn't seem to be any libre Google oauth2
client we can use. If there was, it would be theoretically possible to
access your emails and send new ones using only libre software and avoid
needing to login to the non-free settings page to set up application
passwords. 

The issue with having a libre oauth2 client is that the client needs to
be approved by Google and issued with an application ID which is
supplied as part of the client authorisation request. The Google T&C
state that this value must be kept secret. If we put this ID into the
source code, it won't be secret and therefore not compliant with
Google's T&C. 

It has been argued that the interpretation of the T&C is misleading or
ambiguous and the application ID does not need to be kept secret (or
does not need to be 'as secret' as something like a password). Other
projects, like Thunderbird, appear to be adopting this position and have
incorporated oauth2 authentication, eliminating the need for application
passwords or the need for users to use the non-free Google login page in
order to access IMAP/SMTP. The risk for them is that if Google decides
their application has not complied with the T&C, they will cancel the
application ID and Thunderbird will stop working with Google. 

Personally, I think the Thunderbird position is the right one. It
minimises the need to use non-free software and I think it is unlikely
Google will cancel their application ID. Even if they do, all the user
then needs to do is set up application passwords and use them. 

What might be good is if the FSF could get clarification from Google
regarding the T&C requirements for application ID. I suspect Google's
intention with the T&C is that developers should not publicise the
application ID i.e. having it embedded in source code is OK, having it
referenced on the web site homepage is not. As Stefan pointed out, even
with closed source software, an embedded ID of this type can still be
extracted by anyone with sufficient patience and knowledge on how to use
a debugger. 

There are some risks associated with requesting clarification. If Google
comes back and categorically states the application ID cannot be
embedded in an open source program and we then go ahead and do it, I
guess Google could use that as a pretext for more serious legal action.
It would not be possible to argue it was an error and would likely be
seen as a deliberate breach of their T&C. A situation FSF lawyers would
probably find unacceptable. 
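
Editor's added example, not part of the original message and not code from Emacs, Gnus or Thunderbird: a Python sketch of option 2 showing where the application (client) ID travels and how the resulting access token is presented to IMAP/SMTP through the XOAUTH2 SASL mechanism. It goes beyond the message by adding PKCE (RFC 7636), the per-request secret an installed client uses precisely because its ID is readable; the client ID, loopback redirect URI, user and token values are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
MAIL_SCOPE = "https://mail.google.com/"  # scope covering IMAP/SMTP access
CLIENT_ID = "PLACEHOLDER-CLIENT-ID.apps.googleusercontent.com"  # placeholder
REDIRECT_URI = "http://127.0.0.1:8080/"  # assumed local loopback listener


def b64url(data: bytes) -> str:
    """Unpadded URL-safe base64, the encoding PKCE uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: only this hash leaves the client, never the verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(verifier: str, state: str) -> str:
    """URL the user's browser opens; the client ID is a plain query parameter."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": MAIL_SCOPE,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    })


def visible_params(url: str) -> dict:
    """What anyone who sees the URL (browser history, proxy log) can read."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 string sent to IMAP/SMTP in place of a password."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    verifier = b64url(secrets.token_bytes(32))  # fresh secret per login
    url = authorization_url(verifier, b64url(secrets.token_bytes(16)))
    print("client_id visible in URL:", visible_params(url)["client_id"])
    print("verifier absent from URL:", verifier not in url)
    print(xoauth2_initial_response("alice@example.com", "CONSTRUCTED-TOKEN"))
```
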
