From: Thibaut Verron
Reply-To: thibaut.verron@gmail.com
Newsgroups: gmane.emacs.devel
Subject: Re: Proposal for an Emacs User Survey
Date: Sat, 17 Oct 2020 08:42:16 +0200
To: Jean Louis
Cc: mve1@runbox.com, Dmitry Gutov, Richard Stallman, emacs-devel
In-Reply-To: <20201017054446.GW11061@protected.rcdrun.com>

On Sat, 17 Oct 2020 at 07:44, Jean Louis wrote:
>
> * Thibaut Verron [2020-10-17 07:50]:
> > I gave my reasons above. It's not just about "helping users", it's
> > about helping them move more of their activities to the free world.
> > Those packages (helm-lastpass, lastpass) are helping users who already
> > use lastpass at the moment do exactly that.
> >
> > > Nonfree
> > > software is an injustice -- nonfree software subjugates users.
> > > Our goal is to _eradicate it_.
> >
> > Again, the same question: by arranging for links to such software to
> > be removed everywhere? Or by offering free alternatives?
> >
> > Incidentally, I see a lot of effort so far discussing how evil
> > helm-lastpass and lastpass are, and how to get them moved to obscure
> > parts of the internet. What I don't see is efforts discussing free
> > alternatives.
>
> There are many password managers in any GNU/Linux system, including, I
> am sure, and there are cross platform free software password managers
> such as keepass, then there are packages that can manage passwords
> with Emacs only, those may not be well integrated, then both KDE/Gnome
> have their password managers, each browser has its password managers.

Can you use Keepass with Emacs? Can you use Keepass on a phone?
Can you use it on a computer without root access?

> both KDE/Gnome have their password managers

Can you use them with Emacs? Can you use them on a phone?

> each browser has its password managers.

I don't know what Edge does, and Chrome and Chromium use Google
services for their password manager. Firefox offers Lockwise and Opera
also has its in-house method, which at least work on phones (afaik).
But then they require storage in the cloud in the same way as
Lastpass. And can you use them with Emacs?

I mentioned it before, but as far as I know, the only free software
offering for a service similar to Lastpass is Bitwarden: free software
for both the client and the server with the possibility to self-host,
same features as Lastpass (including measuring the overall safety of
your passwords, which I don't think those other password managers do)
and same compatibility list.

Focusing efforts towards evaluating the freedom (freeness?) of
Bitwarden, and if applicable, extending the support for Bitwarden to
the level of that of emacs-lastpass would make it a lot easier to
convince users to abandon that bit of non-free software.

>
> Especially when we are talking about subject of password management,
> advising GNU Emacs users to keep their passwords online in a cloud,
> managed by proprietary software is very wrong.
>
> (...)
>
> From Wikipedia:
> https://en.wikipedia.org/wiki/LastPass
>
> https://en.wikipedia.org/wiki/LastPass#2011_security_incident
> https://en.wikipedia.org/wiki/LastPass#2015_security_breach
> https://en.wikipedia.org/wiki/LastPass#2016_security_incidents
> https://en.wikipedia.org/wiki/LastPass#2017_security_incidents
> https://en.wikipedia.org/wiki/LastPass#2019_security_incidents
>
> Those are only publicly announced security incidents. How many there
> are not announced?
>
> In that sense, knowing the background of the insecurities at the
> company producing proprietary software, the package lastpass for Emacs
> and helm-lastpass is only helping that company subjugate users to
> keep their passwords online and sooner or later abuse Emacs users.
>
> (...)
>
> At MELPA bug tracking, or Github issue tracker, the issue is closed,
> there was no question if the package "lastpass" is driving users to
> insecurities, issue was simply closed, without possibility to publish
> this exact information.

Yes yes, but that's still about the availability of and the problems
behind lastpass and the emacs packages.

My question is about alternatives. Or, what would you tell users who
currently use lastpass and emacs-lastpass, after you tell them they
should stop using lastpass? Surely you don't want to convince them to
use an inferior product just for purity of software?

I would keep the issue of security incidents separate. Security flaws
are regularly found in both free and non-free software. Lastpass makes
it a policy to announce such breaches. And 5 incidents in 9 years does
not make Lastpass "known for security incidents", not any more than
OpenSSL would be known for security incidents (even though in the same
period, 6 flaws were found and patched in OpenSSL).

> My system of keeping passwords is the file .passwords which is stored
> on encrypted partition. It is appendable only file by using chattr +a,
> and Emacs asks me for host name, username, email, etc. and it
> generates password which is appended to a file. Other simple function
> is grepping and finding list of passwords.

Do you use it across devices? On devices where you don't have root
access? On phones?

> It would be disaster to keep my 4362 passwords online

Assuming that sufficiently strong encryption is used, why exactly?

> Especially when we are talking about subject of password management,
> advising GNU Emacs users to keep their passwords online in a cloud,
> managed by proprietary software is very wrong.
>
> Thus there is no alternative to free software.

I don't see what it has to do with the question, but it is factually
wrong. There are plenty of alternatives to free software.