From mboxrd@z Thu Jan 1 00:00:00 1970
From: Gregory Heytings via "Emacs development discussions."
Newsgroups: gmane.emacs.devel
Subject: Re: Making GNUS continue to work with Gmail
Date: Tue, 18 Aug 2020 09:15:12 +0000
Reply-To: emacs-devel@gnu.org, Gregory Heytings
Cc: Richard Stallman
To: emacs-devel@gnu.org
List-Id: "Emacs development discussions."

> > "will have to run _that same_ nonfree software to start": no.  For
> > solution (1), it is necessary to use
> > https://console.developers.google.com to "create" an app
>
> We are miscommunicating here.  I am talking about option (2), where the
> user only has to log in and permit access to per account via the
> already-existing app.  (Or at least, that's what I think you said.)
>
> I'm not talking about option (1) since it is totally unacceptable.

It was not clear at all until now that option (1) was totally
unacceptable.

> What we avoid on principle is the situation where use of our software
> depends on running nonfree software.  For one person to run nonfree
> software once, to make it unnecessary for others to run it, is the sort
> of situation which we consider a legitimate exception.

Okay, I was not aware of that subtlety.

> Also, I am not convinced it has to be done by "someone from [the GNU
> Project], or on behalf of [the GNU Project]".

Well, this is what happened for Kmail, Thunderbird and others.  The person
who applies to have an app approved by Google becomes legally responsible
for the use of the OAuth credentials received at the end of the process.
In the case of an app that is used by many people around the world, this
should be a legal person, not an individual.  Moreover, one of the
(possible) steps in having Google approve an app is to have the code of
the app reviewed by security experts, and it is the person who applies to
have an app approved who has to pay for this.  Again this cannot be an
individual.  Writing the privacy policy is also something that an
individual cannot do, and that is required by Google.

> It could be anyone who wants to keep using GNUS with Gmail (and is
> willing to sometimes run Gmail's nonfree JS code).  If someone does this
> and sends us some data, we can use it.

Yes, if they agree to take the legal responsibility for the use of these
credentials, and if they pay if Google wants to have the code of the
program reviewed by security experts.

> This brings me to another issue that may be harder to work around.  What
> conditions would someone have to agree to when requesting Google's
> approval for an app?  There could be something morally unacceptable in
> that.  Though it does matter who would have to agree to it.

I gave some indications above.  But I'm not a lawyer.

> Here's an idea.  Is it possible to modify Kmail so that it does the
> necessary low-level access, and nothing else?  Delete the code for
> displaying and editing mail.  This drastically modified version of Kmail
> would satisfy Kmail's license.  GNUS and Rmail could use it, much as
> they used to use movemail.

It's an idea indeed, but I fear it is not a good one.
It means at least that:

(1) The KDE foundation would become legally responsible for the use of the
OAuth credentials by people outside of the KDE project.  They would most
likely officially ask you to stop using their credentials.  If you did not
agree, the risk for them is that their credentials would be revoked by
Google.

(2) During the OAuth grant process (when a user adds an account to their
email client), the OAuth credentials are used to identify the app.  In
other words, with your idea the Gnus user would be presented with a screen
which says "The app Kmail wants to access your email.  Approve?".  A Gnus
user would not know what "Kmail" is, or at least would be reluctant to
click on "Approve".

Gregory