From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Thomas Fitzsimmons Newsgroups: gmane.emacs.devel Subject: Re: gmail+imap+smtp (oauth2) Date: Wed, 04 May 2022 09:34:20 -0400 Message-ID: References: <871qxbdulc.fsf@mat.ucm.es> <877d72nf3h.fsf@gmail.com> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="1755"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux) Cc: Richard Stallman , jostein@kjonigsen.net, emacs-devel@gnu.org To: Tim Cross Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Wed May 04 15:35:07 2022 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nmF9m-0000IV-KR for ged-emacs-devel@m.gmane-mx.org; Wed, 04 May 2022 15:35:06 +0200 Original-Received: from localhost ([::1]:58354 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nmF9l-00035p-9t for ged-emacs-devel@m.gmane-mx.org; Wed, 04 May 2022 09:35:05 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:57204) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nmF98-0002LG-S1 for emacs-devel@gnu.org; Wed, 04 May 2022 09:34:26 -0400 Original-Received: from mail-qt1-x82c.google.com ([2607:f8b0:4864:20::82c]:34622) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1nmF96-0007sM-Fm for emacs-devel@gnu.org; Wed, 04 May 2022 09:34:26 -0400 Original-Received: by mail-qt1-x82c.google.com with SMTP id k2so828810qtp.1 for ; Wed, 04 May 2022 06:34:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fitzsim-org.20210112.gappssmtp.com; s=20210112; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=Trw+0D1GrKk7ZQhUv3viF+mjzZBOtMc3M1WmVi7qruQ=; b=M/XaT36R3AGVhS3lhNmpgg8hhaiUXeVLMGURDko89VFbWT3H/VI+lZi78JnJb2nkXg ryvssdzcXCaAc+Bi8wnN2alPT/he954PgQ7Scv78upmUmFfDFSjiCrr+L9X0kFdPpMhk C38yy80WjR+nOtrF5Jd0XlUqu3+7cizJD4UJYXPnOGYWsDol04hZPiRSLvuSHn/4O/lb nd312gsU6tRaHyDST+DKukq1sUIkKPz5hOrc2d+vTMVJdYFdTz7elT+cnvDnJPu3ev+u vPIyhdW6T78c6SQWVCjcMI/m62xZD5PsKjXelcDVkN4am08l/cQk06v3ues/Ep3JacQG O97g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=Trw+0D1GrKk7ZQhUv3viF+mjzZBOtMc3M1WmVi7qruQ=; b=ou//Gf9ZF1KKWSU/ANf3RwRTCsHvBv7hsx2W63h2vByz5FnBj6FMsht8DoOWlCpm73 it/RasjwAFjOxVmt3MyL/AfIOk/1Q8YNucUa+ti4lKkobql1kmioqkSyWbxjRjDcpx1Z WsrvB8n3KQe/5/82rx9aMb/h2jMRelrZtfKjem/6cWTduZkq5aCPxoebMDJkRiEO33Pq uusBFz+ef6TfY25zwyCdbZIPP4dX9q9ECockq/M8xdg4dTnh/7SFg8Uf/CMoQpKnI2AH RqkEy5J+X7+PWXvBaanIKM4wczZGi/BMvKK6932DY43pbTSgrzXcgB+w+lcWE4UviAZm hRLQ== X-Gm-Message-State: AOAM5339iCsVZzMBxLnrqxU8/5O7r0Q83d4XS7Cl0WxOT/M5JB2DVQSR AieRMelLyDf5TnvXHqK6xfJ8U/1bJeVeiRlp X-Google-Smtp-Source: ABdhPJw0iMiMWdJeTCLSKPyeA54V1Mbk36Y6pO7WEA9kcZMYVK52W8IvhfFEofOmiTHBfyNWfEPskw== X-Received: by 2002:a05:622a:1646:b0:2f3:a610:9d99 with SMTP id y6-20020a05622a164600b002f3a6109d99mr13026901qtj.55.1651671262684; Wed, 04 May 2022 06:34:22 -0700 (PDT) Original-Received: from localhost.localdomain (69-165-165-189.dsl.teksavvy.com. [69.165.165.189]) by smtp.gmail.com with ESMTPSA id s15-20020a05620a030f00b0069fc13ce254sm7230426qkm.133.2022.05.04.06.34.21 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 04 May 2022 06:34:21 -0700 (PDT) In-Reply-To: <877d72nf3h.fsf@gmail.com> (Tim Cross's message of "Wed, 04 May 2022 12:05:37 +1000") Received-SPF: pass client-ip=2607:f8b0:4864:20::82c; envelope-from=fitzsim@fitzsim.org; helo=mail-qt1-x82c.google.com X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:289173 Archived-At: Hi Tim, Tim Cross writes: > Richard Stallman writes: > >> [[[ To any NSA and FBI agents reading my email: please consider ]]] >> [[[ whether defending the US Constitution against all enemies, ]]] >> [[[ foreign or domestic, requires you to follow Snowden's example. ]]] >> >> > I landed on the conclusion that SMTP >> > and IMAP should keep working as long as you use app-passwords for >> > logging in to your account. >> >> Can you explain what "app-passwords" are? I have never used Gmail, >> and I don't need to know technical details, but I have to think >> about the ethical implications of this. [...] > I don't think there are any significant ethical considerations > associated with app passwords (in addition to those associated with > using Google/Gmail that is). It is likely that setting the app password > via the Google account settings page involves non-free Javascript, but I > think that boat sailed when you initially sign up for a gmail account > anyway. One issue with OAuth2 schemes is that they periodically force the user through a web-browser-only authentication process that requires non-free JavaScript, in order to get a refresh token. (I'm hoping someone can prove me wrong, and point me to a command-line procedure using only free software that allows me to get a refresh token when required. We're told OAuth2 is a modern standard, right? So there should be a modern, standard way of doing the same things as the JavaScript authentication blobs... right?) There are two issues, which I think should be considered separately: One-time registration requiring non-free JavaScript (1). Subsequently requiring non-free JavaScript for authentication to use IMAP or SMTP protocols (2). See the discussion in this bug report, closed wontfix: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=41386 I'm hoping the FSF will study and comment on the issue in general, given that gmail.com, such a large email provider, is making this OAuth2 change. To me, issue (2) seems like a high priority one for Free Software. Keep in mind that avoiding issue (1) isn't always optional, from an employee/student perspective. Thomas