From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thomas Fitzsimmons
Newsgroups: gmane.emacs.devel
Subject: Re: gmail+imap+smtp (oauth2)
Date: Wed, 04 May 2022 11:41:29 -0400
References: <871qxbdulc.fsf@mat.ucm.es> <877d72nf3h.fsf@gmail.com> <87v8ul4ad4.fsf@gmail.com>
To: Tim Cross
Cc: Richard Stallman, jostein@kjonigsen.net, emacs-devel@gnu.org
In-Reply-To: <87v8ul4ad4.fsf@gmail.com> (Tim Cross's message of "Thu, 05 May 2022 00:48:35 +1000")
List-Id: "Emacs development discussions."
Xref: news.gmane.io gmane.emacs.devel:289187

Hi Tim,

Tim Cross writes:

> Thomas Fitzsimmons writes:

[...]

>> Tim Cross writes:
>>
>>> Richard Stallman writes:
>>>
>>>> [[[ To any NSA and FBI agents reading my email: please consider ]]]
>>>> [[[ whether defending the US Constitution against all enemies, ]]]
>>>> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>>>>
>>>> > I landed on the conclusion that SMTP
>>>> > and IMAP should keep working as long as you use app-passwords for
>>>> > logging in to your account.
>>>>
>>>> Can you explain what "app-passwords" are? I have never used Gmail,
>>>> and I don't need to know technical details, but I have to think
>>>> about the ethical implications of this.
>>
>> [...]
>>
>>> I don't think there are any significant ethical considerations
>>> associated with app passwords (in addition to those associated with
>>> using Google/Gmail that is). It is likely that setting the app password
>>> via the Google account settings page involves non-free Javascript, but I
>>> think that boat sailed when you initially sign up for a gmail account
>>> anyway.
>>
>> One issue with OAuth2 schemes is that they periodically force the user
>> through a web-browser-only authentication process that requires non-free
>> JavaScript, in order to get a refresh token.
>>
>> (I'm hoping someone can prove me wrong, and point me to a command-line
>> procedure using only free software that allows me to get a refresh token
>> when required. We're told OAuth2 is a modern standard, right? So there
>> should be a modern, standard way of doing the same things as the
>> JavaScript authentication blobs... right?)
>>
>> There are two issues, which I think should be considered separately:
>>
>> One-time registration requiring non-free JavaScript (1).
>>
>> Subsequently requiring non-free JavaScript for authentication to use
>> IMAP or SMTP protocols (2).
>>
>> See the discussion in this bug report, closed wontfix:
>>
>> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=41386
>>
>> I'm hoping the FSF will study and comment on the issue in general, given
>> that gmail.com, such a large email provider, is making this OAuth2
>> change. To me, issue (2) seems like a high priority one for Free
>> Software. Keep in mind that avoiding issue (1) isn't always optional,
>> from an employee/student perspective.
>>
>
> I think you're confusing oauth2 as an authn/authz framework/standard and
> its implementation as done by Google.

Are you aware of any email provider that advertises "OAuth 2.0" but that
does not require non-free JavaScript blobs for authentication?

> There is nothing which requires oauth2 be implemented in Javascript or
> that requires it to use non-free software.

So can you describe how to get an OAuth 2.0 gmail.com refresh token
without the use of non-free JavaScript?

Thanks,
Thomas