[Patch] Avoid recording chars when reading passwords

[Patch] Avoid recording chars when reading passwords

[Manuel Giraud]

[-- Attachment #1: Type: text/plain, Size: 81 bytes --]

Hi,

With this patch, passwords won't appear in the lossage or the dribble
file.

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Avoid-recording-chars-when-reading-passwords.patch --]
[-- Type: text/x-patch, Size: 2635 bytes --]

From a15d43e2cd80307e2597f7888a4920d73fa58362 Mon Sep 17 00:00:00 2001
From: Manuel Giraud <manuel@ledu-giraud.fr>
Date: Wed, 8 Jun 2022 15:39:39 +0200
Subject: [PATCH] Avoid recording chars when reading passwords

* lisp/subr.el (read-passwd): inhibit char recording when reading
a password.
* src/keyboard.c (syms_of_keyboard, read_char): introduce
`do-not-record-char' to inhibit char recording.
---
 lisp/subr.el   |  1 +
 src/keyboard.c | 18 +++++++++++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/lisp/subr.el b/lisp/subr.el
index 50ae357a13..1007237fb6 100644
--- a/lisp/subr.el
+++ b/lisp/subr.el
@@ -3048,6 +3048,7 @@ read-passwd
             (use-local-map read-passwd-map)
             (setq-local inhibit-modification-hooks nil) ;bug#15501.
 	    (setq-local show-paren-mode nil)		;bug#16091.
+            (setq-local do-not-record-char t)
             (add-hook 'post-command-hook #'read-password--hide-password nil t))
         (unwind-protect
             (let ((enable-recursive-minibuffers t)
diff --git a/src/keyboard.c b/src/keyboard.c
index 55d710ed62..a628c2d2df 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -3046,10 +3046,13 @@ read_char (int commandflag, Lisp_Object map,
 
   /* Store these characters into recent_keys, the dribble file if any,
      and the keyboard macro being defined, if any.  */
-  record_char (c);
-  recorded = true;
-  if (! NILP (also_record))
-    record_char (also_record);
+  if (!do_not_record_char)
+    {
+      record_char (c);
+      recorded = true;
+      if (! NILP (also_record))
+	record_char (also_record);
+    }
 
   /* Wipe the echo area.
      But first, if we are about to use an input method,
@@ -3172,7 +3175,7 @@ read_char (int commandflag, Lisp_Object map,
   /* When we consume events from the various unread-*-events lists, we
      bypass the code that records input, so record these events now if
      they were not recorded already.  */
-  if (!recorded)
+  if (!recorded && !do_not_record_char)
     {
       record_char (c);
       recorded = true;
@@ -12561,6 +12564,11 @@ syms_of_keyboard (void)
 \(Even if the operating system has support for stopping a process.)  */);
   cannot_suspend = false;
 
+  DEFVAR_BOOL ("do-not-record-char", do_not_record_char,
+	       doc: /* Non-nil means to not record chars.
+Those chars would not appear in the dribble file or in `view-lossage'.  */);
+  do_not_record_char = false;
+
   DEFVAR_BOOL ("menu-prompting", menu_prompting,
 	       doc: /* Non-nil means prompt with menus when appropriate.
 This is done when reading from a keymap that has a prompt string,
-- 
2.36.0


[-- Attachment #3: Type: text/plain, Size: 18 bytes --]

-- 
Manuel Giraud

Re: [Patch] Avoid recording chars when reading passwords

[Eli Zaretskii]

> From: Manuel Giraud <manuel@ledu-giraud.fr>
> Date: Wed, 08 Jun 2022 15:46:19 +0200
> 
> With this patch, passwords won't appear in the lossage or the dribble
> file.

We already have a facility for this, see 'no-record' in the
description of unread-command-events in the ELisp manual.  Please see
if you can use that instead.

And if you must have a variable, I'd prefer to un-obsolete
inhibit--record-char, which was once used for this purpose, but no
longer is, and restore the code in keyboard.c which supported it.

Thanks.

Re: [Patch] Avoid recording chars when reading passwords

[Manuel Giraud]

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Manuel Giraud <manuel@ledu-giraud.fr>
>> Date: Wed, 08 Jun 2022 15:46:19 +0200
>> 
>> With this patch, passwords won't appear in the lossage or the dribble
>> file.
>
> We already have a facility for this, see 'no-record' in the
> description of unread-command-events in the ELisp manual.  Please see
> if you can use that instead.

Ok but I don't quite understand how unread-command-events works. For
instance, if I put this code into `read-passwd':

--8<---------------cut here---------------start------------->8---
(setq-local unread-command-events
            (mapcar #'(lambda (x) (cons 'no-record x))
                    (listify-key-sequence "mypassword")))
--8<---------------cut here---------------end--------------->8---

It will prefilled (and not recorded) at prompt with "mypassord" but I'd
like to be able to type the real password that I don't know in
advance. In `read-passwd', the password is read with `read-string' that
is C code… Anyway, can someone explain what is the purpose (and usage)
of unread-command-events?

> And if you must have a variable, I'd prefer to un-obsolete
> inhibit--record-char, which was once used for this purpose, but no
> longer is, and restore the code in keyboard.c which supported it.

I was not aware of this code. But yes, maybe we should do that.

Thanks.
-- 
Manuel Giraud

Re: [Patch] Avoid recording chars when reading passwords

[Manuel Giraud]

[-- Attachment #1: Type: text/plain, Size: 597 bytes --]

Hi,

So I digged into the log and found that `inhibit--record-char' was
obsoleted in bd5c740419.

The reason seems to be that "quail.el" was the last user of this
variable and use it to inhibit a second recording after the first
one. AFAIU, quail.el now have function (quail-add-unread-command-events)
that put a copy of those events with 'no-record into
unread-command-events to have this behaviour.

I was not able to do the same when reading password (there is just one
read_char involved), so as Eli suggested, I choose to un-obsolete
`inhibit--record-char' and use it in `read-passwd' only.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Avoid-recording-passwords-chars.patch --]
[-- Type: text/x-patch, Size: 2416 bytes --]

From 8bfbc312ef7cb1f8f2cfd4ea8feda99af86e48a3 Mon Sep 17 00:00:00 2001
From: Manuel Giraud <manuel@ledu-giraud.fr>
Date: Tue, 14 Jun 2022 11:14:02 +0200
Subject: [PATCH] Avoid recording passwords' chars

* src/keyboard.c (syms_of_keyboard): un-obsolete
`inhibit--record-char'.
* lisp/subr.el (read-passwd): use `inhibit--record-char' to
inhibit passwords recording.
---
 lisp/subr.el   |  7 +------
 src/keyboard.c | 12 ++++++++++++
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/lisp/subr.el b/lisp/subr.el
index 50ae357a13..29f9706c39 100644
--- a/lisp/subr.el
+++ b/lisp/subr.el
@@ -1883,12 +1883,6 @@ 'inhibit-nul-byte-detection
 (make-obsolete-variable 'load-dangerous-libraries
                         "no longer used." "27.1")
 
-(defvar inhibit--record-char nil
-  "Obsolete variable.
-This was used internally by quail.el and keyboard.c in Emacs 27.
-It does nothing in Emacs 28.")
-(make-obsolete-variable 'inhibit--record-char nil "28.1")
-
 (define-obsolete-function-alias 'compare-window-configurations
   #'window-configuration-equal-p "29.1")
 
@@ -3048,6 +3042,7 @@ read-passwd
             (use-local-map read-passwd-map)
             (setq-local inhibit-modification-hooks nil) ;bug#15501.
 	    (setq-local show-paren-mode nil)		;bug#16091.
+            (setq-local inhibit--record-char t)
             (add-hook 'post-command-hook #'read-password--hide-password nil t))
         (unwind-protect
             (let ((enable-recursive-minibuffers t)
diff --git a/src/keyboard.c b/src/keyboard.c
index 55d710ed62..fbdc0e9107 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -3307,6 +3307,10 @@ help_char_p (Lisp_Object c)
 static void
 record_char (Lisp_Object c)
 {
+  /* subr.el/read-passwd binds this to avoid recording passwords.  */
+  if (inhibit_record_char)
+    return;
+
   int recorded = 0;
 
   if (CONSP (c) && (EQ (XCAR (c), Qhelp_echo) || EQ (XCAR (c), Qmouse_movement)))
@@ -12992,6 +12996,14 @@ syms_of_keyboard (void)
 changed.  */);
   Vdisplay_monitors_changed_functions = Qnil;
 
+  DEFVAR_BOOL ("inhibit--record-char",
+	       inhibit_record_char,
+	       doc: /* If non-nil, don't record input events.
+This inhibits recording input events for the purposes of keyboard
+macros, dribble file, and `recent-keys'.
+Internal use only.  */);
+  inhibit_record_char = false;
+
   pdumper_do_now_and_after_load (syms_of_keyboard_for_pdumper);
 }
 
-- 
2.36.1


[-- Attachment #3: Type: text/plain, Size: 18 bytes --]

-- 
Manuel Giraud

Re: [Patch] Avoid recording chars when reading passwords

[Eli Zaretskii]

> From: Manuel Giraud <manuel@ledu-giraud.fr>
> Cc: emacs-devel@gnu.org
> Date: Tue, 14 Jun 2022 11:38:00 +0200
> 
> So I digged into the log and found that `inhibit--record-char' was
> obsoleted in bd5c740419.
> 
> The reason seems to be that "quail.el" was the last user of this
> variable and use it to inhibit a second recording after the first
> one. AFAIU, quail.el now have function (quail-add-unread-command-events)
> that put a copy of those events with 'no-record into
> unread-command-events to have this behaviour.
> 
> I was not able to do the same when reading password (there is just one
> read_char involved), so as Eli suggested, I choose to un-obsolete
> `inhibit--record-char' and use it in `read-passwd' only.

Thanks.

Stefan, do you see any way of producing (no-record . CH) from "normal"
input APIs, for reading input that shouldn't be echoed or recorded?

If not, we will resurrect that variable and use it instead.

Re: [Patch] Avoid recording chars when reading passwords

[Stefan Monnier]

Eli Zaretskii [2022-06-14 14:35:37] wrote:
> Stefan, do you see any way of producing (no-record . CH) from "normal"
> input APIs, for reading input that shouldn't be echoed or recorded?

No: the (no-record . CH) is specific to `unread-command-events`, i.e. to
events that are "synthesized" (typically from previously read events)
whereas those events that come from the keyboard get added directly to
the lossage buffer before we have a chance to do anything about it.

> If not, we will resurrect that variable and use it instead.

Sounds good to me.


        Stefan

Re: [Patch] Avoid recording chars when reading passwords

[Eli Zaretskii]

> From: Stefan Monnier <monnier@iro.umontreal.ca>
> Cc: Manuel Giraud <manuel@ledu-giraud.fr>,  emacs-devel@gnu.org
> Date: Tue, 14 Jun 2022 08:34:22 -0400
> 
> > If not, we will resurrect that variable and use it instead.
> 
> Sounds good to me.

OK, thanks.

The next question is: do we want to enable this by default and in a
way that users cannot have the previous behavior back?

In any case, this needs a NEWS entry, I think.

Re: [Patch] Avoid recording chars when reading passwords

[Manuel Giraud]

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Stefan Monnier <monnier@iro.umontreal.ca>
>> Cc: Manuel Giraud <manuel@ledu-giraud.fr>,  emacs-devel@gnu.org
>> Date: Tue, 14 Jun 2022 08:34:22 -0400
>> 
>> > If not, we will resurrect that variable and use it instead.
>> 
>> Sounds good to me.
>
> OK, thanks.
>
> The next question is: do we want to enable this by default and in a
> way that users cannot have the previous behavior back?

I think that having this as a default is a good thing™ (no more clear
password in lossage).  About being able to revert this behaviour, I know
I won't use it but maybe it has some use case with the dribble file: do
people use the dribble file as some automation tool for example?

> In any case, this needs a NEWS entry, I think.

Ok, I'd one to this patch when we have decide the default and if it
needs a user option.
-- 
Manuel Giraud

Re: [Patch] Avoid recording chars when reading passwords

[Eli Zaretskii]

> From: Manuel Giraud <manuel@ledu-giraud.fr>
> Cc: Stefan Monnier <monnier@iro.umontreal.ca>,  emacs-devel@gnu.org
> Date: Wed, 15 Jun 2022 09:59:31 +0200
> 
> Eli Zaretskii <eliz@gnu.org> writes:
> 
> > The next question is: do we want to enable this by default and in a
> > way that users cannot have the previous behavior back?
> 
> I think that having this as a default is a good thing™ (no more clear
> password in lossage).  About being able to revert this behaviour, I know
> I won't use it but maybe it has some use case with the dribble file: do
> people use the dribble file as some automation tool for example?
> 
> > In any case, this needs a NEWS entry, I think.
> 
> Ok, I'd one to this patch when we have decide the default and if it
> needs a user option.

Sounds like having this on by default is what people want.  But we
need a knob to revert to the previous behavior, and we need a NEWS
entry.  Could you please prepare an updated patch with those two
additions?

Thanks.

Re: [Patch] Avoid recording chars when reading passwords

[Akib Azmain Turja]

[-- Attachment #1: Type: text/plain, Size: 1370 bytes --]

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Manuel Giraud <manuel@ledu-giraud.fr>
>> Cc: Stefan Monnier <monnier@iro.umontreal.ca>,  emacs-devel@gnu.org
>> Date: Wed, 15 Jun 2022 09:59:31 +0200
>> 
>> Eli Zaretskii <eliz@gnu.org> writes:
>> 
>> > The next question is: do we want to enable this by default and in a
>> > way that users cannot have the previous behavior back?
>> 
>> I think that having this as a default is a good thing™ (no more clear
>> password in lossage).  About being able to revert this behaviour, I know
>> I won't use it but maybe it has some use case with the dribble file: do
>> people use the dribble file as some automation tool for example?
>> 
>> > In any case, this needs a NEWS entry, I think.
>> 
>> Ok, I'd one to this patch when we have decide the default and if it
>> needs a user option.
>
> Sounds like having this on by default is what people want.  But we
> need a knob to revert to the previous behavior, and we need a NEWS
> entry.  Could you please prepare an updated patch with those two
> additions?
>
> Thanks.
>

Yes, there should be an option to revert it, otherwise it'll break my
"workflow"[1].

[1]: https://xkcd.com/1172/

-- 
Akib Azmain Turja

This message is signed by me with my GnuPG key.  It's fingerprint is:

    7001 8CE5 819F 17A3 BBA6  66AF E74F 0EFA 922A E7F5

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: [Patch] Avoid recording chars when reading passwords

[Akib Azmain Turja]

[-- Attachment #1: Type: text/plain, Size: 1774 bytes --]

Akib Azmain Turja <akib@disroot.org> writes:

> Eli Zaretskii <eliz@gnu.org> writes:
>
>>> From: Manuel Giraud <manuel@ledu-giraud.fr>
>>> Cc: Stefan Monnier <monnier@iro.umontreal.ca>,  emacs-devel@gnu.org
>>> Date: Wed, 15 Jun 2022 09:59:31 +0200
>>> 
>>> Eli Zaretskii <eliz@gnu.org> writes:
>>> 
>>> > The next question is: do we want to enable this by default and in a
>>> > way that users cannot have the previous behavior back?
>>> 
>>> I think that having this as a default is a good thing™ (no more clear
>>> password in lossage).  About being able to revert this behaviour, I know
>>> I won't use it but maybe it has some use case with the dribble file: do
>>> people use the dribble file as some automation tool for example?
>>> 
>>> > In any case, this needs a NEWS entry, I think.
>>> 
>>> Ok, I'd one to this patch when we have decide the default and if it
>>> needs a user option.
>>
>> Sounds like having this on by default is what people want.  But we
>> need a knob to revert to the previous behavior, and we need a NEWS
>> entry.  Could you please prepare an updated patch with those two
>> additions?
>>
>> Thanks.
>>
>
> Yes, there should be an option to revert it, otherwise it'll break my
> "workflow"[1].
>
> [1]: https://xkcd.com/1172/
>
> -- 
> Akib Azmain Turja
>
> This message is signed by me with my GnuPG key.  It's fingerprint is:
>
>     7001 8CE5 819F 17A3 BBA6  66AF E74F 0EFA 922A E7F5

And I think it would be useful to record non self-insert keys (like
"M-x") while typing password, since those key aren't related to the
password.

-- 
Akib Azmain Turja

This message is signed by me with my GnuPG key.  It's fingerprint is:

    7001 8CE5 819F 17A3 BBA6  66AF E74F 0EFA 922A E7F5

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

Re: [Patch] Avoid recording chars when reading passwords

[Manuel Giraud]

Akib Azmain Turja <akib@disroot.org> writes:

[...]

> And I think it would be useful to record non self-insert keys (like
> "M-x") while typing password, since those key aren't related to the
> password.

Hi,

I've just tried and this patch does just that: you can "M-x something"
in the middle of entering a password and the execute-extended-command
will be recorded but not the password.

Eli, Stefan, should I try to have a custom to revert this back?  What
would be the name of such custom?  record-password?
-- 
Manuel Giraud

Re: [Patch] Avoid recording chars when reading passwords

[Eli Zaretskii]

> From: Manuel Giraud <manuel@ledu-giraud.fr>
> Cc: Eli Zaretskii <eliz@gnu.org>,  monnier@iro.umontreal.ca,
>  emacs-devel@gnu.org
> Date: Mon, 20 Jun 2022 11:58:30 +0200
> 
> Eli, Stefan, should I try to have a custom to revert this back?

Yes.  And a NEWS entry, please.

> What would be the name of such custom?  record-password?

I think it would be better to have a more general name, in case we
would want to exempt more stuff from being recorded.  Something like
record-all-keys, perhaps (with an explanation in the doc string that
currently it only affects password entry)?

Re: [Patch] Avoid recording chars when reading passwords

[Manuel Giraud]

[-- Attachment #1: Type: text/plain, Size: 347 bytes --]

Eli Zaretskii <eliz@gnu.org> writes:

[...]

> I think it would be better to have a more general name, in case we
> would want to exempt more stuff from being recorded.  Something like
> record-all-keys, perhaps (with an explanation in the doc string that
> currently it only affects password entry)?

Ok. Here is an updated version of the patch.

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-Avoid-recording-passwords-chars.patch --]
[-- Type: text/x-patch, Size: 3909 bytes --]

From 06ead0deb3faa0b2cb9124c2c68966d9d3e3d015 Mon Sep 17 00:00:00 2001
From: Manuel Giraud <manuel@ledu-giraud.fr>
Date: Tue, 14 Jun 2022 11:14:02 +0200
Subject: [PATCH] Avoid recording passwords' chars

* lisp/cus-start.el (standard): New user custom `record-all-keys'.
* src/keyboard.c (syms_of_keyboard): Un-obsolete
`inhibit--record-char'.
* lisp/subr.el (read-passwd): Use `inhibit--record-char' to
inhibit passwords recording.
---
 etc/NEWS          |  6 ++++++
 lisp/cus-start.el |  1 +
 lisp/subr.el      |  7 +------
 src/keyboard.c    | 18 ++++++++++++++++++
 4 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/etc/NEWS b/etc/NEWS
index 1b8560a923..bee92b62f8 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -365,6 +365,12 @@ This inhibits putting empty strings onto the kill ring.
 These options allow adjusting point and scrolling a window when
 dragging items from another program.
 
++++
+** New user option 'record-all-keys'.
+If non-nil, this option will force recording of all input keys
+including in passwords prompt (this was the previous behaviour).  It
+now defaults to NIL and inhibits recording of passwords.
+
 +++
 ** New function 'command-query'.
 This function makes its argument command prompt the user for
diff --git a/lisp/cus-start.el b/lisp/cus-start.el
index d8c4b48035..ca2fca4eb7 100644
--- a/lisp/cus-start.el
+++ b/lisp/cus-start.el
@@ -398,6 +398,7 @@ minibuffer-prompt-properties--setter
 	     ;;    			(const :tag " current dir" nil)
 	     ;;    			(directory :format "%v"))))
 	     (load-prefer-newer lisp boolean "24.4")
+             (record-all-keys keyboard boolean)
 	     ;; minibuf.c
 	     (minibuffer-follows-selected-frame
               minibuffer (choice (const :tag "Always" t)
diff --git a/lisp/subr.el b/lisp/subr.el
index 50ae357a13..29f9706c39 100644
--- a/lisp/subr.el
+++ b/lisp/subr.el
@@ -1883,12 +1883,6 @@ 'inhibit-nul-byte-detection
 (make-obsolete-variable 'load-dangerous-libraries
                         "no longer used." "27.1")
 
-(defvar inhibit--record-char nil
-  "Obsolete variable.
-This was used internally by quail.el and keyboard.c in Emacs 27.
-It does nothing in Emacs 28.")
-(make-obsolete-variable 'inhibit--record-char nil "28.1")
-
 (define-obsolete-function-alias 'compare-window-configurations
   #'window-configuration-equal-p "29.1")
 
@@ -3048,6 +3042,7 @@ read-passwd
             (use-local-map read-passwd-map)
             (setq-local inhibit-modification-hooks nil) ;bug#15501.
 	    (setq-local show-paren-mode nil)		;bug#16091.
+            (setq-local inhibit--record-char t)
             (add-hook 'post-command-hook #'read-password--hide-password nil t))
         (unwind-protect
             (let ((enable-recursive-minibuffers t)
diff --git a/src/keyboard.c b/src/keyboard.c
index 55d710ed62..51a424e61f 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -3307,6 +3307,11 @@ help_char_p (Lisp_Object c)
 static void
 record_char (Lisp_Object c)
 {
+  /* subr.el/read-passwd binds inhibit_record_char to avoid recording
+     passwords.  */
+  if (!record_all_keys && inhibit_record_char)
+    return;
+
   int recorded = 0;
 
   if (CONSP (c) && (EQ (XCAR (c), Qhelp_echo) || EQ (XCAR (c), Qmouse_movement)))
@@ -12992,6 +12997,19 @@ syms_of_keyboard (void)
 changed.  */);
   Vdisplay_monitors_changed_functions = Qnil;
 
+  DEFVAR_BOOL ("inhibit--record-char",
+	       inhibit_record_char,
+	       doc: /* If non-nil, don't record input events.
+This inhibits recording input events for the purposes of keyboard
+macros, dribble file, and `recent-keys'.
+Internal use only.  */);
+  inhibit_record_char = false;
+
+  DEFVAR_BOOL ("record-all-keys", record_all_keys,
+	       doc: /* Non-nil means to record all typed keys.  When
+nil, only passwords' keys are not recorded.  */);
+  record_all_keys = false;
+
   pdumper_do_now_and_after_load (syms_of_keyboard_for_pdumper);
 }
 
-- 
2.36.1


[-- Attachment #3: Type: text/plain, Size: 18 bytes --]

-- 
Manuel Giraud

Re: [Patch] Avoid recording chars when reading passwords

[Eli Zaretskii]

> From: Manuel Giraud <manuel@ledu-giraud.fr>
> Cc: akib@disroot.org,  monnier@iro.umontreal.ca,  emacs-devel@gnu.org
> Date: Mon, 20 Jun 2022 17:28:05 +0200
> 
> Ok. Here is an updated version of the patch.

Thanks.  Two minor nits (but you don't have to submit another patch,
this will be fixed when installing):

> +** New user option 'record-all-keys'.
> +If non-nil, this option will force recording of all input keys
> +including in passwords prompt (this was the previous behaviour).  It
> +now defaults to NIL and inhibits recording of passwords.
                   ^^^
We use 'nil' (lower-case, without the quotes).  Also, the "now" part
is redundant.

> +  DEFVAR_BOOL ("record-all-keys", record_all_keys,
> +	       doc: /* Non-nil means to record all typed keys.  When
> +nil, only passwords' keys are not recorded.  */);

The first line of a doc string should be a single complete sentence
(for the benefit of help commands, like 'apropos', which only show the
first lines).

Re: [Patch] Avoid recording chars when reading passwords

[Eli Zaretskii]

> Date: Mon, 20 Jun 2022 18:52:17 +0300
> From: Eli Zaretskii <eliz@gnu.org>
> Cc: akib@disroot.org, monnier@iro.umontreal.ca, emacs-devel@gnu.org
> 
> > From: Manuel Giraud <manuel@ledu-giraud.fr>
> > Cc: akib@disroot.org,  monnier@iro.umontreal.ca,  emacs-devel@gnu.org
> > Date: Mon, 20 Jun 2022 17:28:05 +0200
> > 
> > Ok. Here is an updated version of the patch.
> 
> Thanks.  Two minor nits (but you don't have to submit another patch,
> this will be fixed when installing):

Now installed on master, thanks.

Re: [Patch] Avoid recording chars when reading passwords

[Stefan Monnier]

> The next question is: do we want to enable this by default

I'm strongly in favor of it being enabled by default, yes.
I think most people expect that their passwords aren't trivially
available in clear from the lossage.

> and in a way that users cannot have the previous behavior back?

I'd think being able to redefine `read-password` is sufficient, because
it should really be extremely uncommon to need your password to appear
in lossage and/or a dribble file.


        Stefan

Re: [Patch] Avoid recording chars when reading passwords

[Eli Zaretskii]

> From: Stefan Monnier <monnier@iro.umontreal.ca>
> Cc: manuel@ledu-giraud.fr,  emacs-devel@gnu.org
> Date: Wed, 15 Jun 2022 08:27:51 -0400
> 
> > and in a way that users cannot have the previous behavior back?
> 
> I'd think being able to redefine `read-password` is sufficient, because
> it should really be extremely uncommon to need your password to appear
> in lossage and/or a dribble file.

Dribble file is a debug facility, and quite an important one at that.
Lossage is also a troubleshooting facility, at least in some of its
uses.

So asking that people redefine functions for that is too harsh,
IMNSHO.  What's the harm from having a variable that people could flip
if they need it?