Richard Stallman writes:

>> It looks like this approach keeps popping up as a "possible
>> solution," so I'll just point out again that this is _already
>> implemented_ in the package above, and is being used by various people
>> to make Gnus work with Gmail and XOAuth2. The discussion here is about
>> how to _avoid_ having to do that.
>
> What IS "this approach"? Does it get a key that GNUS can use for everyone?
> Does it have each user get a key from Google?

Others already replied, but in any case: the approach I and Lars were replying to and was quoted in my message, namely

>>> Yeah, we could just use that and tell the users to "just" register their
>>> own developer accounts at Google and then put the keys somewhere. It's
>>> a really really horrid experience to go through, though, and Google will
>>> sic an API compliancy review at the users at random.

... so each user gets a key from Google. The procedure for doing so is documented in the auth-source-xoauth2 package.

The only difference between this and the "one key GNUS can use for everyone" approach is that the latter requires (a) an official, Google-approved, GNUS/Emacs app registered from which keys can be shared, and (b) a key sharing mechanism. From what I've seen from Kmail/Kontact/KPim/etc replies, (a) and (b) is exactly what they are doing, and there's no way around this. The only question is how to achieve those in a way that is compatible with both Google terms and FSF requirements, if there is such a way.

Thunderbird "achieves" (b) by having "secret" keys in source code. I don't know what the K* applications do, it did not seem to be specified in their discussions. In any case, (b), which seems to be the unsolvable puzzle, isn't even worth pursuing if (a) is not doable under FSF requirements, and that is something that only somebody from the FSF can determine.

Looks to me like the most direct course of action here would be for somebody from the FSF to contact *Google themselves* and ask them for guidance on how to make libre software make use of OAuth2 authentication. They may say "can't be done, we won't allow it," but at least the discussion will have an official resolution then and there.

-- 
Cesar Crusius