From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Michael Albinus Newsgroups: gmane.emacs.bugs Subject: bug#48598: 28.0.50; buffer-naming collisions involving bouncers in ERC Date: Thu, 21 Apr 2022 09:08:58 +0200 Message-ID: <87czha3oc5.fsf_-___47943.6160925374$1650528508$gmane$org@gmx.de> References: <875yzakzvi.fsf@neverwas.me> <87bkxaeyuw.fsf@neverwas.me> <87zgkisetn.fsf@cassou.me> <87ee1ucvv3.fsf@neverwas.me> <87tuaqs9br.fsf__15054.4815858424$1650295523$gmane$org@cassou.me> <87k0bmbage.fsf@gmx.de> <878rrz268v.fsf@neverwas.me> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="10220"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux) Cc: Damien Cassou , 48598@debbugs.gnu.org, Ted Zlatanov , emacs-erc@gnu.org, Sam Steingold To: "J.P." Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Thu Apr 21 10:08:21 2022 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nhRrR-0002WD-JL for geb-bug-gnu-emacs@m.gmane-mx.org; Thu, 21 Apr 2022 10:08:21 +0200 Original-Received: from localhost ([::1]:46016 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nhRrQ-0005tV-Dv for geb-bug-gnu-emacs@m.gmane-mx.org; Thu, 21 Apr 2022 04:08:20 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:58686) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nhQx0-00034D-O3 for bug-gnu-emacs@gnu.org; Thu, 21 Apr 2022 03:10:02 -0400 Original-Received: from debbugs.gnu.org ([209.51.188.43]:54305) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1nhQx0-0003u4-Cr for bug-gnu-emacs@gnu.org; Thu, 21 Apr 2022 03:10:02 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1nhQx0-000266-1W for bug-gnu-emacs@gnu.org; Thu, 21 Apr 2022 03:10:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Michael Albinus Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Thu, 21 Apr 2022 07:10:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 48598 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch Original-Received: via spool by 48598-submit@debbugs.gnu.org id=B48598.16505249517977 (code B ref 48598); Thu, 21 Apr 2022 07:10:01 +0000 Original-Received: (at 48598) by debbugs.gnu.org; 21 Apr 2022 07:09:11 +0000 Original-Received: from localhost ([127.0.0.1]:48197 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nhQwB-00024b-AA for submit@debbugs.gnu.org; Thu, 21 Apr 2022 03:09:11 -0400 Original-Received: from mout.gmx.net ([212.227.17.22]:43965) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nhQw9-00024J-FO for 48598@debbugs.gnu.org; Thu, 21 Apr 2022 03:09:10 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1650524940; bh=fNZd098x5ntc+UhhR1PY6V5qpBd4hZuzG0ayRHQvzVA=; h=X-UI-Sender-Class:From:To:Cc:Subject:References:Date:In-Reply-To; b=ImS52nrWig3V5HqlsxFUMIXswwtz4zwj1m3brvpcW6Y1w0OeT963hU33OQuvuZTwd IdwtnEX5TgkmpiK9Djh2YrOBi6LUwEB90j8x3YmQOAZuwboxbJN4LO9QOZ+jq3Vdh6 hG8Nm+9lXvvOZITDL+qlLq0htEcjpScou7xMt62M= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Original-Received: from gandalf.gmx.de ([79.140.124.122]) by mail.gmx.net (mrgmx104 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MhlGq-1oLBbX3fKi-00dmq6; Thu, 21 Apr 2022 09:09:00 +0200 In-Reply-To: <878rrz268v.fsf@neverwas.me> (J. P.'s message of "Wed, 20 Apr 2022 07:12:48 -0700") X-Provags-ID: V03:K1:fyXbTA7Qy6F14bVUxsGtS+VKzYgnoinnhVAIzZZ1SgN/2rfRuHI jpBgK2SLyIFOGLtXIOO6PcSofwnyQgUV9ISJPTGMc7qLUU2hd4hc2ZggvFOypL9FqzAD9oB V3WCPHUrriRThIY9jY9Viz1Ee4zg74a8pD1as/H5Xp9YLus2JQ7G8CElnCh4nFCAJXw6Mb1 AIUwaEWI/DIHreKcFlyOA== X-UI-Out-Filterresults: notjunk:1;V03:K0:8vZI5qph56U=:n7etq1Z4Idcv9/cg8ACKqp 5+hiNBfVvislRvuR80RxcGt9KuMnar9XUrDSuaqZ3e8jgtw69ZvLioseeHq7NU4HxlCeKlP0j LePSBKfIAyvBXowO3bUawKAVPnbZFYrZIcFYtVJBANvhpo5QidHk42fnBwGFHeAWl18Ji6sYg bcFcingnJQDl1gD017aO6iGq/jQw+86xNrU86ZHK6snSD5Eq9I0KwEcAgXe9f9+/4HPAIu4E7 peNSluen/EPkrHr7JI+xO60n1t6urGMRDsCsv7Rz0Jzb4ph7Y57GpZXDNTPPX9SkIpIvV/Eca YK7PKqCSvxkZSHbznh13TFKlBQEUzJtvHaWlRLscFbU3M3H1CHCxq8JxGMUw0CcqqiZpxmF78 Qq5Tfqg6GWZJ3G0PWe9qrSx5RCrwUbNYkZub1e2t2umZVU+9f0Xe1EsRQLOFd8623A4IKxI/i WBJMAhj5Swe5se1bWe6jWgtspYXYgsolSAkmDF5lBEuFxTc1xu3M6szrUFSXq/87/X7pwlPr3 SXmKLHGHVDumcz/eOMujmiVu+NMkyfAGRJFsAkRdJ3NA3iJpDreBw3zIli+hK7r0zPMm2b4AL 5d1fkI2mQHVpFUmk46nvr+dobEoiUbbMbs79cSRvRF9nxkRovXWRVVLBeT4QUeuTrHCwNm/Wd A8E7b75oHHLAGqw7miFcV7esalPDo5s2FjWGAMHzGJGNhej5Hc7UHiiaAr36Am/ZpjVFxi53d Vo/pf5J+I8z8Pone2By4qsyDv2GtC3f62eTXJc2Plsb/9QI8uIPNEika8/v1tzDAwxyztEiA X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.io gmane.emacs.bugs:230348 Archived-At: "J.P." writes: > Hi all, Hi, A general remark: I haven't read the complete bug messages, so in case I'm missing something pls point me to this. In fact, I'm focussing on the auth-source releated problems; erc details are not important for me just now. Btw, I found it hard to scan a bug report with so many different problems. Usually, it is more simple to discuss every problem in a separate bug report, in order not to lose control. Except, all of them are strongly dependent. You have said somewhere there is an archive at . I cannot access this URL. Is there another URL to be used? > While it may be tempting to single out pass, this part from the doc > string for `auth-source-search' says that ignoring :max and returning at > most one result is totally acceptable: > > :max N means to try to return at most N items (defaults to 1). > More than N items may be returned, depending on the search and > the backend. Indeed. In Tramp there are two calls of auth-source-search: One call in order to retrieve the password, and there I use ':max 1' explicitly (see `tramp-read-passwd'). And there is another function used for user/host name completion, not looking for the password, and there I use ':max most-positive-fixnum' (see `tramp-parse-auth-sources'). But the former case could refrain from specifying :max. > Now, I suppose it's safe to assume those back ends in auth-source.el > already supporting :max will continue to do so forever and that the > proposed kludges for pass [1] are likewise safe (as long as we only ever > apply them to 27 and 28). > > What I'd like to know is actually something Damien had had the foresight > to raise initially but that I was too dim to grasp fully in the moment: > >> if auth-source-pass doesn't implement auth-source protocol, shouldn't >> we try to improve it instead of working around it in all users of the >> library? Am I missing something? > > In truth, without such an addition (adding :max to auth-source-pass), > I'm not sure it makes sense for ERC to shoot for pass support at all. So > ERC aside, would such a change be worthwhile from the perspective of > auth-source, seeing as pass is technically already fully compliant? Making auth-source-pass conform to the auth-source API would always be a good thing=E2=84=A2. I don't know whether there exist already such a bug re= port, otherwise I recommend you to write a new report. > [2] A couple (non-pass specific) questions: > > - Is there anything obvious to watch out for in our integration > tests to avoid contaminating existing ones for auth-source or > secrets? I don't believe. Just follow the usual recommendation for ERT tests: make a temporary environment for the test (for example, create a temporary auth-source-pass store), run your test, remove test data (for example, remove the temporary auth-source-pass store). That's how the tests in auth-source-tests.el and auth-source-pass-tests.el are designed, IIRC. Since you don't want to test auth-source-pass functionality explicitly, you can of course use any other auth-source backend. The scenario is the same, and you could even provide several test functions like erc-tests--auth-source-netrc, erc-tests--auth-source-json, and alike. > Right now, the only thing we attend to specifically is let-binding > `auth-source-do-cache' around every test. > > - Are there any security-related gotchas to heed when retrieving a > bunch of secrets in bulk and sifting through them? > > Currently, results are narrowed to the best candidate, and its > secret is returned as a string for (relatively) immediate > transmission. IOW, I don't think any obvious references to the > discarded ones remain, if that matters. That sounds OK. Even better would be to use functions for the :secret token, instead of the secret strings themselves. And call that function when you need it. > Thanks everyone, > J.P. Best regards, Michael.