From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.ciao.gmane.io!not-for-mail From: David Engster Newsgroups: gmane.emacs.bugs Subject: bug#41386: 28.0.50; Gnus nnimap OAuth 2.0 support Date: Tue, 19 May 2020 18:00:21 +0200 Message-ID: <87r1vfhq3u.fsf@randomsample> References: <87y2poqehh.fsf@gnus.org> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="ciao.gmane.io:159.69.161.202"; logging-data="4024"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.91 (gnu/linux) Cc: Lars Ingebrigtsen , 41386@debbugs.gnu.org To: Thomas Fitzsimmons Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Tue May 19 18:05:08 2020 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jb4jr-0000m2-Bg for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 19 May 2020 18:05:07 +0200 Original-Received: from localhost ([::1]:59162 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jb4jq-0002Vq-2d for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 19 May 2020 12:05:06 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:54154) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jb4fv-0006FF-EG for bug-gnu-emacs@gnu.org; Tue, 19 May 2020 12:01:03 -0400 Original-Received: from debbugs.gnu.org ([209.51.188.43]:39216) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jb4ft-0002bD-V2 for bug-gnu-emacs@gnu.org; Tue, 19 May 2020 12:01:03 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1jb4ft-0006sn-Sa for bug-gnu-emacs@gnu.org; Tue, 19 May 2020 12:01:01 -0400 X-Loop: help-debbugs@gnu.org Resent-From: David Engster Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Tue, 19 May 2020 16:01:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41386 X-GNU-PR-Package: emacs Original-Received: via spool by 41386-submit@debbugs.gnu.org id=B41386.158990403726418 (code B ref 41386); Tue, 19 May 2020 16:01:01 +0000 Original-Received: (at 41386) by debbugs.gnu.org; 19 May 2020 16:00:37 +0000 Original-Received: from localhost ([127.0.0.1]:50762 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jb4fU-0006s2-Ui for submit@debbugs.gnu.org; Tue, 19 May 2020 12:00:37 -0400 Original-Received: from zplane.randomsample.de ([192.145.45.252]:37908) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jb4fS-0006rj-Gj for 41386@debbugs.gnu.org; Tue, 19 May 2020 12:00:35 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=randomsample.de; s=a; h=Content-Type:MIME-Version:Message-ID:Date: References:In-Reply-To:Subject:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=xn0s9i8sGfPNITMiaRKq+YmcFQAp8a+oDJMEHuiiIeM=; b=OJR2OL2h6AKLHVDCfQ/Mi8YfL +YbtBTOwdEBkFlgjSn1wKXGqu8H8vF2n6Ty0J6m2YsYvbBG7LEu952cVuBjltdbyrZab5tjSLgt0E yFF5F16boabkZlrXt3LXgrCJ5kWbDVtclnghr9l+cfKHUIcpVSQO0q5Fe4ckLNN/kI/Jd9PuFpO4Y P5vsSWXR5M1yZhxrKuSYNl2mXIKx2sA53xcW0teEGrq6Emzo1QK3t4sdvxpWFL0CL54uNnT7+KMCt PzYCEDzS4UF6aipgEIpxZI8aafiBkz25hWdRt/XDhy/uhM7YD7MueyawCoxpUoIiVQ7EwBkiX5Prr 0yyiKvZZQ==; Original-Received: from [95.90.186.238] (helo=void) by zplane.randomsample.de with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jb4fH-0005xh-BI; Tue, 19 May 2020 18:00:27 +0200 In-Reply-To: (Thomas Fitzsimmons's message of "Tue, 19 May 2020 11:37:46 -0400") X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.io gmane.emacs.bugs:180603 Archived-At: > Maybe a solution could be found for Free Software like Emacs. > Thunderbird is mentioned as a not-less-secure-app, so they seem to have > solved this problem to Thunderbird/Google's satisfaction. No, they haven't. It's just that at the moment, no one cares. It is pretty obvious that OAuth2 client id/secrets do not make sense in desktop applications (whether (F)OSS or not), making their whole point moot. Google admits this much in their documentation, where they say The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.) (see https://developers.google.com/identity/protocols/oauth2) People took this paragraph as permission to simply put client id and secret directly into the source code. However, Google *explicitly* forbids this in their developer TOS: Developer credentials (such as passwords, keys, and client IDs) are intended to be used by you and identify your API Client. You will keep your credentials confidential and make reasonable efforts to prevent and discourage other API Clients from using your credentials. Developer credentials may not be embedded in open source projects. (see https://developers.google.com/terms) The Thunderbird people simply ignore this and do it anyway, but it's not like they have much choice. > OK, maybe Google could relax the secrecy requirement for Emacs though, > since I'd hope they'd be sufficiently Free-Software-friendly to work > something out. Google does not care one bit. The solution to this problem is to choose another mail provider. -David