From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: gmail+imap+smtp (oauth2)
Date: Mon, 09 May 2022 10:01:10 +1000
Message-ID: <87tu9za6wu.fsf@gmail.com>
To: rms@gnu.org
Cc: tom@logand.com, fitzsim@fitzsim.org, jostein@kjonigsen.net, emacs-devel@gnu.org

Richard Stallman writes:

> [[[ To any NSA and FBI agents reading my email: please consider ]]]
> [[[ whether defending the US Constitution against all enemies, ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
> Thanks very much for spelling out the whole situation clearly.
>
> (Where does TOTP fit into this picture?)

For the 2FA process. Instead of using something like Google
Authenticator, you could use an open source TOTP client. You're still
going to have to use the non-free Javascript based UI, you're just using
less non-free software. However, as they say, you cannot be a little bit
pregnant!

>
> > At this stage, I do not know of any way to create/register a google
> > account which does not require Javascript and the status of that
> > javascript is unknown, but can be expected to be non-free.
> > Once you have created an account, the only way to access your account
> > 'settings' page is to login to the Google site, again requiring use of
> > non-free javascript.
>
> This is an injustice, of course. It is one reason to refuse to use
> Gmail. It may be possible to write free replacement Javascript code
> and use that instead. But it doesn't pertain to Emacs in particular,
> so we don't need to go into it here.
>

True. It is also possible Google does provide an API which a school or
institution could use to create a custom account registration and
settings update site. Note also that many larger institutions may
actually integrate Google into their in-house identity and access
management (IAM) system (it is one of the strengths of oauth2, being
able to integrate with 3rd party identity providers). However, few (if
any) of the commercial IAM solutions are based on libre software (there
are some Universities who have been working on an IAM solution which is
based on libre packages, but sadly, too many Universities have ignorant
administrators who still see proprietary = quality, libre = amateur).

> In case a school demands you have a Gmail account, it would be useful
> if we had instructions to send to the staff, saying, "You may create
> the account, choose a password, and tell it to me. (Since it will
> only be for email to and from the school, it makes no difference to me
> that school staff will know the password.) Please choose an account
> name with no resemblance to my name. Please set the account settings
> as follows so that my software can access the account."
>

There is no way any institution would support such a workflow. Apart
from the additional resource demands, it would raise lots of questions
regarding staff knowing students' email passwords. In many
schools/Universities, email is considered an official record and many
critical workflows are based around it (enrolling, unenrolling,
assignment submission, various approval processes etc).

> > Google has started enforcing 2FA (now mandatory on all new accounts).
>
> If 2FA is enabled, in which situations does the user have to do the
> 2FA procedure? And how many times? Only once, for setup -- or
> repeatedly?
>

Basically, every time you connect from a new device or new browser and
any time you want to modify your settings. Of course, you can change
that and enforce 2FA every time you try to access a service.

> This, I think, is where the possibility of using hardware keys such as
> the Yubikey, is pertinent,
>