From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: gmail+imap+smtp (oauth2)
Date: Sat, 07 May 2022 13:22:33 +1000
Message-ID: <87wneyc6zu.fsf@gmail.com>
References: <871qxbdulc.fsf@mat.ucm.es> <877d72nf3h.fsf@gmail.com> <87v8ul4ad4.fsf@gmail.com> <87r157qcta.fsf@logand.com>
To: Richard Stallman
Cc: Tomas Hlavaty, fitzsim@fitzsim.org, jostein@kjonigsen.net, emacs-devel@gnu.org
User-Agent: mu4e 1.7.13; emacs 28.1.50
List-Id: "Emacs development discussions."
Xref: news.gmane.io gmane.emacs.devel:289365

Richard Stallman writes:

> [[[ To any NSA and FBI agents reading my email: please consider ]]]
> [[[ whether defending the US Constitution against all enemies, ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
> > but as pointed out, the real issue is not so much on the client side
> > but on the server side
>
> Since the issue is whether we can use free software to make GNUS talk
> with Gmail, naturally the issue has a "server side".
> Would you please identify more precisely what "real issue" you mean?
> For instance, quote the text that described this issue?
>
> There have been so many messages about this that I can't identify one
> of them based on a general description of what it said.

You're looking for a clear, concise, short explanation of a larger, complex set of problems. There are multiple issues.

Big question: Can you use Gmail using only libre software? Answer: NO.
Subsequent question: Can you minimise the use of non-libre software? Yes.

At this stage, I do not know of any way to create/register a Google account which does not require JavaScript, and the status of that JavaScript is unknown, but it can be expected to be non-free. Once you have created an account, the only way to access your account 'settings' page is to log in to the Google site, again requiring the use of non-free JavaScript.

Google login authentication supports a number of different 2FA schemes. Some are non-free (SMS, Google Authenticator). Some are free (KeePassXC). It is up to the user to select which scheme is used.

Until recently, once your account was registered, you could use libre tools to access your messages and send new ones via IMAP and SMTP. However, you do have to use the non-free account settings page to turn these services on, and you must not enable 2FA. Once they are enabled, you don't need to use the non-free login/settings pages again (unless you want to change your password or other settings).

Google has started enforcing 2FA (now mandatory on all new accounts). If you have 2FA, you cannot use your 'normal' Google username/password with IMAP and SMTP. At this point you have 2 choices. This is where the main issue for this thread started. The choices are:

1. Use application passwords. These are a 'special' password you create using your Google settings page (running non-free software). Once you have the application password, you can use IMAP/SMTP with libre clients, using the application password in place of your 'normal' password. At this point, your retrieval and sending of messages can be done using only libre software.

2. Use a Google OAuth2-compliant client to obtain an OAuth2 access token which you then use as your password in your libre IMAP/SMTP client. However, at this time, there doesn't seem to be any libre Google OAuth2 client we can use.
If there were, it would be theoretically possible to access your emails and send new ones using only libre software and avoid needing to log in to the non-free settings page to set up application passwords.

The issue with having a libre OAuth2 client is that the client needs to be approved by Google and issued with an application ID which is supplied as part of the client authorisation request. The Google T&C state that this value must be kept secret. If we put this ID into the source code, it won't be secret and therefore not compliant with Google's T&C.

It has been argued that the interpretation of the T&C is misleading or ambiguous and the application ID does not need to be kept secret (or does not need to be 'as secret' as something like a password). Other projects, like Thunderbird, appear to be adopting this position and have incorporated OAuth2 authentication, eliminating the need for application passwords or the need for users to use the non-free Google login page in order to access IMAP/SMTP. The risk for them is that if Google decides their application has not complied with the T&C, they will cancel the application ID and Thunderbird will stop working with Google.

Personally, I think the Thunderbird position is the right one. It minimises the need to use non-free software and I think it is unlikely Google will cancel their application ID. Even if they do, all the user then needs to do is set up application passwords and use them.

What might be good is if the FSF could get clarification from Google regarding the T&C requirements for the application ID. I suspect Google's intention with the T&C is that developers should not publicise the application ID, i.e. having it embedded in source code is OK, having it referenced on the web site homepage is not. As Stefan pointed out, even with closed source software, an embedded ID of this type can still be extracted by anyone with sufficient patience and knowledge of how to use a debugger.
There are some risks associated with requesting clarification. If Google comes back and categorically states the application ID cannot be embedded in an open source program and we then go ahead and do it, I guess Google could use that as a pretext for more serious legal action. It would not be possible to argue it was an error and it would likely be seen as a deliberate breach of their T&C. A situation FSF lawyers would probably find unacceptable.
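As an added illustration (not code from this thread, from Gnus or from any other project), the following Python shows the two places where the values argued about above actually appear in a public OAuth2 client for Gmail: the application ID (the OAuth2 client_id) goes into a URL the user's browser visits, so it is visible by construction, and the access token is handed to IMAP/SMTP "in place of a password" as a SASL XOAUTH2 initial response. The model is the one RFC 8252 (OAuth for native apps) assumes: a native client is a public client, and the authorization exchange is protected by PKCE (RFC 7636) and a state check rather than by any secret. The endpoint URL, scope and XOAUTH2 encoding are Google's documented ones; the client_id, redirect URI, user and token values are constructed placeholders, and the token-endpoint exchange (code plus verifier for a token) is left out since it needs a network round trip.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's documented authorization endpoint and the scope for full IMAP/SMTP access.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GMAIL_SCOPE = "https://mail.google.com/"

# Constructed placeholders (hypothetical values, not a registered client).
# The client_id is an identifier sent in the browser's address bar; every user sees it.
CLIENT_ID = "000000000000-example.apps.googleusercontent.com"
REDIRECT_URI = "http://127.0.0.1:8080/"  # loopback redirect, as RFC 8252 recommends


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636.

    The verifier never leaves the client; only its SHA-256 (base64url, unpadded)
    goes into the authorization request. An attacker who captures the returned
    authorization code cannot redeem it without the verifier.
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorization_url(client_id, redirect_uri, code_challenge, state):
    """Build the browser URL for the authorization request. Note: no client secret anywhere."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": GMAIL_SCOPE,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
        "access_type": "offline",  # also ask for a refresh token
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Pull the authorization code out of the redirect; a state mismatch is rejected (CSRF guard)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: this is not the request we started")
    if "error" in query:
        raise ValueError("authorization refused: " + query["error"][0])
    return query["code"][0]


def xoauth2_initial_response(user, access_token):
    """Encode the SASL XOAUTH2 initial client response that IMAP and SMTP expect.

    Wire format: base64("user=" + user + ^A + "auth=Bearer " + token + ^A + ^A),
    where ^A is the byte 0x01. It follows "AUTHENTICATE XOAUTH2" (IMAP) or
    "AUTH XOAUTH2" (SMTP), which is what "using the token as the password" means.
    """
    raw = "user={}\x01auth=Bearer {}\x01\x01".format(user, access_token)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_initial_response(encoded):
    """Server-side view: decode the response and return (user, token), rejecting malformed input."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing the two terminating ^A bytes")
    fields = {}
    for item in raw[:-2].split("\x01"):
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed field: " + item)
        fields[key] = value
    if set(fields) != {"user", "auth"} or not fields["auth"].startswith("Bearer "):
        raise ValueError("unexpected XOAUTH2 fields")
    return fields["user"], fields["auth"][len("Bearer "):]


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    print("Open in a browser:", authorization_url(CLIENT_ID, REDIRECT_URI, challenge, state))
    # After consent the browser is sent to REDIRECT_URI?code=...&state=...; the client
    # checks state with extract_code(), then POSTs code + verifier to the token endpoint.
    token = "ya29.constructed-placeholder-token"  # constructed placeholder, not a real token
    print("A01 AUTHENTICATE XOAUTH2", xoauth2_initial_response("someone@gmail.com", token))
```

Run stand-alone it prints the authorization URL and the IMAP AUTHENTICATE line. The parse function is the server's side of the exchange, included so the wire format can be checked offline; the point it makes for the discussion above is that the only value embedded in the client source, client_id, is also the one value every user is shown in their browser.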