From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Lars Ingebrigtsen <larsi@gnus.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#9113: 24.0.50; auth-sources: .authinfo versus .authinfo.gpg
Date: Mon, 30 Jan 2012 17:18:03 +0100
Message-ID: <87y5spdv0k.fsf@gnus.org>
References: <87mxgcffq1.fsf@niu.edu> <87k44ffsdu.fsf@lifelogs.com>
	<jwv4nvj1awv.fsf-monnier+emacs@gnu.org> <87aa5aa38p.fsf@lifelogs.com>
	<20259.46649.66744.396059@gargle.gargle.HOWL>
	<877h0bveaq.fsf@gnus.org>
	<20260.19768.553254.135471@gargle.gargle.HOWL>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: dough.gmane.org 1327940348 25653 80.91.229.3 (30 Jan 2012 16:19:08 GMT)
X-Complaints-To: usenet@dough.gmane.org
NNTP-Posting-Date: Mon, 30 Jan 2012 16:19:08 +0000 (UTC)
Cc: 9113@debbugs.gnu.org, Ted Zlatanov <tzz@lifelogs.com>
To: "Roland Winkler" <winkler@gnu.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Mon Jan 30 17:19:07 2012
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([140.186.70.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1Rrtwf-0003CP-8b
	for geb-bug-gnu-emacs@m.gmane.org; Mon, 30 Jan 2012 17:19:05 +0100
Original-Received: from localhost ([::1]:38700 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1Rrtwe-0006uh-P8
	for geb-bug-gnu-emacs@m.gmane.org; Mon, 30 Jan 2012 11:19:04 -0500
Original-Received: from eggs.gnu.org ([140.186.70.92]:35474)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1RrtwY-0006uV-05
	for bug-gnu-emacs@gnu.org; Mon, 30 Jan 2012 11:19:03 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1RrtwR-0003Qt-Sw
	for bug-gnu-emacs@gnu.org; Mon, 30 Jan 2012 11:18:57 -0500
Original-Received: from debbugs.gnu.org ([140.186.70.43]:41772)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1RrtwR-0003Qp-Ot
	for bug-gnu-emacs@gnu.org; Mon, 30 Jan 2012 11:18:51 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.72)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Rrtwb-000602-UF
	for bug-gnu-emacs@gnu.org; Mon, 30 Jan 2012 11:19:01 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Lars Ingebrigtsen <larsi@gnus.org>
Original-Sender: debbugs-submit-bounces@debbugs.gnu.org
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Mon, 30 Jan 2012 16:19:01 +0000
Resent-Message-ID: <handler.9113.B9113.132794031123017@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 9113
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
Original-Received: via spool by 9113-submit@debbugs.gnu.org id=B9113.132794031123017
	(code B ref 9113); Mon, 30 Jan 2012 16:19:01 +0000
Original-Received: (at 9113) by debbugs.gnu.org; 30 Jan 2012 16:18:31 +0000
Original-Received: from localhost ([127.0.0.1]:45394 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1Rrtw6-0005zB-A8
	for submit@debbugs.gnu.org; Mon, 30 Jan 2012 11:18:30 -0500
Original-Received: from hermes.netfonds.no ([80.91.224.195]:48928)
	by debbugs.gnu.org with esmtp (Exim 4.72)
	(envelope-from <larsi@gnus.org>) id 1Rrtw2-0005z2-HV
	for 9113@debbugs.gnu.org; Mon, 30 Jan 2012 11:18:28 -0500
Original-Received: from 93-41-188-50.ip82.fastwebnet.it ([93.41.188.50] helo=rusty)
	by hermes.netfonds.no with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.72) (envelope-from <larsi@gnus.org>)
	id 1Rrtvi-0007nB-0H; Mon, 30 Jan 2012 17:18:06 +0100
In-Reply-To: <20260.19768.553254.135471@gargle.gargle.HOWL> (Roland Winkler's
	message of "Sat, 28 Jan 2012 13:32:08 -0600")
User-Agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.92 (gnu/linux)
X-MailScanner-ID: 1Rrtvi-0007nB-0H
MailScanner-NULL-Check: 1328545086.32235@721grmwwMNMcs8YfR3GYYw
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.13
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 2)
X-Received-From: 140.186.70.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:56222
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/56222>

"Roland Winkler" <winkler@gnu.org> writes:

> But then it appears to me that elsewhere there is a problem:
>
> Why is it necessary that Emacs reads this file three gazillion
> times? I would assume: reading the encrypted file once and holding
> the content in memory cannot be more unsecure than storing the
> sensitive information in an unencrypted file.

Yes, that's more secure.  Now that you mention it, perhaps we did fix
the aggressive password prompting?  I seem to remember adding a cache at
some point...

Anyway, having to enter a password for (say) sending email, even if your
SMTP server isn't password-protected (as you have to do with
.authinfo.gpg) isn't particularly ideal.

So I think the .authinfo.gpg concept isn't a good thing.  (But
encrypting tokens in the .authinfo file might be.)

And perhaps the password token in .authinfo should always be obscured,
at least, to avoid accidentally spilling the passwords (visually) if you
do a grep .* or something.  (This is what all the other
password-hoarding applications like Firefox, Chrome, etc do by default.)

-- 
(domestic pets only, the antidote for overdose, milk.)
  http://lars.ingebrigtsen.no  *  Sent from my Rome