From: Arthur Miller
Newsgroups: gmane.emacs.devel
Subject: Re: Making GNUS continue to work with Gmail
Date: Sat, 22 Aug 2020 09:24:12 +0200
To: Gregory Heytings via "Emacs development discussions."
Cc: Gregory Heytings, Richard Stallman
In-Reply-To: (Gregory Heytings via's message of "Fri, 21 Aug 2020 17:16:46 +0000")

Gregory Heytings via "Emacs development discussions."
writes:

>>
>>> Yes, if they agree to take the legal responsibility of the use of these
>>> credentials, and if they pay if Google wants to have the code of the program
>>> reviewed by security experts.
>>
>> I am completely lost here. What legal responsibility is involved?
>>
>
> This is an answer that developers cannot give you. It's a question that only a
> lawyer can answer. But I at least would not agree to personally take the risk
> of being sued by Google for having knowingly violated their terms of service,
> even if Google tolerates (at the moment at least) that free software projects
> violate these TOS. I observe that this is what happened in similar projects,
> e.g. Kmail: it's not an individual who has submitted the app for verification by
> Google, but a legal person, KDE e.V.
>
> Violating these TOS by making the OAuth credentials public (which is what
> happens in a free software project) can have consequences, for example if a
> malicious person uses them in their own app to fraudulently gain access to
> Google accounts.
>
>>
>> I've asked for someone to please tell me, in brief terms, the concrete
>> requirements for issuing an app key to something like GNUS, but I have not
>> seen a reply stating them.
>>
>
> Google's terms of service for OAuth services are available at
> https://developers.google.com/terms . Only a lawyer can tell you in brief terms
> what the concrete requirements are.
>
> I've just read them again, and it seems to me that:
>
> - Paragraph 4.a.1, which states that "you will not create an API Client that
>   functions substantially the same as the APIs and offer it for use by third
>   parties", expressly prohibits your idea of creating a "modif[ied] Kmail so
>   that it does the necessary low-level access, and nothing else".
>
> - Paragraph 4.b.1, which states that "You will keep your credentials
>   confidential and make reasonable efforts to prevent and discourage other API
>   Clients from using your credentials. Developer credentials may not be embedded
>   in open source projects." prohibits the use of OAuth credentials in free
>   software projects. As I wrote above (and earlier), Google tolerates (at the
>   moment) that this specific point of their TOS is violated. But that doesn't
>   mean that violating them is without legal risk.
>
> - Paragraph 9.c lists the legal risks: "Unless prohibited by applicable law, if
>   you are a business, you will defend and indemnify Google, and its affiliates,
>   directors, officers, employees, and users, against all liabilities, damages,
>   losses, costs, fees (including legal fees), and expenses relating to any
>   allegation or third-party legal proceeding to the extent arising from: - your
>   misuse or your end user's misuse of the APIs; - your violation or your end
>   user's violation of the Terms; or - any content or data routed into or used
>   with the APIs by you, those acting on your behalf, or your end users." Of
>   course an individual person is not a business, but nobody is completely
>   independent, and I'd guess that Google would seek redress against that
>   person's employer for example.
>
> What I wrote above is nothing but my understanding. Again, only a lawyer can
> tell you what these TOS concretely imply.
>
> Gregory

Just as a curiosity: have you guys thought about asking Google for
help/clarification? Can't FSF send a mail to Google lawyers/devs and ask what
has to be done to get FSF/GNU software to work with Google services?

Of course there is no certainty that Google will answer in any meaningful way, if
at all, but have you tried?