From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Gregory Heytings via "Emacs development discussions." <emacs-devel@gnu.org>
Newsgroups: gmane.emacs.devel
Subject: Re: Making GNUS continue to work with Gmail
Date: Tue, 18 Aug 2020 09:15:12 +0000
Message-ID: <alpine.NEB.2.21.2008181045480394.27168@sdf.lonestar.org>
References: <m38shor86n.fsf@fitzsim.org> <878sf9c69y.fsf@gnus.org>
 <E1jzBBX-0007nJ-0s@fencepost.gnu.org> <871rkw62t3.fsf@gnus.org>
 <E1k3Wq4-00055u-Ns@fencepost.gnu.org> <87bljki71n.fsf@mat.ucm.es>
 <87364wxlec.fsf@gnus.org> <87imdsgmlw.fsf@mat.ucm.es>
 <yw8778cive.fsf@vtyht.birch.chromebook> <871rkfhkhc.fsf@mat.ucm.es>
 <ywve7ajkzws.fsf@vtyht.birch.chromebook> <p91y2mm4htt.fsf@google.com>
 <m2wo25iju4.fsf@gmail.com> <875z9p5hnc.fsf@mat.ucm.es>
 <m2h7t9i2mq.fsf@gmail.com>
 <d0ab8a1d-68d8-4e03-f7a3-ff5445ddd0d0@harpegolden.net>
 <87364pbkn0.fsf@gnus.org> <87lfihe0zf.fsf@mat.ucm.es>
 <874kp55l8t.fsf@gnus.org> <pxwho8nd3z4h.fsf@gmail.com>
 <E1k6o3N-00082y-2J@fencepost.gnu.org> <m2ft8o413l.fsf@gmail.com>
 <E1k7A3B-0005ei-Ag@fencepost.gnu.org>
 <alpine.NEB.2.21.2008160957050394.3721@sdf.lonestar.org>
 <E1k7Vk9-0002D0-BP@fencepost.gnu.org>
 <alpine.NEB.2.21.2008170916570394.24165@sdf.lonestar.org>
 <E1k7svJ-0004x5-6k@fencepost.gnu.org>
Reply-To: emacs-devel@gnu.org, Gregory Heytings <ghe@sdf.org>
Mime-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="23211"; mail-complaints-to="usenet@ciao.gmane.io"
User-Agent: Alpine 2.21 (NEB 202 2017-01-01)
Cc: Richard Stallman <rms@gnu.org>
To: emacs-devel@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Tue Aug 18 11:15:56 2020
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1k7xim-0005wP-2K
	for ged-emacs-devel@m.gmane-mx.org; Tue, 18 Aug 2020 11:15:56 +0200
Original-Received: from localhost ([::1]:45498 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>)
	id 1k7xil-0002IA-1h
	for ged-emacs-devel@m.gmane-mx.org; Tue, 18 Aug 2020 05:15:55 -0400
Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:57034)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ghe@sdf.org>) id 1k7xiH-0001qH-AF
 for emacs-devel@gnu.org; Tue, 18 Aug 2020 05:15:25 -0400
Original-Received: from mx.sdf.org ([205.166.94.24]:57917)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ghe@sdf.org>)
 id 1k7xiE-0008H0-UE; Tue, 18 Aug 2020 05:15:25 -0400
Original-Received: from sdf.org (IDENT:ghe@faeroes.freeshell.org [205.166.94.9])
 by mx.sdf.org (8.15.2/8.14.5) with ESMTPS id 07I9FFbY019485
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits) verified NO);
 Tue, 18 Aug 2020 09:15:15 GMT
Original-Received: (from ghe@localhost)
 by sdf.org (8.15.2/8.12.8/Submit) id 07I9FFT9019863;
 Tue, 18 Aug 2020 09:15:15 GMT
In-Reply-To: <E1k7svJ-0004x5-6k@fencepost.gnu.org>
Received-SPF: pass client-ip=205.166.94.24; envelope-from=ghe@sdf.org;
 helo=mx.sdf.org
X-detected-operating-system: by eggs.gnu.org: First seen = 2020/08/18 04:17:07
X-ACL-Warn: Detected OS   = ???
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/emacs-devel>,
 <mailto:emacs-devel-request@gnu.org?subject=subscribe>
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org
Original-Sender: "Emacs-devel"
 <emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org>
Xref: news.gmane.io gmane.emacs.devel:253934
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/253934>


>
> > "will have to run _that same_ nonfree software to start": no.  For 
> > solution (1), it is necessary to use 
> > https://console.developers.google.com to "create" an app
>
> We are miscommunicaing here.  I am talking about option (2), where the 
> user only has to log in and permit access to per account via the 
> already-existing app.  (Or at least, that's what I think you said.)
>
> I'm not talking about option (1) since it is totally unacceptable.
>

It was not clear at all until now that option (1) was totally 
unacceptable.

>
> What we avoid on principle is the situation where use of our software 
> depends on running nonfree software.  For one person to run nonfree 
> software once, to make it unnecessary for others to run it, is the sort 
> of situation which we consider a legitimate exception.
>

Okay, I was not aware of that subtlety.

>
> Also, I am not convinced it has to be done by "someone from [the GNU 
> Project], or on behalf of [the GNU Project]".
>

Well, this is what happened for Kmail, Thunderbird and others.  The person 
who applies to have an app approved by Google becomes legally responsible 
of the use of the OAuth credentials received at the end of the process. 
In the case of an app that is used by many people around the world, this 
should be a legal person, not an individual.

Moreover one of the (possible) steps in having Google approve an app is to 
have the code of the app reviewed by security experts, and it is the 
person who applies to have an app approved who has to pay for this. 
Again this cannot be an individual.

Writing the privacy policy is also something that an individual cannot do, 
and that is required by Google.

>
> It could be anyone who wants to keep using GNUS with Gmail (and is 
> willing to sometimes run Gmail's nonfree JS code).  If someone does this 
> and sends us some data, we can use it.
>

Yes, if they agree to take the legal responsibility of the use of these 
credentials, and if they pay if Google wants to have the code of the 
program reviewed by security experts.

>
> This brings me to another issue that may be harder to work around. What 
> conditions would someone have to agree to when requesting Google's 
> approval for an app?  There could be something morally unacceptable in 
> that.  Though it does matter who would have to agree to it.
>

I gave some indications above.  But I'm not a lawyer.

>
> Here's an idea.  Is it possible to modify Kmail so that it does the 
> necessary low-level access, and nothing else?  Delete the code for 
> displaying an editing mail.  This drastically modified version of Kmail 
> would satisfy Kmail's license.  GNUS and Rmail could use it, much as 
> they used to use movemail.
>

It's an idea indeed, but I fear it is not a good one.  It means at least 
that:

(1) The KDE foundation would become legally responsible of the use of the 
OAuth credentials by people outside of the KDE project.  They would most 
likely officially ask you to stop using their credentials.  If you did not 
agree, the risk for them is that their credentials would be revoked by 
Google.

(2) During the OAuth grant process (when a user adds an account to their 
email client), the OAuth credentials are used to identify the app.  In 
other words, with your idea the Gnus user would be presented with a screen 
which says "The app Kmail wants to access your email.  Approve?".  A Gnus 
user would not know what "Kmail" is, or at least would be reluctant to 
click on "Approve".

Gregory