[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: gmail+imap+smtp (oauth2)
From: |
Tim Cross |
Subject: |
Re: gmail+imap+smtp (oauth2) |
Date: |
Thu, 05 May 2022 00:48:35 +1000 |
User-agent: |
mu4e 1.7.13; emacs 28.1.50 |
Thomas Fitzsimmons <fitzsim@fitzsim.org> writes:
> Hi Tim,
>
> Tim Cross <theophilusx@gmail.com> writes:
>
>> Richard Stallman <rms@gnu.org> writes:
>>
>>> [[[ To any NSA and FBI agents reading my email: please consider ]]]
>>> [[[ whether defending the US Constitution against all enemies, ]]]
>>> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>>>
>>> > I landed on the conclusion that SMTP
>>> > and IMAP should keep working as long as you use app-passwords for
>>> > logging in to your account.
>>>
>>> Can you explain what "app-passwords" are? I have never used Gmail,
>>> and I don't need to know technical details, but I have to think
>>> about the ethical implications of this.
>
> [...]
>
>> I don't think there are any significant ethical considerations
>> associated with app passwords (in addition to those associated with
>> using Google/Gmail that is). It is likely that setting the app password
>> via the Google account settings page involves non-free Javascript, but I
>> think that boat sailed when you initially sign up for a gmail account
>> anyway.
>
> One issue with OAuth2 schemes is that they periodically force the user
> through a web-browser-only authentication process that requires non-free
> JavaScript, in order to get a refresh token.
>
> (I'm hoping someone can prove me wrong, and point me to a command-line
> procedure using only free software that allows me to get a refresh token
> when required. We're told OAuth2 is a modern standard, right? So there
> should be a modern, standard way of doing the same things as the
> JavaScript authentication blobs... right?)
>
> There are two issues, which I think should be considered separately:
>
> One-time registration requiring non-free JavaScript (1).
>
> Subsequently requiring non-free JavaScript for authentication to use
> IMAP or SMTP protocols (2).
>
> See the discussion in this bug report, closed wontfix:
>
> https://debbugs.gnu.org/cgi/bugreport.cgi?bug=41386
>
> I'm hoping the FSF will study and comment on the issue in general, given
> that gmail.com, such a large email provider, is making this OAuth2
> change. To me, issue (2) seems like a high priority one for Free
> Software. Keep in mind that avoiding issue (1) isn't always optional,
> from an employee/student perspective.
>
I think your confusing oauth2 as an authn/authz framework/standard and
its implementation as done by Google. There is nothing which requires
oauth2 be implemented in Javascript or that requies it to use non-free
software.
Re: gmail+imap+smtp (oauth2), Richard Stallman, 2022/05/03
- Re: gmail+imap+smtp (oauth2), Tim Cross, 2022/05/03
- Re: gmail+imap+smtp (oauth2), tomas, 2022/05/04
- Re: gmail+imap+smtp (oauth2), Thomas Fitzsimmons, 2022/05/04
- Re: gmail+imap+smtp (oauth2), Stefan Monnier, 2022/05/04
- Re: gmail+imap+smtp (oauth2), Robert Pluim, 2022/05/04
Re: gmail+imap+smtp (oauth2),
Tim Cross <=
Re: gmail+imap+smtp (oauth2), Thomas Fitzsimmons, 2022/05/04
Re: gmail+imap+smtp (oauth2), Richard Stallman, 2022/05/05
Re: gmail+imap+smtp (oauth2), Tomas Hlavaty, 2022/05/06
Re: gmail+imap+smtp (oauth2), Richard Stallman, 2022/05/06
Re: gmail+imap+smtp (oauth2), Tim Cross, 2022/05/07
Re: gmail+imap+smtp (oauth2), Richard Stallman, 2022/05/08
Re: gmail+imap+smtp (oauth2), Tim Cross, 2022/05/08
Re: gmail+imap+smtp (oauth2), Tomas Hlavaty, 2022/05/10
Re: gmail+imap+smtp (oauth2), Tim Cross, 2022/05/10
Re: gmail+imap+smtp (oauth2), Tomas Hlavaty, 2022/05/10