Re: gmail+imap+smtp (oauth2)

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

Thanks very much for spelling out the whole situation clearly.

(Where does TOTP fit into this picture?)

  > At this stage, I do not know of any way to create/register a google
  > account which does not require Javascript and the status of that
  > javascript is unknown, but can be expected to be non-free. Once you have
  > created an account, the only way to access your account 'settings' page
  > is to login to the Google site, again requiring use of non-free
  > javascript. 

This is an injustice, of course.  It is one reason to refuse to use
Gmail.  It may be possible to write free replacement Javascript code
and use that instead.  But it doesn't pertain to Emacs in particular,
so we don't need to go into it here.

In case a school demands you have a Gmail account, it would be useful
if we had instructions to send to the staff, saying, "You may create
the account, choose a password, and tell it to me.  (Since it will
only be for email to and from the school, it makes no difference to me
that school staff will know the password.)  Please choose an account
name with no resemblance to my name.  Please set the account settings
as follows so that my software can access the account."

  > Google has started enforcing 2FA (now mandatory on all new accounts).

If 2FA is enabled, in which situations does the user have to do the
2FA procedure?  And how many times?  Only once, for setup -- or
repeatedly?

This, I think, is where the possibility of using hardware keys such as
the Yubikey, is pertinent,

> Personally, I think the thunderbird position is the right one. It
  > minimises the need to use non-free software and I think it is unlikely
  > Google will cancel their application ID. Even if they do, all the user
  > then needs to do is setup application passwords and use them. 

I tend to agree, except that the FSF can't do it by making a contract
with Google that we intend not to keep.

  > What might be good is if the FSF could get clarification from Google
  > regarding the T&C requirements for application ID.

Actually I doubt that Google would respond.  Also,

  > There are some risks associated with requesting clarification. If google
  > comes back and categorically states the application ID cannot be
  > embedded in *a free* program

that is a cogent reason not to ask,

(We shun the term "open source" because it implies rejection of our moral
stance.  Likewise the term "closed source", which also rejects it.
See https://gnu.org/philosophy/open-source-misses-the-point.html.)


-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)