GNU bug report logs - #7487
24.0.50; Gnus nnimap broken

Previous Next

Full log

Message #25 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Lars Magne Ingebrigtsen <larsi <at> gnus.org>
To: Stefan Monnier <monnier <at> iro.umontreal.ca>
Cc: bug-gnu-emacs <at> gnu.org, bugs <at> gnus.org
Subject: Re: bug#7487: 24.0.50; Gnus nnimap broken
Date: Thu, 09 Dec 2010 22:10:35 +0100

Stefan Monnier <monnier <at> iro.umontreal.ca> writes:

>> that I'm tempted to go back to just storing this data in the plain-text
>> ~/.authinfo file until all this has been worked out.
>
> No!!!! Or only after prompting the user five times for
> (different) confirmation.

If you look at other widely used software packages, like Firefox, they
default to just storing the passwords in an (obfuscated) non-encrypted
file.  I don't think that's such a bad default.

>> When writing the ~/.authinfo.gpg file, the user should be queried one
>> thing: "Password for ~/.authinfo.gpg: ****".  And that's it, in my
>> extremely humble opinion.
>
> I partly agree, though some users won't have a key-pair setup, others
> will have several, so the right thing to do may be either to use
> symmetric encryption, or to guess which key-pair to use, and since it's
> a guess there needs to be a way for the user to override the guess.

Again, if you look at what the user experience is with, say, Firefox --
if you have password encryption turned on, then Firefox will prompt you
for the password to unlock your credential storage.  This is intuitive
and works well.

If you want a more complicated credential storage setup, then that
should be a user option, not a default.  At present, the ~/.authinfo.gpg
credential storage is not something you can present to a normal user and
expect them to understand at all.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi <at> gnus.org * Lars Magne Ingebrigtsen

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.