GNU bug report logs - #8069
23.2.94; auth-source should support ~/.netrc by default


Packages: emacs, gnus;

Reported by: Reuben Thomas <rrt <at> sc3d.org>

Date: Thu, 17 Feb 2011 22:06:02 UTC

Severity: wishlist

Found in version 23.2.94

Done: Lars Magne Ingebrigtsen <larsi <at> gnus.org>

Bug is archived. No further changes may be made.



Message #8 received at 8069 <at> debbugs.gnu.org (full text, mbox):

From: Lars Magne Ingebrigtsen <lmi <at> gnus.org>
To: Reuben Thomas <rrt <at> sc3d.org>
Cc: 8069 <at> debbugs.gnu.org
Subject: Re: bug#8069: 23.2.94; auth-source should support ~/.netrc by default
Date: Thu, 17 Feb 2011 16:37:24 -0800

Reuben Thomas <rrt <at> sc3d.org> writes:

> auth-source is trying to encourage users to use ~/.authinfo rather than
> ~/.netrc. This is fine. But many programs and libraries still use
> ~/.netrc (personally, until reading the auth-source manual I had not
> heard of ~/.authinfo).

I don't quite remember why we started using ~/.authinfo instead of
~/.netrc?  I think that change was done a long, long time ago.  (At
least for nntp.el.)  Anybody remember?  Was there a technical reason?

This was done in:

66292b12 lisp/nntp.el      (Lars Magne Ingebrigtsen 1998-03-07 16:19:30 +0000  243) (defcustom nntp-authinfo-file "~/.authinfo"

and the ChangeLog entry helpfully says

+	* nntp.el (nntp-authinforc-file): Changed default.

Yay me.

But, yes, I think ~/.netrc should be added to the list of auth sources
to consult.

> Carrot: Default to searching ~/.netrc (unencrypted), ~/.authinfo
> (unencrypted), and ~/.authinfo.gpg (encrypted). This means that users
> with an unencrypted file or old-name file are not annoyed.

Agreed.

> By all means create a symlink from ~/.authinfo to ~/.netrc if the
> former doesn’t already exist, and don’t actually search ~/.netrc. (But
> maybe that would create potential security problems of its own.)

Nah.  Symlinks shouldn't be necessary.

> Stick: Display a minibuffer warning message when an unencrypted file is
> found. Thus, the user is not actually interrupted (which breeds
> annoyance), but does receive a gentle reminder that encrypted is better.

No, I don't think any reminders are necessary.  It's perfectly
reasonable to keep your passwords (for services you don't consider to be
super-secret for you) unencrypted.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi <at> gnus.org * Lars Magne Ingebrigtsen
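
A check in the spirit of the "Stick" proposal quoted above, as an added example that is not part of the original thread or of Emacs's auth-source code: it looks for the three files named in the report and flags plaintext ones and loose permissions. The function names, the `.gpg`-suffix test and the sample contents are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Files named in the report, in the order the quoted "Carrot" paragraph lists them.
CANDIDATES = (".netrc", ".authinfo", ".authinfo.gpg")


def count_plaintext_passwords(path):
    """Count 'password <value>' pairs in a netrc-style file (whitespace tokens only)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        tokens = iter(fh.read().split())
    # next() consumes the value so a password equal to "password" is not recounted.
    return sum(1 for tok in tokens if tok == "password" and next(tokens, None) is not None)


def audit_credential_files(home):
    """Return one finding per candidate file that exists under `home`."""
    findings = []
    for name in CANDIDATES:
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        encrypted = name.endswith(".gpg")  # assumption: the suffix signals GPG encryption
        findings.append({
            "file": name,
            "encrypted": encrypted,
            "mode": oct(mode),
            "group_or_other_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "plaintext_passwords": 0 if encrypted else count_plaintext_passwords(path),
        })
    return findings


def demo():
    """Audit a constructed home directory (sample contents, not real credentials)."""
    samples = [
        (".netrc", 0o644, "machine news.example.org login alice password hunter2\n"),
        (".authinfo.gpg", 0o600, "(opaque ciphertext placeholder)\n"),
    ]
    with tempfile.TemporaryDirectory() as home:
        for name, mode, body in samples:
            path = os.path.join(home, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit_credential_files(home)
```

Calling `audit_credential_files(os.path.expanduser("~"))` runs the same check against a real home directory; the tokenizer ignores netrc quoting and comments, so the password count is an estimate.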




This bug report was last modified 13 years and 329 days ago.
