GNU bug report logs -
#9113
24.0.50; auth-sources: .authinfo versus .authinfo.gpg
Previous Next
Full log
Message #17 received at 9113 <at> debbugs.gnu.org (full text, mbox):
>>> The Emacs maintainers asked me to make the default unencrypted. I don't
>>> think they will change their position.
SM> I can't remember exactly how we got there. But I do agree that saving
SM> a password unencrypted by default is not a good idea.
> I don't recall exactly either. But here's how we can proceed. We have
> several options:
> 1) go back to authinfo.gpg as the first choice
I'm not sure what this means: how does it fix the problem, what other
consequences does it have? E.g. will Emacs end up asking for my
password to read autoinfo.gpg even though the thing it's looking for is
not there?
> 2) use unencrypted authinfo with encrypted password tokens, which
> looks like this:
> machine supertest password
> gpg:jA0EAwMC2tUEaZgM7A5gyWM/owySdCOS/cjoFCuf8LI1d1kYX7z6cjsNkakM04u1geh/iesqyH3XQFI+SEVLb/oEC/EoQ0LIgRRoBiLyu9XZWN1ytY7MQxpPZniFz13oGV4/Dwl8yrP3Hba5LfQpHy2FZRM=
That might be a good option.
> Additionally, we should decide if any of this is happening for 24.1. I
> would really prefer to make the default more secure for 24.1.
IIRC for 23 the default was to keep the password for the current session
and not to store it in any file at all. I think it's a better default
than writing it in clear in some file, so at least for 24.1 reverting to
the Emacs-23 default is very attractive.
Another option (the better long-term option) is to use an external
keychain service to handle these issues. That's what we should focus on
for the "next time".
Stefan
This bug report was last modified 13 years and 123 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.