GNU bug report logs -
#9113
24.0.50; auth-sources: .authinfo versus .authinfo.gpg
Message #29 received at 9113 <at> debbugs.gnu.org (full text, mbox):
SM> That might be a good option.
> It works fairly well but it's hacky, and can't be shared with other
> programs.
Indeed, it's a major downside.
> I'd like to implement it with libnettle at least, so it doesn't depend
> on the external gpg utility.
But that would make it work even less with other programs.
LI> Yes. But it will require the user to type in a password to get to the
LI> password. :-) And again, programs like Firefox default to storing the
LI> passwords in non-encrypted files, so I don't really see why Emacs should
LI> be more difficult to use than Firefox.
I don't know about you, but I don't let Firefox store my mailbox's
password. I have a lot of passwords stored in Firefox's database, but
they're all things I don't really care about (e.g. passwords to log into
some stupid web-forums).
SM> Another option (the better long-term option) is to use an external
SM> keychain service to handle these issues. That's what we should focus on
SM> for the "next time".
> Do you mean gpg-agent or the OS keychain?
I mean the keychain.
> Neither is available on all platforms consistently.
AFAIK all platforms have a keychain nowadays and it's the best place to
put sensitive passwords such as the ones used to access your IMAP server.
>>> IIRC for 23 the default was to keep the password for the current session
>>> and not to store it in any file at all. I think it's a better default
>>> than writing it in clear in some file, so at least for 24.1 reverting to
>>> the Emacs-23 default is very attractive.
LI> Well, Emacs 23 just made you write the .authinfo file by hand. Emacs 24
LI> prompts you for whether you want to store the password or not. If you
LI> don't want to, say "n".
Yes, I guess it's good enough.
> One possible flow:
> If the user says `y' then we can ask (if `auth-sources' is 'ask)
> "Do you want to keep your passwords in a GPG-encrypted file?"
> If they say `y' then set `auth-sources' to "~/.authinfo.gpg" and check
> that EPA/EPG are enabled. If GPG is not available, what do we do? Use
> libnettle? Or explain and pretend they said `n'?
If GPG is not available, ask a different question, as in "It will be
saved in cleartext, is that OK?"
Stefan
This bug report was last modified 13 years and 123 days ago.