bug#40676: 28.0.50; gnus locks when reading email

[Philip K.]

Richard Stallman <rms@gnu.org> writes:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>   > > Indeed -- it makes libravatar a much worse interface than the central
>   > > Gravatar service (where you just have to trust the Gravatar people
>   > > somewhat, instead of the entire internet).
>   > >
>   > > So that's another reason not to make libravatar the default provider.
>
> I don't know about libravatar, but ISTR that gravatar was found
> to do some sort of surveillance of users.

I'm not sure if it was proven, but just like Google Analytics or the
Facebook Like-button, they offer a service with a hidden fee -- that
they can or cannot exploit. 

In the case of Emacs' Gravatar Integration, they get "notified" whenever
someone opens a message from person X (at least once), meaning they
could more easily reconstruct a database of who communicates with whom.

> Is that correct?  Was libravatar intended as a replacement to respect
> users' privacy more than gravatar?

>From libravatar's web page:

        FREEDOM AND FEDERATION

        How is Libravatar different from Gravatar though? The main
        difference is that while Libravatar.org is an online avatar
        hosting service just like Gravatar, the software that powers the
        former is also available for download under a free software
        license.

        Why would you want to run your own instance? Our belief is that
        centralised approaches don't put users in control. If you own
        your own domain name, you control how mail is delivered to your
        domain. You should also be able to control how avatars are
        served to other websites.

So kind of, thought it seems to be more about controlling the software
you use than privacy per se.

> But it seems there is a problem with using libravatar, right?

Yes, the same attack as above with Gravatar (getting notified when you
open a message), just that a third party can set up their own libravatar
server and get notified when I open their email, instead of one
centralised service. So kind of like tracking bits in HTML messages.

> If that is the case, we should not think of "use gravatar"
> as a _solution_.  It might fix an urgent problem, but we
> would not want it as a permanent change.  A real solution 
> is to make libravatar work well.

That would require an architectural change to libravatar itself. It's
current mechanism to retrieve an image for user@domain.tld is:

1. Check if domain.tld has a libravatar service (via DNS)
2. If yes, use that server, otherwise default to libravatar's server
3. Send a request to the server using the MD5/SHA256 hash of
   user@domain.tld

Steps 1./2. are the trick to federation, but the crux of the issue as
well. 

> If what is needed is async DNS lookup, how about running
> a shell command asynchronously to do it?

I guess that would also be possible, but wouldn't that require a DNS
tool to be installed on the system?

-- 
        Philip K.