[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Making GNUS continue to work with Gmail

From: Cesar Crusius
Subject: Re: Making GNUS continue to work with Gmail
Date: Sat, 15 Aug 2020 12:39:55 -0700
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Richard Stallman <rms@gnu.org> writes:

>> It looks like this approach keeps popping up as a "possible
>> solution," so I'll just point out again that this is _already
>> implemented_ in the package above, and is being used by various people
>> to make Gnus work with Gmail and XOAuth2. The discussion here is about
>> how to _avoid_ having to do that.
> What IS "this approach"?  Does it get a key that GNUS can use for everyone?
> Does it have each user get a key from Google?

Others already replied, but in any case: the approach I and Lars were replying 
to and was quoted in my message, namely

>>> Yeah, we could just use that and tell the users to "just" register their
>>> own developer accounts at Google and then put the keys somewhere.  It's
>>> a really really horrid experience to go through, though, and Google will
>>> sic an API compliancy review at the users at random.

... so each user gets a key from Google. The procedure for doing so is 
documented in the auth-source-xoauth2 package. The only difference between this 
and the "one key GNUS can use for everyone" approach is that the latter 
requires (a) an official, Google-approved, GNUS/Emacs app registered from which 
keys can be shared, and (b) a key sharing mechanism.

From what I've seen from Kmail/Kontact/KPim/etc replies, (a) and (b) is exactly 
what they are doing, and there's no way around this. The only question is how 
to achieve those in a way that is compatible with both Google terms and FSF 
requirements, if there is such a way. Thunderbird "achieves" (b) by having 
"secret" keys in source code. I don't know what the K* applications do, it did 
not seem to be specified in their discussions.

In any case, (b), which seems to be the unsolvable puzzle, isn't even worth 
pursuing if (a) is not doable under FSF requirements, and that is something 
that only somebody from the FSF can determine.

Looks to me like the most direct course of action here would be for somebody 
from the FSF to contact *Google themselves* and ask them for guidance on how to 
make libre software make use of OAuth2 authentication. They may say "can't be 
done, we won't allow it," but at least the discussion will have an official 
resolution then and there.

Cesar Crusius

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]