[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Making GNUS continue to work with Gmail

From: Gregory Heytings
Subject: Re: Making GNUS continue to work with Gmail
Date: Tue, 18 Aug 2020 09:15:12 +0000
User-agent: Alpine 2.21 (NEB 202 2017-01-01)

> "will have to run _that same_ nonfree software to start": no. For > solution (1), it is necessary to use > https://console.developers.google.com to "create" an app

We are miscommunicaing here. I am talking about option (2), where the user only has to log in and permit access to per account via the already-existing app. (Or at least, that's what I think you said.)

I'm not talking about option (1) since it is totally unacceptable.

It was not clear at all until now that option (1) was totally unacceptable.

What we avoid on principle is the situation where use of our software depends on running nonfree software. For one person to run nonfree software once, to make it unnecessary for others to run it, is the sort of situation which we consider a legitimate exception.

Okay, I was not aware of that subtlety.

Also, I am not convinced it has to be done by "someone from [the GNU Project], or on behalf of [the GNU Project]".

Well, this is what happened for Kmail, Thunderbird and others. The person who applies to have an app approved by Google becomes legally responsible of the use of the OAuth credentials received at the end of the process. In the case of an app that is used by many people around the world, this should be a legal person, not an individual.

Moreover one of the (possible) steps in having Google approve an app is to have the code of the app reviewed by security experts, and it is the person who applies to have an app approved who has to pay for this. Again this cannot be an individual.

Writing the privacy policy is also something that an individual cannot do, and that is required by Google.

It could be anyone who wants to keep using GNUS with Gmail (and is willing to sometimes run Gmail's nonfree JS code). If someone does this and sends us some data, we can use it.

Yes, if they agree to take the legal responsibility of the use of these credentials, and if they pay if Google wants to have the code of the program reviewed by security experts.

This brings me to another issue that may be harder to work around. What conditions would someone have to agree to when requesting Google's approval for an app? There could be something morally unacceptable in that. Though it does matter who would have to agree to it.

I gave some indications above.  But I'm not a lawyer.

Here's an idea. Is it possible to modify Kmail so that it does the necessary low-level access, and nothing else? Delete the code for displaying an editing mail. This drastically modified version of Kmail would satisfy Kmail's license. GNUS and Rmail could use it, much as they used to use movemail.

It's an idea indeed, but I fear it is not a good one. It means at least that:

(1) The KDE foundation would become legally responsible of the use of the OAuth credentials by people outside of the KDE project. They would most likely officially ask you to stop using their credentials. If you did not agree, the risk for them is that their credentials would be revoked by Google.

(2) During the OAuth grant process (when a user adds an account to their email client), the OAuth credentials are used to identify the app. In other words, with your idea the Gnus user would be presented with a screen which says "The app Kmail wants to access your email. Approve?". A Gnus user would not know what "Kmail" is, or at least would be reluctant to click on "Approve".


reply via email to

[Prev in Thread] Current Thread [Next in Thread]