emacs-devel

Re: Proposal for an Emacs User Survey


From: Thibaut Verron
Subject: Re: Proposal for an Emacs User Survey
Date: Sat, 17 Oct 2020 08:42:16 +0200

On Sat, 17 Oct 2020 at 07:44, Jean Louis <bugs@gnu.support> wrote:
>
> * Thibaut Verron <thibaut.verron@gmail.com> [2020-10-17 07:50]:
> > I gave my reasons above. It's not just about "helping users", it's
> > about helping them move more of their activities to the free world.
> > Those packages (helm-lastpass, lastpass) are helping users who already
> > use lastpass at the moment do exactly that.
> >
> > > Nonfree
> > > software is an injustice -- nonfree software subjugates users.
> > > Our goal is to _eradicate it_.
> >
> > Again, the same question: by arranging for links to such software to
> > be removed everywhere? Or by offering free alternatives?
> >
> > Incidentally, I see a lot of effort so far discussing how evil
> > helm-lastpass and lastpass are, and how to get them moved to obscure
> > parts of the internet. What I don't see is efforts discussing free
> > alternatives.
>
> There are many password managers in any GNU/Linux system, including, I
> am sure, and there are cross platform free software password managers
> such as keepass, then there are packages that can manage passwords
> with Emacs only, those may not be well integrated, then both KDE/Gnome
> have their password managers, each browser has its password managers.

Can you use Keepass with Emacs? Can you use Keepass on a phone? Can
you use it on a computer without root access?

> both KDE/Gnome have their password managers

Can you use them with Emacs? Can you use them on a phone?

> each browser has its password managers.

I don't know what Edge does, and Chrome and Chromium use Google
services for their password manager.

Firefox offers Lockwise and Opera also has its in-house method, which
at least work on phones (afaik). But then they require storage in the
cloud in the same way as Lastpass. And can you use them with Emacs?

I mentioned it before, but as far as I know, the only free software
offering for a service similar to Lastpass is Bitwarden: free software
for both the client and the server with the possibility to self-host,
same features as Lastpass (including measuring the overall safety of
your passwords, which I don't think those other password managers do)
and same compatibility list.

Focusing efforts towards evaluating the freedom (freeness?) of
Bitwarden, and if applicable, extending the support for Bitwarden to
the level of that of emacs-lastpass would make it a lot easier to
convince users to abandon that bit of non-free software.

>
> Especially when we are talking about subject of password management,
> advising GNU Emacs users to keep their passwords online in a cloud,
> managed by proprietary software is very wrong.
>
> (...)
>
> From Wikipedia:
> https://en.wikipedia.org/wiki/LastPass
>
> https://en.wikipedia.org/wiki/LastPass#2011_security_incident
> https://en.wikipedia.org/wiki/LastPass#2015_security_breach
> https://en.wikipedia.org/wiki/LastPass#2016_security_incidents
> https://en.wikipedia.org/wiki/LastPass#2017_security_incidents
> https://en.wikipedia.org/wiki/LastPass#2019_security_incidents
>
> Those are only publicly announced security incidents. How many there
> are not announced?
>
> In that sense, knowing the background of the insecurities at the
> company producing proprietary software, the package lastpass for Emacs
> and helm-lastpass is only helping that company subjugate users to
> keep their passwords online and sooner or later abuse Emacs users.
>
> (...)
>
> At MELPA bug tracking, or Github issue tracker, the issue is closed,
> there was no question if the package "lastpass" is driving users to
> insecurities, issue was simply closed, without possibility to publish
> this exact information.

Yes yes, but that's still about the availability of and the problems
behind lastpass and the emacs packages. My question is about
alternatives.

Or, what would you tell users who currently use lastpass and
emacs-lastpass, after you tell them they should stop using lastpass?

Surely you don't want to convince them to use an inferior product just
for purity of software?

I would keep the issue of security incidents separate. Security flaws
are regularly found in both free and non-free software. Lastpass makes
it a policy to announce such breaches.

And 5 incidents in 9 years does not make Lastpass "known for security
incidents", not any more than OpenSSL would be known for security
incidents (even though in the same period, 6 flaws were found and
patched in OpenSSL).

> My system of keeping passwords is the file .passwords which is stored
> on encrypted partition. It is appendable only file by using chattr +a,
> and Emacs asks me for host name, username, email, etc. and it
> generates password which is appended to a file. Other simple function
> is grepping and finding list of passwords.

Do you use it across devices? On devices where you don't have root
access? On phones?

> It would be disaster to keep my 4362 passwords online

Assuming that sufficiently strong encryption is used, why exactly?

> Especially when we are talking about subject of password management,
> advising GNU Emacs users to keep their passwords online in a cloud,
> managed by proprietary software is very wrong.
>
> Thus there is no alternative to free software.

I don't see what it has to do with the question, but it is factually
wrong. There are plenty of alternatives to free software.


