Re: Proposal for an Emacs User Survey

[Jean Louis]

* Richard Stallman <rms@gnu.org> [2020-10-18 07:17]:
> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> 
> 1. Looking for free password managers on GNU/Linux makes sense,
> and perhaps developing another would be useful.

There are many password managers as free software including those that
work on various operating system and mobile devices.

There is GNU password manager:
https://www.gnu.org/software/gnu-pw-mgr/

There are GUI password managers in Gnome and KDE, there is
closs-platform keepass and many others:

pass - lightweight directory-based password manager
passwordsafe - Simple & Secure Password Management
qtpass - GUI for password manager pass
gnome-pass-search-provider - GNOME Shell search provider for the pass
password manager
impass - Simple and secure password management and retrieval system
ylva - command line password manager

What the proprietary software lastpass do, they provide online cloud
service for people to store passwords so that they are accessible from
various devices. Maybe 60 million people use that software.

As I am not of opinion that passwords should be stored online, I will
not say that such software is necessary. Other people will argue it is
necessary.

Additionally there are password management packages for Emacs out
there that do not use proprietary software.

There is Syncthing free software package that can synchronize files
across devices, it could also synchronize passwords, it would not be
well integrated.

> 2. If and when the free password managers are miles above lastpass, it
> could happen that no one has a rational use for lastpass except due to
> habit.

There is no rational use to store passwords at centralized server by
using proprietary software, as one cannot know exactly how they
encrypt those passwords, neither is management of their server and
breahes of security transparent.

What can make sense in free software world is cross platform password
manager that users can host on their own server while knowing what
type of encryption is used there.

> If and when that happens, perhaps people could modify the Lisp package
> for using lastpass so that it clearly informs users, that lastpass is
> not worth even trying and they should instead try the free password
> managers X, Y, Z.

That is good idea, MELPA can be replicated and some packages could be
automated to be made unusable with such warning.

> 3. Once that change is, perhaps that Lisp package would be so unlikely
> to lead anyone to use lastpass that we would have no reason to worry
> about informing users about its existence.  In particular, it would
> not be a flaw in MELPA that MELPA contains it.

It would not be flaw if package author would agree with you. The fact
that package author made the package shows that there is opinion
difference, so it cannot work that way. It can only work by third
party that is not MELPA, to duplicate MELPA and offer it in safe way
to users.

> 5. If someday MELPA contains no programs that might lead users
> to use a nonfree program, another one might be added at any time.
> As long as the MELPA maintainers say it is ok to add such packages,
> we have to suppose that more such packages may be added.

That is right, exactly that is the problem, they consider if software
package is GNU GPL, that it is enough regardless if package is
subjugating user.

What I consider larger problem at hand is that MELPA is developed on
Github, Emacs package contributors have to use none free Javascript to
become developers and they all bind themselves to centralized
development system held by Microsoft.