bug-gnu-emacs

bug#9113: 24.0.50; auth-sources: .authinfo versus .authinfo.gpg


From: Stefan Monnier
Subject: bug#9113: 24.0.50; auth-sources: .authinfo versus .authinfo.gpg
Date: Thu, 26 Jan 2012 16:41:19 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.92 (gnu/linux)

SM> That might be a good option.
> It works fairly well but it's hacky, and can't be shared with other
> programs.

Indeed, it's a major downside.

> I'd like to implement it with libnettle at least, so it doesn't depend
> on the external gpg utility.

But that would make it work even less with other programs.

LI> Yes.  But it will require the user to type in a password to get to the
LI> password.  :-)  And again, programs like Firefox default to storing the
LI> passwords in non-encrypted files, so I don't really see why Emacs should
LI> be more difficult to use than Firefox.

I don't know about you, but I don't let Firefox store my mailbox's
password.  I have a lot of passwords stored in Firefox's database, but
they're all things I don't really care about (e.g. passwords to log into
some stupid web-forums).

SM> Another option (the better long-term option) is to use an external
SM> keychain service to handle these issues.  That's what we should focus on
SM> for the "next time".
> Do you mean gpg-agent or the OS keychain?

I mean the keychain.

> Neither is available on all platforms consistently.

AFAIK all platforms have a keychain nowadays and it's the best place to
put sensitive passwords such as the ones used to access your IMAP server.

>>> IIRC for 23 the default was to keep the password for the current session
>>> and not to store it in any file at all.  I think it's a better default
>>> than writing it in clear in some file, so at least for 24.1 reverting to
>>> the Emacs-23 default is very attractive.
LI> Well, Emacs 23 just made you write the .authinfo file by hand.  Emacs 24
LI> prompts you for whether you want to store the password or not.  If you
LI> don't want to, say "n".

Yes, I guess it's good enough.

> One possible flow:
> If the user says `y' then we can ask (if `auth-sources' is 'ask) 
> "Do you want to keep your passwords in a GPG-encrypted file?"

> If they say `y' then set `auth-sources' to "~/.authinfo.gpg" and check
> that EPA/EPG are enabled. If GPG is not available, what do we do? Use
> libnettle? Or explain and pretend they said `n'?

If GPG is not available, ask a different question, as in "It will be
saved in cleartext, is that OK?"


        Stefan




