Gnus development mailing list
* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
       [not found] <E1OwjUu-0007Om-00@quimby.gnus.org>
@ 2010-09-18  6:19 ` Ted Zlatanov
  2010-09-18 11:47   ` Lars Magne Ingebrigtsen
                     ` (2 more replies)
  0 siblings, 3 replies; 28+ messages in thread
From: Ted Zlatanov @ 2010-09-18  6:19 UTC (permalink / raw)
  To: Ding Mailing List

On Sat, 18 Sep 2010 00:33:36 +0200 Lars Magne Ingebrigtsen <larsi@quimbies.gnus.org> wrote: 

LMI>  	* auth-source.el (auth-sources): Add ~/.authinfo to the default, since
LMI>  	that's probably most useful for users.

LMI> -(defcustom auth-sources '((:source "~/.authinfo.gpg"))

LMI> +(defcustom auth-sources '((:source "~/.authinfo.gpg")
LMI> +			  (:source "~/.authinfo"))
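
Review bot: the added second entry, (:source "~/.authinfo"), puts an unencrypted file into the default search list, and nothing in the visible lines tells a user how it differs from the .gpg entry above it. Suggest a sentence in the defcustom docstring stating that ~/.authinfo is plain text and is only the second choice after ~/.authinfo.gpg, and saying the same in the ChangeLog entry, which currently gives only "most useful for users" as the reason.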

I was trying to discourage people from putting their password in an
unencrypted file.  So I'm sort of OK with making the unencrypted file
the second choice, but I'd like to at least warn the user.  WDYT?

Ted




* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-18  6:19 ` [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users Ted Zlatanov
@ 2010-09-18 11:47   ` Lars Magne Ingebrigtsen
  2010-09-20  2:30     ` Ted Zlatanov
  2010-09-18 12:50   ` Sebastian Krause
  2010-09-20 11:03   ` Robert Pluim
  2 siblings, 1 reply; 28+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-18 11:47 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> I was trying to discourage people from putting their password in an
> unencrypted file.  So I'm sort of OK with making the unencrypted file
> the second choice, but I'd like to at least warn the user.  WDYT?

If it could be done unobtrusively...  I don't really like software that
tells me that what I'm doing is stupid, even though it's right.  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-18  6:19 ` [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users Ted Zlatanov
  2010-09-18 11:47   ` Lars Magne Ingebrigtsen
@ 2010-09-18 12:50   ` Sebastian Krause
  2010-09-18 15:40     ` Lars Magne Ingebrigtsen
  2010-09-20 11:03   ` Robert Pluim
  2 siblings, 1 reply; 28+ messages in thread
From: Sebastian Krause @ 2010-09-18 12:50 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> wrote:
> I was trying to discourage people from putting their password in
> an unencrypted file.  So I'm sort of OK with making the
> unencrypted file the second choice, but I'd like to at least warn
> the user.  WDYT?

Personally, I don't like to enter my long GnuPG password every time
I start up Gnus. It's safe enough anyway because I use full disk
encryption with LUKS. Or maybe those passwords are not too important
because they're only for a simple Usenet server. So, warning users
shouldn't be too noisy because there might be good reasons of using
the unencrypted file.





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-18 12:50   ` Sebastian Krause
@ 2010-09-18 15:40     ` Lars Magne Ingebrigtsen
  2010-09-18 21:29       ` Sebastian Krause
  0 siblings, 1 reply; 28+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-18 15:40 UTC (permalink / raw)
  To: ding

Sebastian Krause <sebastian@realpath.org> writes:

> Personally, I don't like to enter my long GnuPG password every time
> I start up Gnus. It's safe enough anyway because I use full disk
> encryption with LUKS. Or maybe those passwords are not too important
> because they're only for a simple Usenet server. So, warning users
> shouldn't be too noisy because there might be good reasons of using
> the unencrypted file.

Yup.  If we're going to warn people about having "unsafe" passwords, it
shouldn't be intrusive.

And if there was a nice, painless road towards storing the passwords in
~/.authinfo.gpg, that would be nice.  That is, if the user is queried
for user name/password, then auth-source.el should store it encrypted,
and not in the plain ~/.authinfo file.

(At least it's not stored there when I try it, but I might just not have
stuff set up correctly.)

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-18 15:40     ` Lars Magne Ingebrigtsen
@ 2010-09-18 21:29       ` Sebastian Krause
  2010-09-18 21:31         ` Lars Magne Ingebrigtsen
  0 siblings, 1 reply; 28+ messages in thread
From: Sebastian Krause @ 2010-09-18 21:29 UTC (permalink / raw)
  To: ding

Lars Magne Ingebrigtsen <larsi@gnus.org> wrote:
> And if there was a nice, painless road towards storing the passwords in
> ~/.authinfo.gpg, that would be nice.  That is, if the user is queried
> for user name/password, then auth-source.el should store it encrypted,
> and not in the plain ~/.authinfo file.
>
> (At least it's not stored there when I try it, but I might just not have
> stuff set up correctly.)

However, I just saw that even in case of an encrypted
~/.authinfo.gpg it's pretty easy to find out my IMAP password if
Gnus is still running: It's simply shown in the *imap log*
buffer. It's probably because imap.gmail.com uses cleartext login
through SSL. Is there any way to not print out the password, but
some kind of placeholder instead?





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-18 21:29       ` Sebastian Krause
@ 2010-09-18 21:31         ` Lars Magne Ingebrigtsen
  0 siblings, 0 replies; 28+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-18 21:31 UTC (permalink / raw)
  To: ding

Sebastian Krause <sebastian@realpath.org> writes:

> It's simply shown in the *imap log* buffer.

That buffer won't be created once the initial nnimap problems have been
ironed out.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-18 11:47   ` Lars Magne Ingebrigtsen
@ 2010-09-20  2:30     ` Ted Zlatanov
  2010-09-20  8:14       ` Lars Magne Ingebrigtsen
                         ` (2 more replies)
  0 siblings, 3 replies; 28+ messages in thread
From: Ted Zlatanov @ 2010-09-20  2:30 UTC (permalink / raw)
  To: ding

On Sat, 18 Sep 2010 13:47:39 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> I was trying to discourage people from putting their password in an
>> unencrypted file.  So I'm sort of OK with making the unencrypted file
>> the second choice, but I'd like to at least warn the user.  WDYT?

LMI> If it could be done unobtrusively...  I don't really like software that
LMI> tells me that what I'm doing is stupid, even though it's right.  :-)

An unobtrusive warning?  That's pretty useless, better not to bother the
user.

On Sat, 18 Sep 2010 14:50:38 +0200 Sebastian Krause <sebastian@realpath.org> wrote: 

SK> Personally, I don't like to enter my long GnuPG password every time
SK> I start up Gnus.

It's entered once per Emacs session.  If that's too much use the Secrets
API (KWallet or Gnome Seahorse).

SK> It's safe enough anyway because I use full disk encryption with
SK> LUKS.

That's a completely different type of security, though it's useful too.
Your passwords are in the clear to anything running in your environment,
right?

SK> Or maybe those passwords are not too important because they're only
SK> for a simple Usenet server. So, warning users shouldn't be too noisy
SK> because there might be good reasons of using the unencrypted file.

It's a balancing act (and a familiar problem since I've been a sysadmin
for a long time).  I'll just be quiet about this as long as it's the
second default choice.

On Sat, 18 Sep 2010 17:40:23 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> And if there was a nice, painless road towards storing the passwords in
LMI> ~/.authinfo.gpg, that would be nice.  That is, if the user is queried
LMI> for user name/password, then auth-source.el should store it encrypted,
LMI> and not in the plain ~/.authinfo file.

auth-source.el has nothing to do with it.  All the work is done by
EPA/EPG and I'm intentionally keeping auth-source.el agnostic of
encryption issues beyond mentioning the .gpg extension.

On Sat, 18 Sep 2010 23:29:01 +0200 Sebastian Krause <sebastian@realpath.org> wrote: 

SK> However, I just saw that even in case of an encrypted
SK> ~/.authinfo.gpg it's pretty easy to find out my IMAP password if
SK> Gnus is still running: It's simply shown in the *imap log*
SK> buffer. It's probably because imap.gmail.com uses cleartext login
SK> through SSL. Is there any way to not print out the password, but
SK> some kind of placeholder instead?

If the attacker has any access to Emacs, he can sniff the encryption
passphrase from the auth-source.el cache.  Sorry but ELisp (in Emacs or
XEmacs) is just not a secure environment; auth-source.el tries to at
least make it less necessary to store your passwords in an unencrypted
location.  Its main purpose is to provide a single place for all ELisp
code to get authentication tokens.

Ted





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20  2:30     ` Ted Zlatanov
@ 2010-09-20  8:14       ` Lars Magne Ingebrigtsen
  2010-09-20 15:03         ` Ted Zlatanov
  2010-09-20 10:47       ` [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users Sebastian Krause
  2010-09-20 14:27       ` Richard Riley
  2 siblings, 1 reply; 28+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-20  8:14 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> LMI> And if there was a nice, painless road towards storing the passwords in
> LMI> ~/.authinfo.gpg, that would be nice.  That is, if the user is queried
> LMI> for user name/password, then auth-source.el should store it encrypted,
> LMI> and not in the plain ~/.authinfo file.
>
> auth-source.el has nothing to do with it.  All the work is done by
> EPA/EPG and I'm intentionally keeping auth-source.el agnostic of
> encryption issues beyond mentioning the .gpg extension.

I don't know what EPA/EPG is.  Will auth-source.el store the passwords
that are queried anywhere?  Like in the ~/.authinfo.gpg file?

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20  2:30     ` Ted Zlatanov
  2010-09-20  8:14       ` Lars Magne Ingebrigtsen
@ 2010-09-20 10:47       ` Sebastian Krause
  2010-09-20 14:59         ` Ted Zlatanov
  2010-09-20 14:27       ` Richard Riley
  2 siblings, 1 reply; 28+ messages in thread
From: Sebastian Krause @ 2010-09-20 10:47 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> wrote:
> SK> Personally, I don't like to enter my long GnuPG password every time
> SK> I start up Gnus.
>
> It's entered once per Emacs session.  If that's too much use the Secrets
> API (KWallet or Gnome Seahorse).

Yes, that's too much. :) However, I'm running Gnome with Seahorse
and it would be a good alternative. Does Gnus support it and if so,
how?





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-18  6:19 ` [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users Ted Zlatanov
  2010-09-18 11:47   ` Lars Magne Ingebrigtsen
  2010-09-18 12:50   ` Sebastian Krause
@ 2010-09-20 11:03   ` Robert Pluim
  2010-09-20 14:10     ` Richard Riley
  2010-09-20 15:26     ` Ted Zlatanov
  2 siblings, 2 replies; 28+ messages in thread
From: Robert Pluim @ 2010-09-20 11:03 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Sat, 18 Sep 2010 00:33:36 +0200 Lars Magne Ingebrigtsen <larsi@quimbies.gnus.org> wrote: 
>
> LMI>  	* auth-source.el (auth-sources): Add ~/.authinfo to the default, since
> LMI>  	that's probably most useful for users.
>
> LMI> -(defcustom auth-sources '((:source "~/.authinfo.gpg"))
>
> LMI> +(defcustom auth-sources '((:source "~/.authinfo.gpg")
> LMI> +			  (:source "~/.authinfo"))
>
> I was trying to discourage people from putting their password in an
> unencrypted file.  So I'm sort of OK with making the unencrypted file
> the second choice, but I'd like to at least warn the user.  WDYT?

Apropos, I have a ~/.authinfo which contains

machine myimapserver login myusername port imap

machine myimapserver login myusername port 993

machine myimapserver login myusername port imaps

And I *still* get prompted for both my username and password when
connecting to imap. What magic incantation am I missing? (and no, I'm
not going to be putting my password in that file).

Regards

Robert





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20 11:03   ` Robert Pluim
@ 2010-09-20 14:10     ` Richard Riley
  2010-09-20 14:59       ` Robert Pluim
  2010-09-20 15:26     ` Ted Zlatanov
  1 sibling, 1 reply; 28+ messages in thread
From: Richard Riley @ 2010-09-20 14:10 UTC (permalink / raw)
  To: Robert Pluim; +Cc: ding

Robert Pluim <rpluim@gmail.com> writes:

> Ted Zlatanov <tzz@lifelogs.com> writes:
>
>> On Sat, 18 Sep 2010 00:33:36 +0200 Lars Magne Ingebrigtsen <larsi@quimbies.gnus.org> wrote: 
>>
>> LMI>  	* auth-source.el (auth-sources): Add ~/.authinfo to the default, since
>> LMI>  	that's probably most useful for users.
>>
>> LMI> -(defcustom auth-sources '((:source "~/.authinfo.gpg"))
>>
>> LMI> +(defcustom auth-sources '((:source "~/.authinfo.gpg")
>> LMI> +			  (:source "~/.authinfo"))
>>
>> I was trying to discourage people from putting their password in an
>> unencrypted file.  So I'm sort of OK with making the unencrypted file
>> the second choice, but I'd like to at least warn the user.  WDYT?
>
> Apropos, I have a ~/.authinfo which contains
>
> machine myimapserver login myusername port imap
>
> machine myimapserver login myusername port 993
>
> machine myimapserver login myusername port imaps
>
> And I *still* get prompted for both my username and password when
> connecting to imap. What magic incantation am I missing? (and no, I'm
> not going to be putting my password in that file).
>
> Regards
>
> Robert
>

Hi Robert,

Some suggestions :

Change it to a .gpg file. Put it wherever you want and customise the
auth-sources variable accordingly. 

(I would expect to be prompted for userid and password if you don't
include passwords in a file that's supposed to include your authorities)

EPA is pretty seamless in 23 onwards.

No one should be using .authinfo IMO - .authinfo.gpg is the way forward
since it's publicly distributable (think free git repos) and not prey to
accidental chmods.
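
An added example, not code from this thread or from auth-source.el: a small Emacs Lisp audit that walks `auth-sources', skips .gpg files, and reports plaintext files that hold a `password' token or are accessible to group/others, logging to *Messages* only. All my/ names and the sample line's password value are constructed for illustration.

```elisp
;;; Added example; the my/ functions are hypothetical helpers,
;;; not part of auth-source.el or Gnus.
(require 'auth-source)

(defun my/authinfo-source-file (entry)
  "Return the file name named by auth-sources ENTRY, or nil.
ENTRY may be a plain string or a plist with a :source key, as in
the defcustom quoted in this thread."
  (let ((src (cond ((stringp entry) entry)
                   ((and (consp entry) (keywordp (car entry)))
                    (plist-get entry :source)))))
    (and (stringp src) src)))

(defun my/authinfo-has-password-p (file)
  "Return non-nil if FILE contains a netrc-style `password' token.
The file is read literally, so no file handler (EPA) is invoked."
  (with-temp-buffer
    (insert-file-contents-literally file)
    (goto-char (point-min))
    (re-search-forward "\\(?:^\\|[ \t]\\)password[ \t]+[^ \t\n]" nil t)))

(defun my/authinfo-audit-file (file)
  "Return a list of finding strings for FILE, or nil if nothing to report.
Files ending in .gpg and files that do not exist are skipped."
  (let ((path (expand-file-name file))
        findings)
    (when (and (file-regular-p path)
               (not (string-match-p "\\.gpg\\'" path)))
      (when (my/authinfo-has-password-p path)
        (push "stores a password unencrypted" findings))
      (let ((modes (file-modes path)))
        ;; Any bit in 077 means group or others can read, write or execute.
        (when (and modes (/= 0 (logand modes #o077)))
          (push (format "mode %o lets group/others access it" modes)
                findings))))
    (nreverse findings)))

(defun my/authinfo-audit (&optional sources)
  "Audit SOURCES (default `auth-sources'); return an alist (FILE . FINDINGS)."
  (let (report)
    (dolist (entry (or sources auth-sources))
      (let* ((file (my/authinfo-source-file entry))
             (findings (and file (my/authinfo-audit-file file))))
        (when findings
          (push (cons file findings) report))))
    (nreverse report)))

(defun my/authinfo-audit-report ()
  "Log findings for `auth-sources' to *Messages* without prompting."
  (interactive)
  (dolist (item (my/authinfo-audit))
    (message "auth-sources: %s: %s" (car item)
             (mapconcat #'identity (cdr item) "; "))))

(defun my/authinfo-audit-demo ()
  "Audit a constructed plaintext file next to a .gpg entry; return the report."
  (let ((plain (make-temp-file "authinfo-demo")))
    (unwind-protect
        (progn
          ;; Constructed sample line; the password value is a placeholder.
          (with-temp-file plain
            (insert "machine myimapserver login myusername "
                    "password not-a-real-secret\n"))
          (set-file-modes plain #o644)
          (my/authinfo-audit (list (list :source plain)
                                   '(:source "~/.authinfo.gpg"))))
      (delete-file plain))))
```

Evaluating (my/authinfo-audit-demo) returns one entry, for the temporary plaintext file, carrying both findings; the .gpg entry is never opened, so no passphrase prompt appears.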







* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20  2:30     ` Ted Zlatanov
  2010-09-20  8:14       ` Lars Magne Ingebrigtsen
  2010-09-20 10:47       ` [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users Sebastian Krause
@ 2010-09-20 14:27       ` Richard Riley
  2010-09-20 15:01         ` Ted Zlatanov
  2 siblings, 1 reply; 28+ messages in thread
From: Richard Riley @ 2010-09-20 14:27 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Sat, 18 Sep 2010 13:47:39 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 
>
> LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
>>> I was trying to discourage people from putting their password in an
>>> unencrypted file.  So I'm sort of OK with making the unencrypted file
>>> the second choice, but I'd like to at least warn the user.  WDYT?
>
> LMI> If it could be done unobtrusively...  I don't really like software that
> LMI> tells me that what I'm doing is stupid, even though it's right.  :-)
>
> An unobtrusive warning?  That's pretty useless, better not to bother the
> user.
>
> On Sat, 18 Sep 2010 14:50:38 +0200 Sebastian Krause <sebastian@realpath.org> wrote: 
>
> SK> Personally, I don't like to enter my long GnuPG password every time
> SK> I start up Gnus.
>
> It's entered once per Emacs session.  If that's too much use the Secrets
> API (KWallet or Gnome Seahorse).

I use gpg-agent and keychain.

The whole seahorse thing is a tad confusing, certainly in Debian. But
when I first start emacs and launch gnus I get prompted via gpg-agent
pin entry for my password to unencrypt my .authinfo.gpg and that's that
until the specified gpg-agent timeout is reached.

As a side note : my setting for auth-sources works in 23.2 with the
shipped gnus but doesn't seem to properly authenticate my local dovecot
nnimap accounts with nognus. 








* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20 10:47       ` [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users Sebastian Krause
@ 2010-09-20 14:59         ` Ted Zlatanov
  2010-09-20 18:40           ` Michael Albinus
  0 siblings, 1 reply; 28+ messages in thread
From: Ted Zlatanov @ 2010-09-20 14:59 UTC (permalink / raw)
  To: ding

On Mon, 20 Sep 2010 12:47:42 +0200 Sebastian Krause <sebastian@realpath.org> wrote: 

SK> Ted Zlatanov <tzz@lifelogs.com> wrote:
SK> Personally, I don't like to enter my long GnuPG password every time
SK> I start up Gnus.
>> 
>> It's entered once per Emacs session.  If that's too much use the Secrets
>> API (KWallet or Gnome Seahorse).

SK> Yes, that's too much. :) However, I'm running Gnome with Seahorse
SK> and it would be a good alternative. Does Gnus support it and if so,
SK> how?

The Secrets API is supported in recent builds on Seahorse AFAIK; I don't
know how far back the support goes.  To use it, customize `auth-sources'.

This is not a Gnus function per se.  auth-source.el is consulted by Gnus
but is used by other packages as well, e.g. url.el and Tramp.

Ted





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20 14:10     ` Richard Riley
@ 2010-09-20 14:59       ` Robert Pluim
  0 siblings, 0 replies; 28+ messages in thread
From: Robert Pluim @ 2010-09-20 14:59 UTC (permalink / raw)
  To: ding

Richard Riley <rileyrg@googlemail.com> writes:

> Robert Pluim <rpluim@gmail.com> writes:
>> And I *still* get prompted for both my username and password when
>> connecting to imap. What magic incantation am I missing? (and no, I'm
>> not going to be putting my password in that file).
>>
>
> Hi Robert,
>
> Some suggestions :
>
> Change it to a .gpg file. Put it wherever you want and customise the
> auth-sources variable accordingly. 
>
> (I would expect to be prompted for userid and password if you don't
> include passwords in a file that's supposed to include your authorities)
>

And I would expect to be prompted for the password if I don't supply it
but do supply a username, which is what I'm pretty sure used to happen
in the past when using imap (admittedly probably 2 years ago). No
accounting for taste ;-)

> EPA is pretty seamless in 23 onwards.
>
> No one should be using .authinfo IMO - .authinfo.gpg is the way forward
> since it's publicly distributable (think free git repos) and not prey to
> accidental chmods.

I suppose I can investigate that, assuming I can get it to work under
cygwin.

Thanks

Robert





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20 14:27       ` Richard Riley
@ 2010-09-20 15:01         ` Ted Zlatanov
  2010-09-20 15:29           ` Richard Riley
  0 siblings, 1 reply; 28+ messages in thread
From: Ted Zlatanov @ 2010-09-20 15:01 UTC (permalink / raw)
  To: ding

On Mon, 20 Sep 2010 16:27:31 +0200 Richard Riley <rileyrg@googlemail.com> wrote: 

RR> As a side note : my setting for auth-sources works in 23.2 with the
RR> shipped gnus but doesn't seem to properly authenticate my local dovecot
RR> nnimap accounts with nognus. 

I could test it if you showed your `auth-sources', the relevant line of
your authinfo file, and the messages in *Messages* produced by
auth-source when it looks up the server by name.

Thanks
Ted





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20  8:14       ` Lars Magne Ingebrigtsen
@ 2010-09-20 15:03         ` Ted Zlatanov
  2010-09-25 12:47           ` Gijs Hillenius
  0 siblings, 1 reply; 28+ messages in thread
From: Ted Zlatanov @ 2010-09-20 15:03 UTC (permalink / raw)
  To: ding

On Mon, 20 Sep 2010 10:14:22 +0200 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
LMI> And if there was a nice, painless road towards storing the passwords in
LMI> ~/.authinfo.gpg, that would be nice.  That is, if the user is queried
LMI> for user name/password, then auth-source.el should store it encrypted,
LMI> and not in the plain ~/.authinfo file.
>> 
>> auth-source.el has nothing to do with it.  All the work is done by
>> EPA/EPG and I'm intentionally keeping auth-source.el agnostic of
>> encryption issues beyond mentioning the .gpg extension.

LMI> I don't know what EPA/EPG is.

It's a transparent encryption/decryption layer at the file handler level
that comes with Emacs and gets triggered by the .gpg extension.  See
(info "(epa) Top") for more.  I put some info in the auth-source.el
manual as well, see (info "(auth) Help for users")

LMI> Will auth-source.el store the passwords that are queried anywhere?
LMI> Like in the ~/.authinfo.gpg file?

It caches them but doesn't save them.

Ted





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20 11:03   ` Robert Pluim
  2010-09-20 14:10     ` Richard Riley
@ 2010-09-20 15:26     ` Ted Zlatanov
  2010-09-20 15:43       ` Tibor Simko
                         ` (2 more replies)
  1 sibling, 3 replies; 28+ messages in thread
From: Ted Zlatanov @ 2010-09-20 15:26 UTC (permalink / raw)
  To: ding

On Mon, 20 Sep 2010 13:03:38 +0200 Robert Pluim <rpluim@gmail.com> wrote: 

RP> Apropos, I have a ~/.authinfo which contains

RP> machine myimapserver login myusername port imap

RP> machine myimapserver login myusername port 993

RP> machine myimapserver login myusername port imaps

RP> And I *still* get prompted for both my username and password when
RP> connecting to imap. What magic incantation am I missing? (and no, I'm
RP> not going to be putting my password in that file).

It assumes you have both or neither in the file.  Can you try this
version of nnimap-credentials (press `C-x C-e' after the closing
parenthesis)?

(defun nnimap-credentials (address ports)
  (let (port credentials)
    ;; Request the credentials from all ports, but only query on the
    ;; last port if all the previous ones have failed.
    (while (and (null credentials)
                (setq port (pop ports)))
      (setq credentials
            (or
             (auth-source-user-or-password
              '("login" "password") address port nil (null ports))
             (auth-source-user-or-password
              '("login") address port nil (null ports)))))
    credentials))

I don't think the general solution is to return ("myusername" nil) in
such cases.  It seems to me that if the application asks for two
authentication tokens, it expects them both to be valid.

Thanks
Ted





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20 15:01         ` Ted Zlatanov
@ 2010-09-20 15:29           ` Richard Riley
  0 siblings, 0 replies; 28+ messages in thread
From: Richard Riley @ 2010-09-20 15:29 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> On Mon, 20 Sep 2010 16:27:31 +0200 Richard Riley <rileyrg@googlemail.com> wrote: 
>
> RR> As a side note : my setting for auth-sources works in 23.2 with the
> RR> shipped gnus but doesn't seem to properly authenticate my local dovecot
> RR> nnimap accounts with nognus. 
>
> I could test it if you showed your `auth-sources', the relevant line of
> your authinfo file, and the messages in *Messages* produced by
> auth-source when it looks up the server by name.
>

The select method connects to a dovecot virtual user via the name part (here
"riley") :-

,----
|   (add-to-list 'gnus-secondary-select-methods
|                `(nnimap "riley"
|                         (nnimap-address "offlineimap")
|                         (nnir-search-engine imap)
|                         (nnimap-stream network)
|                         ))
`----

The auth-sources value is :-

,----
| auth-sources is a variable defined in `auth-source.el'.
| Its value is 
| ((:source "/home/shamrock/.emacs.d/.authinfo.gpg" :host t :protocol t))
`----

The relevant line in .authinfo.gpg is :-

,----
| machine riley login riley password pass1
`----

The relevant /etc/dovecot.pass entry is

,----
| riley:{plain}pass1
`----

The relevant auth default pass set up in dovecot.conf  for virtual users

,----
|   passdb passwd-file {
|      args = /etc/dovecot.pass
|   }
|   userdb static {
|     args = uid=1000 gid=1000 home=/home/shamrock/.Maildir/%u
|   }
`----

All works with gnus in emacs 23.2

With nognus I don't see anything other than INBOX.





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20 15:26     ` Ted Zlatanov
@ 2010-09-20 15:43       ` Tibor Simko
  2010-09-20 15:53       ` Robert Pluim
  2010-09-21 16:19       ` Lars Magne Ingebrigtsen
  2 siblings, 0 replies; 28+ messages in thread
From: Tibor Simko @ 2010-09-20 15:43 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: ding

On Mon, 20 Sep 2010, Ted Zlatanov wrote:
> I don't think the general solution is to return ("myusername" nil) in
> such cases.  It seems to me that if the application asks for two
> authentication tokens, it expects them both to be valid.

BTW `smtpmail-auth-credentials' allows to use nil for the password
in which case the user is prompted for one.

Best regards
-- 
Tibor Simko




* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20 15:26     ` Ted Zlatanov
  2010-09-20 15:43       ` Tibor Simko
@ 2010-09-20 15:53       ` Robert Pluim
  2010-09-21 16:19       ` Lars Magne Ingebrigtsen
  2 siblings, 0 replies; 28+ messages in thread
From: Robert Pluim @ 2010-09-20 15:53 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> version of nnimap-credentials (press `C-x C-e' after the closing
> parenthesis)?
>
> (defun nnimap-credentials (address ports)
>   (let (port credentials)
>     ;; Request the credentials from all ports, but only query on the
>     ;; last port if all the previous ones have failed.
>     (while (and (null credentials)
> 		(setq port (pop ports)))
>       (setq credentials
> 	    (or
>              (auth-source-user-or-password
>               '("login" "password") address port nil (null ports))
>              (auth-source-user-or-password
>               '("login") address port nil (null ports)))))
>     credentials))
>
> I don't think the general solution is to return ("myusername" nil) in
> such cases.  It seems to me that if the application asks for two
> authentication tokens, it expects them both to be valid.

That version of nnimap-credentials causes me to not get prompted for
anything, and the connection to my imap server to fail. The *nnimap
buffer contains:

    1 NO LOGIN failed.
    
    Process *nnimap* kill

so either more code changes are required, or I should use
authinfo.gpg (assuming the combination-from-hell of XEmacs & cygwin
supports it).

Thanks

Robert





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20 14:59         ` Ted Zlatanov
@ 2010-09-20 18:40           ` Michael Albinus
  0 siblings, 0 replies; 28+ messages in thread
From: Michael Albinus @ 2010-09-20 18:40 UTC (permalink / raw)
  To: Ted Zlatanov; +Cc: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

> The Secrets API is supported in recent builds on Seahorse AFAIK; I don't
> know how far back the support goes.

Gnome 2.29, IIRC.

> Ted

Best regards, Michael.




* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20 15:26     ` Ted Zlatanov
  2010-09-20 15:43       ` Tibor Simko
  2010-09-20 15:53       ` Robert Pluim
@ 2010-09-21 16:19       ` Lars Magne Ingebrigtsen
  2 siblings, 0 replies; 28+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-21 16:19 UTC (permalink / raw)
  To: ding

Ted Zlatanov <tzz@lifelogs.com> writes:

>              (auth-source-user-or-password
>               '("login" "password") address port nil (null ports))

If the application asks for "login" and "password", but it can only find
one of them in the files (etc), shouldn't it just prompt for the thing
it can't find?  In this case, it finds the login name in .authinfo, but
not the password, so it should prompt for the password and then cache
it.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen
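
The two lookup behaviours debated above, as an added example that is not Gnus or auth-source.el code: a stand-alone netrc-line parser with a strict both-or-neither lookup next to one that prompts only for the missing token. The my/ functions are hypothetical, the sample is constructed from the entries quoted in this thread, and treating an entry without a `port' field as matching any port is an assumption.

```elisp
;;; Added example; the my/ names are hypothetical, not auth-source.el API.

(defconst my/netrc-sample
  "machine myimapserver login myusername port imap
machine myimapserver login myusername port 993
machine myimapserver login myusername port imaps
machine riley login riley password pass1"
  "Constructed sample built from the entries quoted in this thread.")

(defun my/netrc-parse (text)
  "Parse netrc-style TEXT into a list of alists, one per non-empty line."
  (let (entries)
    (dolist (line (split-string text "\n" t))
      (let ((tokens (split-string line "[ \t]+" t))
            entry)
        ;; Tokens come in KEY VALUE pairs; a trailing odd token is dropped.
        (while (cdr tokens)
          (push (cons (car tokens) (cadr tokens)) entry)
          (setq tokens (cddr tokens)))
        (when entry
          (push (nreverse entry) entries))))
    (nreverse entries)))

(defun my/netrc-lookup (entries host port wanted)
  "Look up the WANTED tokens for HOST and PORT in ENTRIES.
Return (FOUND . MISSING): FOUND is an alist of the tokens present in
the first matching entry, MISSING the tokens that entry lacks.
Assumption: an entry without a port field matches any port."
  (let (match)
    (dolist (entry entries)
      (when (and (null match)
                 (equal (cdr (assoc "machine" entry)) host)
                 (let ((p (cdr (assoc "port" entry))))
                   (or (null p) (equal p port))))
        (setq match entry)))
    (let (found missing)
      (dolist (token wanted)
        (let ((cell (assoc token match)))
          (if cell
              (push cell found)
            (push token missing))))
      (cons (nreverse found) (nreverse missing)))))

(defun my/credentials-strict (entries host port)
  "Both-or-neither lookup: return (LOGIN PASSWORD), or nil if either is absent."
  (let* ((result (my/netrc-lookup entries host port '("login" "password")))
         (found (car result)))
    (and (null (cdr result))
         (list (cdr (assoc "login" found))
               (cdr (assoc "password" found))))))

(defun my/credentials-prompt-missing (entries host port prompt-fn)
  "Use what the file provides and call PROMPT-FN only for missing tokens.
PROMPT-FN receives the token name and returns the value to use; an
interactive caller would pass a function built on `read-passwd'."
  (let* ((result (my/netrc-lookup entries host port '("login" "password")))
         (found (car result)))
    (dolist (token (cdr result))
      (push (cons token (funcall prompt-fn token)) found))
    (list (cdr (assoc "login" found))
          (cdr (assoc "password" found)))))

(defun my/credentials-demo ()
  "Run both lookups on the login-only entry; return (STRICT RELAXED ASKED)."
  (let ((entries (my/netrc-parse my/netrc-sample))
        (asked nil))
    (list (my/credentials-strict entries "myimapserver" "imap")
          (my/credentials-prompt-missing
           entries "myimapserver" "imap"
           ;; Stand-in prompt that records which tokens were requested.
           (lambda (token)
             (push token asked)
             (format "<prompted %s>" token)))
          asked)))
```

For the login-only entry the strict lookup yields nil, so the caller has to ask for both values, while the second lookup keeps the stored login and requests only the password.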





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-20 15:03         ` Ted Zlatanov
@ 2010-09-25 12:47           ` Gijs Hillenius
  2010-09-25 13:56             ` Lars Magne Ingebrigtsen
  2010-09-25 15:12             ` Ted Zlatanov
  0 siblings, 2 replies; 28+ messages in thread
From: Gijs Hillenius @ 2010-09-25 12:47 UTC (permalink / raw)
  To: ding

On 20 Sep 2010, Ted Zlatanov wrote:


[...]

>>> auth-source.el has nothing to do with it.  All the work is done by
>>> EPA/EPG and I'm intentionally keeping auth-source.el agnostic of
>>> encryption issues beyond mentioning the .gpg extension.

[...]

> LMI> Will auth-source.el store the passwords that are queried anywhere?
> LMI> Like in the ~/.authinfo.gpg file?
>
> It caches them but doesn't save them.

Hello

I wonder about this caching. I've been reading the manual, and wonder if
I understand it correctly. I think I'm following 'the simple' example in
the docs.

my .authinfo.gpg contains two lines
machine 1 (mail)
machine 2 (usenet)

And Gnus accesses three machines, news, mail and gmane (among others for
reading this Ding here).

Now, Gnus at start-up currently asks me *six* times to decrypt
~/.authinfo.gpg and twice more when I send an email / news. I have cache
enabled, so I expected to be prompted just once, per Emacs session. Or
something.

in .emacs
,----
|  (require 'epa-file) (epa-file-enable)
| (setq epa-file-cache-passphrase-for-symmetric-encryption t)
`----

in .gnus

,----
| (setq auth-sources '((:source "~/.authinfo.gpg")))
`----






-- 
Anyone who goes to a psychiatrist ought to have his head examined.
		-- Samuel Goldwyn





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-25 12:47           ` Gijs Hillenius
@ 2010-09-25 13:56             ` Lars Magne Ingebrigtsen
  2010-09-25 15:12             ` Ted Zlatanov
  1 sibling, 0 replies; 28+ messages in thread
From: Lars Magne Ingebrigtsen @ 2010-09-25 13:56 UTC (permalink / raw)
  To: ding

Gijs Hillenius <gijs@hillenius.net> writes:

> Now, Gnus at start-up currently asks me *six* times to decrypt
> ~/.authinfo.gpg and twice more when I send an email / news. I have cache
> enabled, so I expected to be prompted just once, per Emacs session. Or
> something.
>
> in .emacs
> ,----
> |  (require 'epa-file) (epa-file-enable)
> | (setq epa-file-cache-passphrase-for-symmetric-encryption t)
> `----

I hadn't used the .gpg stuff before, so I just tried saving ~/.foo.gpg.
It asked me for a passphrase, and then saved the file.  If I've set the
passphrase caching thing like you, I'm then only asked a single time per
Emacs session for the phrase.

(insert-file-contents "~/.foo.gpg")

works fine, too.

Are you sure that you're using the epa-file supplied with Emacs, and
not...  something else?

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
  2010-09-25 12:47           ` Gijs Hillenius
  2010-09-25 13:56             ` Lars Magne Ingebrigtsen
@ 2010-09-25 15:12             ` Ted Zlatanov
       [not found]               ` <87mxr46gv9.fsf@hillenius.net>
  1 sibling, 1 reply; 28+ messages in thread
From: Ted Zlatanov @ 2010-09-25 15:12 UTC (permalink / raw)
  To: ding

On Sat, 25 Sep 2010 14:47:23 +0200 Gijs Hillenius <gijs@hillenius.net> wrote: 

GH> Now, Gnus at start-up currently asks me *six* times to decrypt
GH> ~/.authinfo.gpg and twice more when I send an email / news. I have cache
GH> enabled, so I expected to be prompted just once, per Emacs session. Or
GH> something.

GH> in .emacs
GH> ,----
GH> |  (require 'epa-file) (epa-file-enable)
GH> | (setq epa-file-cache-passphrase-for-symmetric-encryption t)
GH> `----

There are two kinds of caching we're talking about, unfortunately.  The
one I mentioned in this thread was username and password caching, so
authinfo doesn't have to parse the netrc repeatedly.

The one giving you trouble is the EPA passphrase caching, which is
external to auth-source.el.  AFAIK it works and I use it daily, so you
may want to check your EPA version (as Lars suggested) and possibly
submit a bug for EPA.

Ted





* Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.
       [not found]               ` <87mxr46gv9.fsf@hillenius.net>
@ 2010-09-26 12:27                 ` Ted Zlatanov
  2010-09-26 12:38                   ` tls.el I added '--insecure' (Was :Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.) Gijs Hillenius
  0 siblings, 1 reply; 28+ messages in thread
From: Ted Zlatanov @ 2010-09-26 12:27 UTC (permalink / raw)
  To: Gijs Hillenius; +Cc: Ding Mailing List

On Sun, 26 Sep 2010 10:36:42 +0200 Gijs Hillenius <gijs@hillenius.net> wrote: 

GH> Doing this off-list, hope that is ok. I'll bring it there when I feel
GH> confident my contribution is useful.

No, please use the ding list.  I use GMane so if you send me e-mail I
may not notice it for a while, and you'll feel ignored :)  I've done
that unintentionally to a few people already.  So I hope you don't mind
but I've cc-ed ding back.

GH> Yet, just now, all of a sudden, I realised:

GH> In *Messages* I get:

GH> Opening TLS connection to `mail.hillenius.net'...
GH> Opening TLS connection with `gnutls-cli -p imaps mail.hillenius.net'...failed
GH> Opening TLS connection with `gnutls-cli -p imaps mail.hillenius.net --protocols ssl3'...failed
GH> Opening TLS connection with `openssl s_client -connect mail.hillenius.net:imaps -no_ssl2 -ign_eof'...done

GH> That is two fails and an "error but I'll ignore it". Could *that* explain
GH> why my .authinfo.gpg gets accessed *three* times? So far my explanation
GH> was that I'm accessing /three/ servers, a) xs4all 4 news, b)
GH> hillenius.net 4 mail and c) gmane 4 ding...

It should get opened once per server+port combination.  But even that's
not necessary: we should look at the file age and know if it needs to be
reopened in auth-source.  I want to fix the auth-source issues you and
others have reported, now that the (broken) GnuTLS support is checked
in, so I'll work on that over the next few days.

Ted
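
Two ideas from this thread, prompting only for the field that was not found (Lars, 2010-09-21) and reopening the file only when its age has changed (Ted, above), as an added example that is not auth-source.el code or any poster's code. The `my-netrc-*` names, the simplified one-entry-per-line `key value` parsing (no quoted values) and the sample host are assumptions.

```elisp
;; Added example; my-netrc-* are hypothetical names, not auth-source.el code.
(defvar my-netrc-cache (make-hash-table :test 'equal)
  "Expanded file name -> (MTIME . ENTRIES).  ENTRIES hold plaintext secrets.")

(defun my-netrc-parse-buffer ()
  "Parse netrc-style lines in the current buffer into a list of alists."
  (let (entries)
    (goto-char (point-min))
    (while (not (eobp))
      (let ((tokens (split-string
                     (buffer-substring-no-properties
                      (line-beginning-position) (line-end-position))
                     "[ \t]+" t))
            entry)
        (while (cdr tokens)             ; consume "key value" pairs
          (push (cons (pop tokens) (pop tokens)) entry))
        (when entry (push (nreverse entry) entries)))
      (forward-line 1))
    (nreverse entries)))

(defun my-netrc-entries (file)
  "Return parsed entries of FILE, re-reading it only when its mtime changed."
  (let* ((file (expand-file-name file))
         (mtime (nth 5 (file-attributes file)))
         (cached (gethash file my-netrc-cache)))
    (if (and cached (equal (car cached) mtime))
        (cdr cached)                    ; unchanged: no reopen, no decryption
      (let ((entries (with-temp-buffer
                       (insert-file-contents file) ; epa-file decrypts .gpg here
                       (my-netrc-parse-buffer))))
        (puthash file (cons mtime entries) my-netrc-cache)
        entries))))

(defun my-netrc-missing (file host port wanted)
  "Return the fields in WANTED that FILE has no value for on HOST and PORT."
  (let ((entries (my-netrc-entries file)) found missing)
    (while (and entries (not found))
      (let* ((e (pop entries)) (eport (cdr (assoc "port" e))))
        (when (and (equal (cdr (assoc "machine" e)) host)
                   (or (null eport) (equal eport port)))
          (setq found e))))
    (dolist (field wanted (nreverse missing))
      (unless (assoc field found) (push field missing)))))

;; Constructed sample: the entry has a login but no password.
(let ((f (make-temp-file "authinfo")))
  (with-temp-file f (insert "machine mail.example.org login alice port imaps\n"))
  (prog1 (my-netrc-missing f "mail.example.org" "imaps" '("login" "password"))
    (delete-file f)))
```

A caller would prompt for each returned field and keep the answer in memory only. A change made within the timestamp granularity of the file system is not noticed by the mtime comparison.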




* tls.el I added '--insecure' (Was :Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.)
  2010-09-26 12:27                 ` Ted Zlatanov
@ 2010-09-26 12:38                   ` Gijs Hillenius
  2010-09-26 20:53                     ` tls.el I added '--insecure' Ted Zlatanov
  0 siblings, 1 reply; 28+ messages in thread
From: Gijs Hillenius @ 2010-09-26 12:38 UTC (permalink / raw)
  To: ding

On 26 Sep 2010, Ted Zlatanov wrote:

[...]

>
> GH> In *Messages* I get:
>
> GH> Opening TLS connection to `mail.hillenius.net'...
> GH> Opening TLS connection with `gnutls-cli -p imaps mail.hillenius.net'...failed
> GH> Opening TLS connection with `gnutls-cli -p imaps mail.hillenius.net --protocols ssl3'...failed
> GH> Opening TLS connection with `openssl s_client -connect mail.hillenius.net:imaps -no_ssl2 -ign_eof'...done

Thanks Ted, for your explanation.

I decided to change the tls.el file that comes with this gnus, adding a 

changing this line: 
,----
| (defcustom tls-program '("gnutls-cli -p %p %h"
`----
into

,----
| (defcustom tls-program '("gnutls-cli --insecure -p %p %h"
`----

and byte-compile & load it. 

That "fixed" my `gnutls-cli -p imaps mail.hillenius.net'...error.



Which means that now I'm back to my bigger problem, understanding why my gcc
is not yet working.








* Re: tls.el I added '--insecure'
  2010-09-26 12:38                   ` tls.el I added '--insecure' (Was :Re: [gnus git] Add ~/.authinfo to the default, since that's probably most useful for users.) Gijs Hillenius
@ 2010-09-26 20:53                     ` Ted Zlatanov
  0 siblings, 0 replies; 28+ messages in thread
From: Ted Zlatanov @ 2010-09-26 20:53 UTC (permalink / raw)
  To: ding

On Sun, 26 Sep 2010 14:38:15 +0200 Gijs Hillenius <gijs@hillenius.net> wrote: 

GH> I decided to change the tls.el file that comes with this gnus, adding a 

GH> changing this line: 
GH> ,----
GH> | (defcustom tls-program '("gnutls-cli -p %p %h"
GH> `----
GH> into

GH> ,----
GH> | (defcustom tls-program '("gnutls-cli --insecure -p %p %h"
GH> `----

GH> and byte-compile & load it. 

(sorry if I misunderstood, but I think you may not know about
customize-variable)

You can just do `M-x customize-variable tls-program' and it will do it
correctly.  The modified variable will be stored in your custom.el file,
which Emacs will manage.  Try it.

Ted
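
The same override made from the init file rather than by editing tls.el, as an added example that is not from the thread or from tls.el: the `--insecure` form beside one that keeps certificate validation by giving gnutls-cli a CA file, plus a check that flags `--insecure` entries. The `my-tls-*` names and the CA file path are assumptions.

```elisp
;; Added example; my-tls-* names and the CA path are assumptions.
(defvar my-tls-ca-file (expand-file-name "~/.emacs.d/mail-ca.pem")
  "PEM file with the CA (or self-signed) certificate of the mail server.
Assumed to contain no whitespace or % characters in its path.")

;; Form from the thread: with --insecure, gnutls-cli no longer aborts when
;; the server certificate cannot be validated.
(defvar my-tls-program-insecure '("gnutls-cli --insecure -p %p %h"))

(defun my-tls-program-verified (ca-file)
  "Return a `tls-program' value that validates the server against CA-FILE."
  (unless (file-readable-p ca-file)
    (error "CA file %s is not readable" ca-file))
  (list (format "gnutls-cli --x509cafile %s -p %%p %%h" ca-file)))

(defun my-tls-unverified-entries (programs)
  "Return the entries of PROGRAMS that pass --insecure to gnutls-cli."
  (let (hits)
    (dolist (cmd programs (nreverse hits))
      (when (string-match-p
             "\\(?:\\`\\|[ \t]\\)--insecure\\(?:[ \t]\\|\\'\\)" cmd)
        (push cmd hits)))))

;; In the init file: use the validating form once the CA file is in place.
(when (file-readable-p my-tls-ca-file)
  (setq tls-program (my-tls-program-verified my-tls-ca-file)))

;; Audit a candidate value before using it; here it returns the one entry.
(my-tls-unverified-entries my-tls-program-insecure)
```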




