Re: authinfo gnutls netrc.el auth-sources & smtpmail-starttls-credentials

Re: authinfo gnutls netrc.el auth-sources & smtpmail-starttls-credentials

[Ted Zlatanov]

On Tue, 9 Jun 2009 23:49:41 -0400 MON KEY <monkey@sandpframing.com> wrote: 

MK> use of .authinfo.gpg implies auth-sources.el (or will soon)
MK> auth-sources wants netrc.el per `auth-source-user-or-password'
MK> netrc.el defines a var `netrc-services' that is hard bound to "/etc/services"

MK> How is this going to remain secure/stable/reliable across platforms -
MK> esp. going forward in lieu of emerging and recent new functionality
MK> with auth-sources, epa, epg?

MK> If netrc.el wants to hardwire the `netrc-services-file' he should be
MK> mindful that not all systems have this path available - maybe a
MK> defcustom is in order here?

It makes sense to bundle some default service definitions with Emacs,
but allow overriding and lookups in external resources (files, etc.) as
well.  There's always the option of specifying the port as a number.
Also there are packages which have their own ideas about service ports,
e.g. from imap.el:

;; Internal constants.  Change these and die.

(defconst imap-default-port 143)
(defconst imap-default-ssl-port 993)
(defconst imap-default-tls-port 993)

or tramp.el:

    ("ssh"   (tramp-login-program        "ssh")
...
	     (tramp-default-port         22))


The place to put the service port definitions and API should probably be
a new .el file in Emacs, not netrc.el or auth-sources.el.  Then Emacs
packages can migrate to using the new API.  One of the Emacs maintainers
should give an opinion here, I don't have a strong one.

MK> It doesn't look like this oversight can pose an immediate problem
MK> because where the `/etc/services' is missing netrc.el just ignores the
MK> void... and quietly proceeds - still... is that a _good_ thing?

Yes, it lets people get stuff done.  It's not a security risk and does
not behave in an unexpected way.  It can be augmented but the
fundamental principle is sound: use the host OS's idea of service ports
if it's available.

Ted

Re: authinfo gnutls netrc.el auth-sources & smtpmail-starttls-credentials

[Ted Zlatanov]

On Wed, 10 Jun 2009 16:43:14 -0400 MON KEY <monkey@sandpframing.com> wrote: 

MK> Some observations:

I appreciate your thoughts, but please realize not everyone has an hour
to parse all your code.  If you have specific suggestions, please make
them directly and succinctly.  I've tried to answer what I could; please
follow up with questions implicit in your code that I have missed.

MK> docstring for `gnus-message' provides some guidelines for message levels:
MK> "Guideline for numbers: {...} 9 - messages inside loops."

MK> The `gnus-message' is printed when it exceeds the `gnus-verbose'
MK> threshold (defaults to 7)
MK> Which is to say, assuming the user has `gnus-util' library loaded and
MK> his `gnus-verbose' level
MK> set at or above level 9(nine) - he may see _gnus-message_ indicating
MK> that the password/login has been cached
MK> along with a timestamp _if_ `gnus-add-timestamp-to-message' it t.

auth-source.el currently is part of Gnus, so it uses Gnus logging
facilities.  If it's moved out, we can adjust the logging.  Perhaps
you're suggesting we need an auth-source-verbose variable?

MK> Great! No Wait... any code that evaluates
MK> `auth-source-user-or-password' directly has the value returned to
MK> *Messages*
MK> regardless of the `gnus-verbosity' levels. He _may not_ see those but
MK> they may well be there anywasy

MK> `../emacs/lisp/gnus/gnus-util.el' has one of these: (require 'netrc)


MK> `../emacs/lisp/url/url-auth.el' has one of these:
MK> (autoload 'auth-source-user-or-password "auth-source")

Can you explain what the problem is, please?  Is there unwanted
information in the *Messages* buffer?

MK> Also, re: my previous post:
>> auth-sources wants netrc.el per `auth-source-user-or-password'

MK> It is worth noting that the call out to netrc.el happens at compile time:
MK> (eval-when-compile (require 'netrc))

I'm not sure why that's worth noting.

MK> Alongside these really interesting autoloads:
MK> (autoload 'encrypt-find-model "encrypt")
MK> (autoload 'encrypt-insert-file-contents "encrypt")

MK> What _are_ these?

encrypt.el was my encryption API, which (through a discussion with many
Emacs users and developers) was obsoleted in favor of EPG/EPA.  The
calls you saw will be removed eventually, together with encrypt.el
itself, but I haven't done it yet (primarily due to lack of time).

MK> An experiment:
...
MK> ;GREAaaaat... I feel so dirty...
...
MK> ;=>Why are those sleeper gnus-messages are hanging around in *Messages*?

Sorry, as I said above I simply could not figure out everything you're
asking through 3-4 pages of code.  Please rewrite as simple questions I
can answer.

Thanks
Ted