emacs-devel

Re: auth-source change default spec


From: Tim Cross
Subject: Re: auth-source change default spec
Date: Tue, 1 May 2012 08:41:49 +1000

Hi Ted,

I looked at that bug report and I think the options you offered were
good. I disagree with the usability argument i.e. that asking the
user to enter their gpg passphrase in order to search their
.authinfo.gpg file is too much to ask and that if firefox doesn't use
encrypted files to store passwords why should we. Security always has
a small element of inconvenience and asking to enter a passphrase is
not too much. Just because firefox uses poor practice in storing
sensitive data doesn't justify emacs doing the same.

For me, the main question relating to this and usability is to what
extent other platforms, like windows, will have the necessary
encryption facilities available such that having the encrypted version
as default will not result in really broken or inconvenient behaviour
for them. Not being a windows user, I cannot assess this issue.

However, this is perhaps getting off point for my main issue.

Regardless of the style of authinfo file being used, my issue is that
the library appears to only use the first choice in the auth-sources
list even when it knows (at least should) there is a gpg file. In this
situation, it should default to the gpg version, not to the first item
in the auth-sources spec.

Make no mistake, the current way things work does cause problems for
users. A couple of us recently spent some hours trying to work out why
things were breaking after changing some code to use auth-sources.

Unfortunately, I don't think asking the user to edit the auth-sources
list is the right answer. Some packages will automatically create
entries for authinfo. It is likely they are unaware of auth-sources or
the configuration variables. Asking them to modify the default is
possibly expecting too much.

I think this can be resolved fairly easily. If auth-sources has
already found a .authinfo.gpg file in its initial search, then that
should become the default file to store new credentials, regardless of
what is first in auth-sources. In addition, it would be good to allow
the user to change the destination filename at the prompt when asked if
they want to save the current credentials.

Note also, the auth-sources manual is a bit misleading. It states that
the gpg version will be searched first. If I understand correctly,
this is not the case - it depends on auth-sources.

I will also need to check the meaning of :max 1 - I thought that meant
the search should return a maximum of one result, not, as seems to be
implied by the text in that bug report, that the library would only
search a max of 1 file. Another (less desirable) solution would be for
the library to continue to search all files until either it found a
match or ran out of files. This would at least stop the bug we ran
into because auth-source created a .authinfo file when we already had
an .authinfo.gpg file.

Having said all that, the library is a good addition and I appreciate
the work which has gone into it.

Tim

On 30 April 2012 22:51, Richard Riley <address@hidden> wrote:
> Ted Zlatanov <address@hidden> writes:
>
>> On Sat, 28 Apr 2012 10:45:37 +1000 Tim Cross <address@hidden> wrote:
>>
>> TC> I've recently run into a minor problem with the auth-source library
>> TC> which I think is due to the default SPEC for auth-sources. I wanted
>> TC> some feedback before logging a bug request and also wanted to make this
>> TC> possible issue visible asap given the need to get defaults sorted for
>> TC> the next release.
>>
>> TC> The current default sources spec (taken from recent emacs bzr sources) is
>>
>> TC> ("~/.authinfo" "~/.authinfo.gpg" "~/.netrc")
>>
>> TC> I think it should be changed to have .authinfo.gpg first in the
>> TC> list.
>>
>> Could you please read through Emacs bug #9113?  It deals with this issue
>> at length.
>>
>> http://comments.gmane.org/gmane.emacs.bugs/49377
>>
>> I had the .gpg file first originally and would still like it to be
>> first, but the objections are quite reasonable.
>>
>> TC> The reason is that if you already have a .authinfo.gpg file and then
>> TC> attempt to access a resource for which you don't yet have credentials
>> TC> and the search criteria specifies the :create option, because
>> TC> .authinfo is first, it will attempt to save the credentials in the
>> TC> .authinfo file and not .authinfo.gpg. If you have things configured to
>> TC> ask if you want to save (the default) it will ask if you want to save
>> TC> to .authinfo even when it is aware you have a .authinfo.gpg file. It
>> TC> does not appear to give you an option to change this.  If you just
>> TC> accept the defaults and you do use .authinfo.gpg, things will break
>> TC> when you add new credentials because it will create a .authinfo
>> TC> file.
>>
>> I don't think anything is broken.  auth-source is simply respecting
>> `auth-sources' as it's supposed to.  Preferring the second source
>> because of some attribute (e.g. "it has the .gpg extension") is much
>> worse in terms of usability.
>
> I would strongly disagree. I would expect it should default to the most
> secure. And allow fall through on the search. Should you really want,
> for some really obscure reason, to prefer a plain text file for secure
> passwords over the .gpg then some sort of override could be
> implemented. I know I'd be pretty miffed if I saved passwords thinking
> they were going into .gpg only to have them read out to me at a later
> date by someone who got hold of the plaintext file.
>



-- 
Tim Cross
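
The following is an added example, not part of the original message and not code from auth-source itself. It is a user-side init-file sketch of the behaviour discussed in this thread: it moves `.gpg` entries that already exist on disk to the front of `auth-sources`, so that `:create` saves go to the encrypted file, and it warns when a plaintext file sits beside its `.gpg` twin. The `my/` function names are hypothetical, and the sketch assumes file-based sources are given as plain strings.

```elisp
;; Added example; the my/ names are hypothetical, not part of auth-source.
(require 'cl-lib)
(require 'auth-source)

(defun my/auth-source-encrypted-p (source)
  "Return non-nil if SOURCE is a string file name ending in .gpg."
  (and (stringp source)
       (string-match-p "\\.gpg\\'" source)))

(defun my/auth-sources-encrypted-first (sources)
  "Return SOURCES with .gpg files that exist on disk moved to the front.
Relative order inside each group is kept.  Entries that are not
strings (symbols, plist specs) stay in the second group untouched."
  (let ((enc (cl-remove-if-not
              (lambda (s)
                (and (my/auth-source-encrypted-p s)
                     (file-exists-p (expand-file-name s))))
              sources)))
    ;; `memq' is enough: ENC holds the very same string objects.
    (append enc (cl-remove-if (lambda (s) (memq s enc)) sources))))

(defun my/auth-sources-plaintext-shadows (sources)
  "Return plaintext files in SOURCES that exist beside an existing .gpg twin.
Such a file is the symptom described above: credentials were saved to
~/.authinfo although ~/.authinfo.gpg was already in use."
  (cl-remove-if-not
   (lambda (s)
     (and (stringp s)
          (not (my/auth-source-encrypted-p s))
          (file-exists-p (expand-file-name s))
          (file-exists-p (expand-file-name (concat s ".gpg")))))
   sources))

;; With the default ("~/.authinfo" "~/.authinfo.gpg" "~/.netrc") and an
;; existing ~/.authinfo.gpg, the encrypted file becomes the first source.
(setq auth-sources (my/auth-sources-encrypted-first auth-sources))

(dolist (f (my/auth-sources-plaintext-shadows auth-sources))
  (display-warning
   'auth-source
   (format "%s exists next to %s.gpg; check it for unencrypted credentials"
           f f)))
```

If no `.gpg` file exists yet, the list is left in its original order, so the first-source behaviour Ted describes is unchanged for users who have not set up encryption.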


