Re: Has anyone looked at JMAP?

2020-09-02 Thread Ken Hornstein
>Oh, it's fairly easy for a user to create their own custom API key for their
>own instance of fetchmail.  What's *not* permitted is for a *project* to ship a
>tarball or whatever with a key usable by everybody who installs the package.

Well, we've been doing this for years with nmh!  And it sounds like
KMail does the same.  I'm not really sure HOW you're supposed to do it
for OSS projects otherwise.

And ... well ... to show how COMPLETELY dumb this is, the same authentication
scheme (OAuth2) is used for Microsoft Exchange.  When testing out DavMail
for Exchange email access, my company refused to allow DavMail as an authorized
client.  So I simply changed DavMail to use the client identifier of
Microsoft Office ... which I found on docs.microsoft.com.

>Which of course is actually pretty reasonable - imagine the flamestorm if
>openssh shipped a public/private keypair that it installed on every
>machine.

If you could provide pointers on how to create your own custom API
key (there is confusion on how difficult it is), I'd be glad to add
that documentation to nmh.

--Ken



Re: Has anyone looked at JMAP?

2020-09-02 Thread Valdis Klētnieks
On Mon, 31 Aug 2020 20:44:42 -0400, Ken Hornstein said:
> >- Paragraph 4.b.1, which states that "You will keep your credentials
> >> confidential and make reasonable efforts to prevent and discourage other
> >> API Clients from using your credentials. Developer credentials may not be
> >> embedded in open source projects." prohibits the use of OAuth credentials
> >> in free software projects.  As I wrote above (and earlier), Google
> >> tolerates (at the moment) that this specific point of their TOS is
> >> violated.  But that doesn't mean that violating them is without legal
> >> risk.
>
> Oof, fair enough.  It does seem unfortunate that the official rules don't
> permit OSS projects; I wish there was a way for a user to create their
> own custom API key and they could just add that to their account.  Honestly,
> I am fine with doing what KMail did (since that's what we did before).

Oh, it's fairly easy for a user to create their own custom API key for their
own instance of fetchmail.  What's *not* permitted is for a *project* to ship a
tarball or whatever with a key usable by everybody who installs the package.

Which of course is actually pretty reasonable - imagine the flamestorm if
openssh shipped a public/private keypair that it installed on every
machine.


