| freemangordon | Wizzup: I know you are not fan of google, but there are people (like me) who use google services. | 09:59 |
|---|---|---|
| freemangordon | the point is - shall we register maemo-leste google user | 10:00 |
| freemangordon | and have all the oauth2 tokens issued to that user | 10:00 |
| DaKnig | why do you need a google user for that | 10:03 |
| freemangordon | DaKnig: how to access google developer site without account? | 10:04 |
| freemangordon | DaKnig: if you can help with that, please do, I have zero experience with google APIs etc | 10:05 |
| freemangordon | but, OAuth2 requires application (client) ID to be send | 10:05 |
| DaKnig | https://f-droid.org/packages/org.liberty.android.freeotpplus/ | 10:05 |
| DaKnig | android but still | 10:05 |
| freemangordon | what is this? | 10:06 |
| DaKnig | oh idk | 10:06 |
| DaKnig | otp program sorry not sure its relevant | 10:06 |
| freemangordon | DaKnig: oh, no, it is not | 10:06 |
| freemangordon | OAuth2 is another story | 10:06 |
| DaKnig | what's that | 10:07 |
| freemangordon | it replaces plain password authentication | 10:07 |
| DaKnig | well this program does it too | 10:07 |
| freemangordon | ok, but first - we need it to run on leste | 10:08 |
| freemangordon | also, we have to identify different programs - like telepathy-gabble and modest | 10:08 |
| DaKnig | the point is you can use open source software to generate those tokens | 10:09 |
| DaKnig | you can see the source | 10:09 |
| freemangordon | no, these tokens must be created by google | 10:09 |
| freemangordon | when you want to access google services | 10:10 |
| DaKnig | well yes | 10:10 |
| DaKnig | what's hosted on google? | 10:10 |
| freemangordon | xmpp, imap | 10:10 |
| freemangordon | since yesterday both google-talk and gmail return "Not AUthorised" when you want to authenticate with plain password | 10:11 |
| freemangordon | which is expected as they said this will stop working on 30th of May | 10:12 |
| _uvos_ | here in ger | 10:13 |
| _uvos_ | osm data is way way better | 10:13 |
| _uvos_ | btw | 10:13 |
| _uvos_ | its just that the osm webapplication is bad and dosent allow you to see everything | 10:14 |
| _uvos_ | android osmand is extreamly good | 10:14 |
| _uvos_ | gmapps is almost impossible to use for me | 10:14 |
| _uvos_ | because the mappdata dosent know the difference between a kraftfahrtstrasse and a simple bundesstrasse | 10:15 |
| _uvos_ | and my vehicle cand go on one of those ;) | 10:15 |
| _uvos_ | just food for tought | 10:15 |
| _uvos_ | *cant | 10:15 |
| freemangordon | _uvos_: my questions was rather "what navigation provider services shall I implement first" :) | 10:19 |
| freemangordon | in context of https://github.com/maemo-leste/libnavigation | 10:20 |
| freemangordon | I shall create something similar to https://github.com/community-ssu/nokiamaps-navigation-provider | 10:20 |
| Wizzup | freemangordon: I wasn't saying anything about what services not to use, I just said that osm seems like a good provider :) | 11:20 |
| Pali | Hi! I have experience with xoauth2, I implemented this nonsense last weekend. | 12:24 |
| Pali | I implemented it for imap client. | 12:27 |
| freemangordon | Pali: great | 13:02 |
| freemangordon | could you help with modest when it comes to it? | 13:02 |
| Pali | This is my IMAP implementation: https://github.com/pali/imap-fetcher/commit/5629dc5437c03da7b4798489e7d1569d04a07e56 | 13:02 |
| freemangordon | I plan to use Qt | 13:03 |
| Pali | You need to send at $xoauth2_request_url (https://accounts.google.com/o/oauth2/token) POST FORM with client_id, client_secret, refresh_token and grant_type | 13:04 |
| Pali | grant_type is string 'refresh_token' | 13:04 |
| Pali | all other values are secret keys (generated by google console) | 13:04 |
| freemangordon | I did oauth2 for facebook back then | 13:05 |
| Pali | That HTTPS request returns JSON like { "access_token" : "..." } | 13:05 |
| freemangordon | yeah | 13:05 |
| freemangordon | I am trying to find my code | 13:06 |
| Pali | And this access_token you need to put into IMAP session into command: AUTHENTICATE XOAUTH2 encode_base64("user=$user\x01auth=Bearer $xoauth2_access_token\x01\x01") | 13:06 |
| Pali | And that is all. | 13:06 |
| freemangordon | the fuck!!! we already had that :( https://github.com/community-ssu/rtcom-accounts-plugin-jabber | 13:07 |
| freemangordon | well... | 13:08 |
| Pali | In past I implemented it also in Qt/KDE4 for Kopete XMPP client: https://github.com/KDE/kopete/commit/3bff188483fd2ee01bb8310a511e8cc9a4808d22 | 13:08 |
| Pali | But this is 6 years old code... | 13:08 |
| freemangordon | ok, this https://github.com/community-ssu/feedservice-plugin-fb-common/tree/master/src/oauth | 13:09 |
| freemangordon | Pali: what about using stuff like libgsignon-glib | 13:10 |
| Pali | I do not know this library. | 13:10 |
| Wizzup | https://github.com/ayoy/qoauth/wiki ? | 13:10 |
| Pali | You need XOATUH2 Bearer auth | 13:11 |
| Pali | Not auth1 | 13:11 |
| freemangordon | yeah, we need oauth2 | 13:11 |
| Wizzup | https://liboauth.sourceforge.io/ ? | 13:11 |
| Pali | and for IMAP you need Bearer, not basic oatuh2 | 13:11 |
| freemangordon | whatever it is :) | 13:12 |
| Pali | If you look at my imap-fetcher code, implementation is really simple, so I think it would be easier to implement it (like I did) instead of using 3rd library and hooking it into project | 13:12 |
| freemangordon | Pali: we still need UI | 13:12 |
| Pali | You need just one HTTPs request for retrieving access token from refresh token | 13:13 |
| Pali | Yes! You need UI for setting all those private keys | 13:13 |
| freemangordon | hmm, what? | 13:13 |
| freemangordon | we need UI to embed browser into | 13:13 |
| freemangordon | unless I am missing something | 13:13 |
| Pali | Nope, this is browser-less. | 13:13 |
| freemangordon | how's that? | 13:13 |
| freemangordon | seems I lack the knowledge | 13:14 |
| Pali | Well, you need browser for generating refresh token | 13:14 |
| freemangordon | yep, on the first login with user/pass | 13:14 |
| Pali | but refresh token has infinite lifetime. | 13:14 |
| Wizzup | are we talking just modest or supporting it in many places? | 13:14 |
| freemangordon | you login into google page accepting TC and whatnot | 13:15 |
| freemangordon | Wizzup: may places | 13:15 |
| freemangordon | *many | 13:15 |
| Pali | I generated refresh token via google's python script (which wants me to open URI in browser) | 13:15 |
| freemangordon | and modest/TP being clients | 13:15 |
| freemangordon | Pali: well, we can use the scheme for TV sets, but I don;t think that's user friendly | 13:15 |
| Pali | and then I put refresh token into config file... and then my imap-fetcher can generate access token for login fully automatically | 13:15 |
| freemangordon | given that we *have* browser :) | 13:15 |
| freemangordon | I think we shall create centralized oauth service available to everybody on the system | 13:16 |
| Pali | Hm... this is probaby harder to implement. I did not try it. | 13:16 |
| freemangordon | a dbus service in Qt shall do it | 13:17 |
| freemangordon | and then modest or whatever just asks for the token and leaves the service to do whatever is needed | 13:17 |
| freemangordon | well, we shall provide oauth URL along with user/pass | 13:18 |
| freemangordon | unless oauth has a mechanism to provide that to clients | 13:18 |
| Pali | you still need to ask for client_id and client_secret | 13:18 |
| Pali | This is private info. | 13:19 |
| freemangordon | but it is private to the application, no? | 13:19 |
| Wizzup | something like this surely must exist in foss desktop already | 13:19 |
| Pali | Yes! Either you create closed-source application with bundled those keys | 13:19 |
| freemangordon | UUIC, you register the application with google and you receive application id (client_id?) | 13:19 |
| Pali | Or you create open-source application but then you cannot distribute these private data. | 13:20 |
| freemangordon | Wizzup: I guess https://gitlab.com/accounts-sso/libgsignon-glib/ | 13:20 |
| Pali | You register application in google console and you will get from google client_id and client_secret. | 13:20 |
| freemangordon | And I am not allowed to show those in public? | 13:20 |
| freemangordon | this is crazy | 13:20 |
| Pali | Yes! | 13:21 |
| freemangordon | yeah, security by obscurity at its finest :( | 13:21 |
| Pali | It is 2022, open-source is not more allowed in google | 13:21 |
| Pali | So now, everybody has to register its own application to get those private keys. | 13:21 |
| freemangordon | but wait, how is that secret given that it is embedded in the code even if it is closed source | 13:22 |
| Pali | All this xoauth2 nonsense is just to elimitate open source apps | 13:22 |
| Pali | it is regulation from google that you must keep this secret in your (EXE) binary application, e.g. by obfuscation. | 13:23 |
| freemangordon | ah, I see | 13:23 |
| Pali | If you want to register your application on google with full access to your account, then part of the registraction is google verification. | 13:23 |
| freemangordon | well, if it is obfuscated in the source, isn;t it the same? | 13:23 |
| Pali | You has to prepare video on youtube, put link to that video into verification form. And in your video you had to explain why it is secure! | 13:24 |
| Pali | IIRC all this you had to explain that youtube video and if google thinks it is is not enough, you would not get access to _full account_. | 13:25 |
| freemangordon | what is "full account"? | 13:25 |
| Pali | If you are registering application, there are lot of levels for access... E.g. only XMPP, only some subset of HTTP api, or IMAP, or everything = full access | 13:26 |
| freemangordon | well, we need xmpp and imap so far | 13:26 |
| freemangordon | I give a shit about adds API or whatever | 13:27 |
| Pali | And some APIs are marked as _restricted_ which needs this special google verification for approval. | 13:27 |
| freemangordon | maybe we'll need maps @ some point, if it is free for use at all | 13:27 |
| Pali | IMAP API is already marked as restricted and needs some verification. | 13:28 |
| Pali | Yesterday I enabled something and it allowed me at least to generate some TV token. | 13:28 |
| Pali | As I said, this xoauth2 nonsense is there just for eliminating open sourcre applications. | 13:28 |
| freemangordon | Wizzup: https://gitlab.com/accounts-sso/gsignond | 13:29 |
| Pali | google do not want other people to access google's service via unverified applications. | 13:29 |
| freemangordon | well, that's not the same as "they don;t want FOSS" :) | 13:29 |
| Pali | ok, lets say they do not want applications which are not under their control... but for me such application is not FOSS anymore. | 13:31 |
| bencoh | you can still use regular auth with google, as long as you create an application password, btw | 13:44 |
| bencoh | (I had to do that at $job) | 13:44 |
| Pali | Only in case you enable 2FA on your account for which you need google application or another nonsense for login | 13:45 |
| bencoh | hmm, I don't think so | 13:47 |
| Pali | I was not able to enable application password support without 2FA and random people on internet confirmed this. | 13:47 |
| bencoh | I mean, they eventually forced us to enable 2FA here, but it's not used for 3rd-party applications (imap client in my case) | 13:47 |
| freemangordon | I wonder how thunderbird manages to do it | 13:48 |
| bencoh | I only need to use 2FA once in a while to login to their website, and then I just receive a short message on my phone | 13:48 |
| bencoh | I have no android/ios app whatsoever anyway | 13:48 |
| freemangordon | I have no android phone, neither I have 2FA enabled | 13:48 |
| Pali | thunderbird passed verification process and EXE binary contains private keys | 13:48 |
| freemangordon | so, we'll do the same | 13:49 |
| freemangordon | I don;t think it is bad that google will audit our application | 13:49 |
| bencoh | it's bad if it is mandatory | 13:49 |
| bencoh | it's not bad per-se | 13:49 |
| freemangordon | well... | 13:49 |
| freemangordon | noone forces us to use their services ;) | 13:49 |
| bencoh | sure, but ... :) | 13:50 |
| freemangordon | yeah... | 13:50 |
| Pali | I wrote some info about XMPP years ago: https://www.mail-archive.com/kopete-devel@kde.org/msg17537.html | 13:50 |
| bencoh | (tbh I only have a professional account at $job, I have been living without a personal google account for .... forever) | 13:51 |
| Pali | I have personal account in download mode as still I receive some email on it. But I'm not using it (activelly) anymore. | 13:51 |
| bencoh | (oh actually I had one at some point, but lost the password :D) | 13:53 |
| bencoh | (even forgot about it) | 13:53 |
| Pali | It does not matter, you cannot use that lost password for loggin anymore :P | 13:54 |
| bencoh | :] | 13:54 |
| freemangordon | umm, you can. in the web interface | 13:54 |
| Pali | but none of my scripts use web interface | 13:55 |
| freemangordon | well, yah | 13:55 |
| freemangordon | *yeah | 13:55 |
| freemangordon | we have signond available on leste | 13:58 |
| freemangordon | so I guess this is the correct route | 13:58 |
| freemangordon | yeah, right | 14:06 |
| freemangordon | client_id/client_secure of thinderbird seems to be in modules/OAuth2Providers.jsm | 14:07 |
| freemangordon | this is in omni.ja | 14:07 |
| freemangordon | and it is in clear text | 14:08 |
| Pali | WUT? secret keys are leaked? | 14:08 |
| Pali | Can you paste it here? :-) | 14:09 |
| freemangordon | what do you mean | 14:09 |
| freemangordon | just unzip omni.ja | 14:09 |
| freemangordon | and open modules/OAuth2Providers.jsm | 14:09 |
| freemangordon | well, I am not 100% sure, but it *looks* like client_id/client_secure | 14:10 |
| freemangordon | Pali: https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2Providers.jsm#L87 | 14:11 |
| freemangordon | how is that obfuscated? | 14:11 |
| Pali | first line has format of client id | 14:13 |
| freemangordon | obviously it is | 14:13 |
| Pali | second line does not look like client secret, or at least my secret is longer | 14:14 |
| freemangordon | well, just try those and see what will happen | 14:15 |
| freemangordon | but I would bet the second line is the clear secret | 14:15 |
| freemangordon | or obfuscated by XOR-ing or somesuch | 14:15 |
| freemangordon | https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2Providers.jsm#L146 | 14:15 |
| Pali | It is working! | 14:18 |
| freemangordon | sure, why noit | 14:18 |
| freemangordon | *not | 14:18 |
| freemangordon | all the oauth2 apps I did RE bac then (maps provide, facebook sharing, etc) had id/secret in clear form embedded in the code | 14:19 |
| Pali | $ git clone https://github.com/google/gmail-oauth2-tools && cd gmail-oauth2-tools && python2 python/oauth2.py --generate_oauth2_token --client_id="406964657835-aq8lmia8j95dhl1a2bvharmfk3t1hgqj.apps.googleusercontent.com" --client_secret="kSmqreRr0qwBWJgbf5Y-PjSU" --scope=https://mail.google.com/ | 14:19 |
| Pali | I received refresh token via URI auth | 14:20 |
| freemangordon | ok, but I don;t want leste to use thunderbird id/secret | 14:20 |
| freemangordon | leste == telepathy-gabble, modest | 14:20 |
| freemangordon | so I am going to register those | 14:20 |
| Pali | for own scripts it is easier than registering own keys | 14:20 |
| freemangordon | yeah | 14:21 |
| freemangordon | still, the main question was whether to develop our own FW or to use something existing | 14:21 |
| freemangordon | for now I am going to try signond | 14:21 |
| Pali | anyway, this is against google verification policy if secret key is publicly available | 14:26 |
| Pali | I'm not sure if google accept this for small application like modest | 14:26 |
| freemangordon | well, I wouldn;t call thunderbird small | 14:29 |
| freemangordon | also, you can *never* keep any key secret, unless you have HSM | 14:30 |
| Pali | I know, but google probably not | 14:30 |
| freemangordon | well.. | 14:30 |
| freemangordon | I doubt they are *that* stupid or ignorant | 14:31 |
| Pali | thunderbird is not small, so maybe they have exception... but small apps would not get exception | 14:31 |
| freemangordon | we'll see | 14:31 |
| freemangordon | also, I will make it as secure as possible | 14:31 |
| freemangordon | like XOR-obfuscating in source code :D | 14:32 |
| freemangordon | Pali: I would say all this is not because of FOSS, but becasue of script-kiddies | 14:34 |
| Pali | look for example at https://faircode.eu/faq.html | 14:35 |
| Pali | google is actively fighting | 14:35 |
| Pali | Gravatars and Libravatars are now marked as spyware | 14:35 |
| Pali | They just do not want to see new email client apps | 14:36 |
| freemangordon | Pali: well, if what is said in the "issues" section is true, I don't want this application anyways :) | 14:36 |
| freemangordon | "your application is uploading..." | 14:36 |
| Pali | it is bullshit | 14:37 |
| freemangordon | what do you mean? | 14:37 |
| freemangordon | does it upload contacts or not? | 14:37 |
| Pali | It is marked as spyware for no reason. | 14:38 |
| freemangordon | Pali: it could be marked as spyware because it uploads user information without user being appropriately informed about that. Maybe "spyware" is not the correct term here, but still, if contacts are being uploaded to some site, then I would have to agree with google | 14:40 |
| Pali | it is using gravatar to retrive public avatar about user from public web | 14:42 |
| freemangordon | that does not make it any different | 14:42 |
| freemangordon | I am not saying the application is doing bad things | 14:42 |
| freemangordon | but, if it sends user data over the internet without the user being informed about that, it is not ok | 14:43 |
| Pali | it is downloading, not sending | 14:44 |
| freemangordon | how's that? how it knows what to download? | 14:44 |
| freemangordon | it sends some user id to gravater, no? | 14:45 |
| freemangordon | maybe the real name of the user | 14:45 |
| freemangordon | also, the issue is "without an adequate disclosure" | 14:46 |
| freemangordon | how hard is for developer to explain to the users what data is being send, where and what for? | 14:46 |
| humpelstilzchen[ | https://github.com/M66B/FairEmail/blob/master/PRIVACY.md | 14:47 |
| humpelstilzchen[ | MD5 hash of email addresses | 14:47 |
| humpelstilzchen[ | If Gravatars are enabled, upon receiving a message (GitHub version only) | 14:47 |
| freemangordon | humpelstilzchen[: do you say that after I install application from appstore, I shall open its github project and look into the source/readme about what it is doing? | 14:48 |
| humpelstilzchen[ | The year 2002 wants its md5 back. But it says if gravatar is enabled, so not default | 14:48 |
| freemangordon | IIUC, google are trying to cover their asses in terms of GDPR, for example | 14:49 |
| humpelstilzchen[ | freemangordon: no, I was not writing that. I just believe there is a difference between "The app always sends all e-mail addresses to gravatar" and "The app sends the e-mail addresses to gravatar AFTER I told it to do that." | 14:52 |
| humpelstilzchen[ | Also with e.g. youtube we see a lot false "something" claims from google that just came from some automatic algorithm. but this is more the politics area.. | 14:53 |
| freemangordon | well, I havent's seen the application in question, neither I know google's audit process, but the issues seem to come from human ticking some boxes | 14:54 |
| freemangordon | and still, the issue seems to be that application does not provide enoug information to the user about what it is doing | 14:54 |
| freemangordon | not the data that is send or something similar | 14:55 |
| freemangordon | and no doubt, it is politics | 14:56 |
| freemangordon | but they are in position to say "take it or leave it" | 14:56 |
| humpelstilzchen[ | "I use FairEmail so I just checked: Display Favicons is disabled by default and there's a note below the setting that says "there might be a privacy risk" and links to https://en.wikipedia.org/wiki/Favicon" | 14:57 |
| humpelstilzchen[ | source: https://news.ycombinator.com/item?id=31432334 | 14:58 |
| humpelstilzchen[ | * from hn: "I use | 14:58 |
| freemangordon | humpelstilzchen[: seems the whole issue was about google not explaining what exactly is wrong | 15:02 |
| freemangordon | this is bad, no doubt | 15:02 |
| freemangordon | also, nor modest neither telepathy-gabble will appear in playstore soon :D | 15:03 |
| freemangordon | also, keep in mind FB blocked my developer account ~1- years ago without any explanation, despite me asking them lots of times | 15:04 |
| humpelstilzchen[ | google can basically do what they want on their platform. I'm ok with that, I feel just sorry for the author. Waste of time and power. | 15:04 |
| freemangordon | so I know how it feels like | 15:04 |
| freemangordon | ~10 years | 15:04 |
| freemangordon | yep, agree | 15:04 |
| Wizzup | uvos: here are the ucm changes: https://github.com/maemo-leste/leste-config/commit/c8790e673d6d9ca949589381d12a31aea1db1816 | 21:31 |
| Wizzup | I think the change in playback priority I will revert, that was not on purpose | 21:31 |
| Wizzup | ah, wait | 21:32 |
| Wizzup | uvos: here are the sphone changes I made to make earpiece audio calls work: https://github.com/maemo-leste/sphone/commits/wip-routehack2 - it lacks the other things we discussed, like using datapipe filters to run the reg reset before calling pulse | 21:39 |
| Wizzup | and it also currently lacks speakerphone+headphone register dumps | 21:39 |
| Wizzup | I also had code somewhere to change the call from say earpiece to speakerphone using the pulse api from sphone, but that code wasn't working yet | 21:40 |
| uvos | Wizzup: ok check | 23:21 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!