[Alpine-info] Seeking someone who..?

[Eduardo Chappa]

On Thu, 30 Nov 2023, D.J.J. Ring, Jr. wrote:


> I am also concerned with loosing Google html search page but one for 

> duckduckgo.com exists. I include everyone in my message who could 

> benefit by any changes that increase accessability to all.


... but at the same time reduce security for all. You see, the information 
you keep in your email is not just your information, it is also mine and 
belongs to everyone else that has corresponded with the person that chose 
not to protect their email, and although I have no control over who you 
choose as your provider and the things that your provider can do with your 
email, you seems to be okay with having external people accessing 
information othe people gave you. This might be in confidence, or maybe 
sensitive. If all the emails in your account were your creation for your 
personal use it would be different, but your email contains information 
about others, which also needs to be protected from third parties.


> Most of the people that I am working with that are having the most 

> problem are those using console line interface (CLI) and who often never 

> have a graphical interface (GUI) installed. 

> Most have changed their email program to mutt but they very much miss 

> the features available in alpine like its address book and ability to 

> access newsgroups.


I am sympathetic to the needs of people, especially people with 
disabilities. I might be one of them in the future. However, my security 
is more important to me than their wants. As you know David, there are 
ways to remove the password from the encryption key, making the encryption 
efforts useless. If someone does not want to follow the procedure to 
remove that password, that is on them, not on me. There are clear 
directions to do that.

I will say one thing about the method Carlos posted to remove the password 
file. I was aware of this, and I have seen posts like this in the past. 
Alpine has the ability to remove this password too, and I have posted in 
the past how to do this. This means, there are two ways to remove the 
password from the encryption key, and I will modify Alpine to force 
everyone to have a password in the encryption key. Please do not 
misunderstand me, I did not say that I will force everyone to enter a 
master password, I said I will force the file to be be encrypted with a 
password, which either the user will know or that Alpine will know, but 
that key will have a password. Unfortunately, as always, the way this will 
work will be in the source code and hackers will be able to figure it out. 
Removing the password from the encryption key will force alpine to create 
a new key with a password only known to Alpine. Today you can transfer 
your password file from one machine to another and have it work smoothly 
in the other machine. I do not guarantee that this will be the case for 
those that choose to "remove" the password from the encryption key.


> One of the problems they are having is with Gmail, they've managed to 

> get an application specific password, and can use alpine by using an old 

> version which does not have the master password, but Google has changed 

> the way email is displayed, what used to be the default was the INBOX of 

> their email, but now they have to change folders to one labeled Gmail 

> and inside there they have to select the folder with the new email. 


I am having a hard time understanding this. This seems like a 
configuration issue, not a Gmail issue. Are these people reading email by 
accessing it through a collection list? or do they read their email by 
configuring the inbox-path? (and maybe separately the collection list). If 
you need to skip [Gmail], add it to the collection list configuration.


> It seems that it would be possible when configuring alpine to have a 

> switch much like the one that creates the ability to use the pinepass 

> file.


I agree with you. This is not a technological requirement. It is a choice. 
Some people like me choose to make it mandatory, some people choose to use 
mutt instead, and some people choose to remove the password from the 
encryption key. We can all coexist in this world and make our choices. My 
choice does not force the choice of other people. I hope people that 
disagree with me choose to remove the password for the encryption key, not 
go to mutt, but that is their choice. After all removing the password from 
the encryption key will give them the experience they are looking for, and 
if they do not wish to do that, well, that is their choice too.

-- 
Eduardo