<Pali>
all other values are secret keys (generated by google console)
<freemangordon>
I did oauth2 for facebook back then
pere has quit [Ping timeout: 276 seconds]
<Pali>
That HTTPS request returns JSON like { "access_token" : "..." }
<freemangordon>
yeah
<freemangordon>
I am trying to find my code
<Pali>
And this access_token you need to put into IMAP session into command: AUTHENTICATE XOAUTH2 encode_base64("user=$user\x01auth=Bearer $xoauth2_access_token\x01\x01")
<Pali>
and for IMAP you need Bearer, not basic oatuh2
<freemangordon>
whatever it is :)
<Pali>
If you look at my imap-fetcher code, implementation is really simple, so I think it would be easier to implement it (like I did) instead of using 3rd library and hooking it into project
<freemangordon>
Pali: we still need UI
<Pali>
You need just one HTTPs request for retrieving access token from refresh token
<Pali>
Yes! You need UI for setting all those private keys
<freemangordon>
hmm, what?
<freemangordon>
we need UI to embed browser into
<freemangordon>
unless I am missing something
<Pali>
Nope, this is browser-less.
<freemangordon>
how's that?
<freemangordon>
seems I lack the knowledge
<Pali>
Well, you need browser for generating refresh token
<freemangordon>
yep, on the first login with user/pass
<Pali>
but refresh token has infinite lifetime.
<Wizzup>
are we talking just modest or supporting it in many places?
<freemangordon>
you login into google page accepting TC and whatnot
<freemangordon>
Wizzup: may places
<freemangordon>
*many
<Pali>
I generated refresh token via google's python script (which wants me to open URI in browser)
<freemangordon>
and modest/TP being clients
<freemangordon>
Pali: well, we can use the scheme for TV sets, but I don;t think that's user friendly
<Pali>
and then I put refresh token into config file... and then my imap-fetcher can generate access token for login fully automatically
<freemangordon>
given that we *have* browser :)
<freemangordon>
I think we shall create centralized oauth service available to everybody on the system
<Pali>
Hm... this is probaby harder to implement. I did not try it.
<freemangordon>
a dbus service in Qt shall do it
<freemangordon>
and then modest or whatever just asks for the token and leaves the service to do whatever is needed
<freemangordon>
well, we shall provide oauth URL along with user/pass
<freemangordon>
unless oauth has a mechanism to provide that to clients
<Pali>
you still need to ask for client_id and client_secret
<Pali>
This is private info.
<freemangordon>
but it is private to the application, no?
<Wizzup>
something like this surely must exist in foss desktop already
<Pali>
Yes! Either you create closed-source application with bundled those keys
<freemangordon>
UUIC, you register the application with google and you receive application id (client_id?)
<Pali>
Or you create open-source application but then you cannot distribute these private data.
<Pali>
You register application in google console and you will get from google client_id and client_secret.
<freemangordon>
And I am not allowed to show those in public?
<freemangordon>
this is crazy
<Pali>
Yes!
<freemangordon>
yeah, security by obscurity at its finest :(
<Pali>
It is 2022, open-source is not more allowed in google
<Pali>
So now, everybody has to register its own application to get those private keys.
<freemangordon>
but wait, how is that secret given that it is embedded in the code even if it is closed source
<Pali>
All this xoauth2 nonsense is just to elimitate open source apps
<Pali>
it is regulation from google that you must keep this secret in your (EXE) binary application, e.g. by obfuscation.
<freemangordon>
ah, I see
<Pali>
If you want to register your application on google with full access to your account, then part of the registraction is google verification.
<freemangordon>
well, if it is obfuscated in the source, isn;t it the same?
<Pali>
You has to prepare video on youtube, put link to that video into verification form. And in your video you had to explain why it is secure!
<Pali>
IIRC all this you had to explain that youtube video and if google thinks it is is not enough, you would not get access to _full account_.
<freemangordon>
what is "full account"?
<Pali>
If you are registering application, there are lot of levels for access... E.g. only XMPP, only some subset of HTTP api, or IMAP, or everything = full access
<freemangordon>
well, we need xmpp and imap so far
<freemangordon>
I give a shit about adds API or whatever
<Pali>
And some APIs are marked as _restricted_ which needs this special google verification for approval.
<freemangordon>
maybe we'll need maps @ some point, if it is free for use at all
<Pali>
IMAP API is already marked as restricted and needs some verification.
<Pali>
Yesterday I enabled something and it allowed me at least to generate some TV token.
<Pali>
As I said, this xoauth2 nonsense is there just for eliminating open sourcre applications.
<Pali>
Gravatars and Libravatars are now marked as spyware
<Pali>
They just do not want to see new email client apps
<freemangordon>
Pali: well, if what is said in the "issues" section is true, I don't want this application anyways :)
<freemangordon>
"your application is uploading..."
<Pali>
it is bullshit
<freemangordon>
what do you mean?
<freemangordon>
does it upload contacts or not?
<Pali>
It is marked as spyware for no reason.
<freemangordon>
Pali: it could be marked as spyware because it uploads user information without user being appropriately informed about that. Maybe "spyware" is not the correct term here, but still, if contacts are being uploaded to some site, then I would have to agree with google
<Pali>
it is using gravatar to retrive public avatar about user from public web
<freemangordon>
that does not make it any different
<freemangordon>
I am not saying the application is doing bad things
<freemangordon>
but, if it sends user data over the internet without the user being informed about that, it is not ok
<Pali>
it is downloading, not sending
<freemangordon>
how's that? how it knows what to download?
<freemangordon>
it sends some user id to gravater, no?
<freemangordon>
maybe the real name of the user
<freemangordon>
also, the issue is "without an adequate disclosure"
<freemangordon>
how hard is for developer to explain to the users what data is being send, where and what for?
<humpelstilzchen[>
If Gravatars are enabled, upon receiving a message (GitHub version only)
<freemangordon>
humpelstilzchen[: do you say that after I install application from appstore, I shall open its github project and look into the source/readme about what it is doing?
<humpelstilzchen[>
The year 2002 wants its md5 back. But it says if gravatar is enabled, so not default
pere has joined #maemo-leste
<freemangordon>
IIUC, google are trying to cover their asses in terms of GDPR, for example
<humpelstilzchen[>
freemangordon: no, I was not writing that. I just believe there is a difference between "The app always sends all e-mail addresses to gravatar" and "The app sends the e-mail addresses to gravatar AFTER I told it to do that."
<humpelstilzchen[>
Also with e.g. youtube we see a lot false "something" claims from google that just came from some automatic algorithm. but this is more the politics area..
<freemangordon>
well, I havent's seen the application in question, neither I know google's audit process, but the issues seem to come from human ticking some boxes
<freemangordon>
and still, the issue seems to be that application does not provide enoug information to the user about what it is doing
<freemangordon>
not the data that is send or something similar
<freemangordon>
and no doubt, it is politics
<freemangordon>
but they are in position to say "take it or leave it"
Livio_ has quit [Ping timeout: 240 seconds]
<humpelstilzchen[>
"I use FairEmail so I just checked: Display Favicons is disabled by default and there's a note below the setting that says "there might be a privacy risk" and links to https://en.wikipedia.org/wiki/Favicon"
<freemangordon>
humpelstilzchen[: seems the whole issue was about google not explaining what exactly is wrong
<freemangordon>
this is bad, no doubt
<freemangordon>
also, nor modest neither telepathy-gabble will appear in playstore soon :D
<freemangordon>
also, keep in mind FB blocked my developer account ~1- years ago without any explanation, despite me asking them lots of times
<humpelstilzchen[>
google can basically do what they want on their platform. I'm ok with that, I feel just sorry for the author. Waste of time and power.
<freemangordon>
so I know how it feels like
<freemangordon>
~10 years
<freemangordon>
yep, agree
raub has quit [Quit: Leaving.]
Livio_ has joined #maemo-leste
vgratian has joined #maemo-leste
Livio_ has quit [Ping timeout: 248 seconds]
norayr has joined #maemo-leste
Guest5196 has quit [Remote host closed the connection]
<Wizzup>
I think the change in playback priority I will revert, that was not on purpose
Danct12 has quit [Remote host closed the connection]
<Wizzup>
ah, wait
vagag has left #maemo-leste [Error from remote client]
Danct12 has joined #maemo-leste
Twig has joined #maemo-leste
<Wizzup>
uvos: here are the sphone changes I made to make earpiece audio calls work: https://github.com/maemo-leste/sphone/commits/wip-routehack2 - it lacks the other things we discussed, like using datapipe filters to run the reg reset before calling pulse
<Wizzup>
and it also currently lacks speakerphone+headphone register dumps
<Wizzup>
I also had code somewhere to change the call from say earpiece to speakerphone using the pulse api from sphone, but that code wasn't working yet
Danct12 has quit [Quit: Quitting]
RedW has quit [Ping timeout: 255 seconds]
Danct12 has joined #maemo-leste
Danct12 has quit [Client Quit]
RedW has joined #maemo-leste
Danct12 has joined #maemo-leste
RedW has quit [Ping timeout: 255 seconds]
RedW has joined #maemo-leste
n900 has quit [Ping timeout: 260 seconds]
n900 has joined #maemo-leste
pere has joined #maemo-leste
Twig has quit [Ping timeout: 240 seconds]
mardy has quit [Quit: WeeChat 2.8]
<uvos>
Wizzup: ok check
sunshavi has joined #maemo-leste
uvos has quit [Ping timeout: 272 seconds]
uvos has joined #maemo-leste
sunshavi has quit [Read error: Connection reset by peer]
sunshavi has joined #maemo-leste
Bratch has joined #maemo-leste
branon_ has joined #maemo-leste
tsaebdeleehwxis has joined #maemo-leste
DPA- has joined #maemo-leste
xmn_ has joined #maemo-leste
vgratian has left #maemo-leste [#maemo-leste]
xmn has quit [*.net *.split]
l_bratch has quit [*.net *.split]
sixwheeledbeast has quit [*.net *.split]
norayr has quit [*.net *.split]
luci[m] has quit [*.net *.split]
branon has quit [*.net *.split]
lel has quit [*.net *.split]
DPA has quit [*.net *.split]
lel has joined #maemo-leste
<Wizzup>
uvos: tomorrow I will try to add headphone and speakerphone
<Wizzup>
and if we can then get the triggers in the right order, the hack should mostly just work