Hi!

Are there any plans to verify Alpine according to the process described here:

https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview

Thanks,
Pascal

Pascal W <pascal.wallenius@gmail.com> wrote:

>Hi!

>Are there any plans to verify Alpine according to the process described here:

>https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview

What does that do for a linux terminal program?

On Tue, 16 Nov 2021, Pascal W wrote:

> Are there any plans to verify Alpine according to the process described
> here:
>
> https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview

Dear Pascal,

in order to do that I would have to create a company. There are a number
of verifications that can be made, so let me explain this.

One verification is that the website that I claim to own I actually own
it. In order to do that I have to create a specific file in my site, and
that is already done. This is typically needed when you want to use a web
product from a company, so the user will see their web site in the
authorization screen. In the case of Alpine it looks as the image in this
site:

https://alpine.x10host.com/alpine/alpine-info/images/OutlookConsentScreen.gif

Note that there is a specific mention of the website in the image.
Alpine is not a web app, so this really does not make much of a difference
in Alpine to do this. However, to give you more context, in the case of
Thunderbird, that image says "unverified" (which is even worse!)

So in case I was not clear I will say it again. The image above is only
useful to identify apps that use the web to login. In the case of Alpine
that is not the case, so it is mostly informational.

There is another level of verification. In this level the point of view
is that the program (alpine) is a product of a company (which does not
exist in this case). Because of that the level of verification that you
are mentioning is not possible. Alpine has never been a comercial product
of any company, and so this level of verification is not possible, so what
you have to explain to your administrators is that

1. Alpine has been verified as a product from the website
alpine.x10host.com, and

2. That Alpine is not a comercial product supported by a company. It is a
free software that is is supported by the community, so the full level
of verification that you are asking about is not possible.

However, please note that Alpine can access other comercial servers, and
that there are many other solutions to this issue.

An example of a solution is that your company registers Alpine with
Microsoft in Azure and they give you a client-id, client-secret and use
"organization" as the tenant. That way they can authorize that instance of
the application. This would work as follows:

1. Your administrators register Alpine as an app in Microsoft. There is
no problem in doing that, anyone can register any app in Microsoft.
There is no violation of copyright. They should use the organization
tenant.

2. They give you the client-id and client-secret information.

3. You enter this information into Alpine by pressing M S U and
modifying the "Outlook" entry.

4. This information that they give you, you keep it secret and do not
share it with anyone. Because of this last step, your administrators
will allow that specific instance of Alpine and no other instance of
Alpine. This will prevent others from attacking the server because
they will not have the necessary information to use Alpine.

There is another way in which people are getting around this and it is by
using the client-id and client-secret of Thunderbird. Take a look at this
page

https://colinxu.wordpress.com/2021/07/15/connect-alpine-email-client-to-office365-via-oauth2/

In other words, there are ways to solve this issue. If anyone in your
administration ever wants to talk to me, share my email address with them.
I will be happy to talk to them and answer their questions.

Good luck.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)

On Tue, 16 Nov 2021, Adam H. Kerman wrote:

> Pascal W <pascal.wallenius@gmail.com> wrote:
>
>> Hi!
>
>> Are there any plans to verify Alpine according to the process described here:
>
>> https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview
>
> What does that do for a linux terminal program?

It it used to make sure the program is a verified product from a
legal company. This is not a windows vs. linux issue, but a "legal and
verified program" issue. Please see my reply to Pascal to see more of the
issue and how it can be addressed.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)

Eduardo Chappa <chappa@washington.edu> wrote:
>On Tue, 16 Nov 2021, Adam H. Kerman wrote:
>>Pascal W <pascal.wallenius@gmail.com> wrote:

>>>Hi!

>>>Are there any plans to verify Alpine according to the process
>>>described here:

>>>https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview

>>What does that do for a linux terminal program?

>It it used to make sure the program is a verified product from a
>legal company. This is not a windows vs. linux issue, but a "legal and
>verified program" issue. Please see my reply to Pascal to see more of the
>issue and how it can be addressed.

I understand the hoops that Microsoft wants to make publishers jump
through. I just don't think it's anything a linux user looking for a
program to run in a terminal would expect.

It's undesireable. On my Windows 8.1 machine, I lost access to the
manufacturer's driver for the video screen and have been using a generic
driver published by Microsoft without going through a special startup
procedure that allows me to override the security protocol.

Just because Microsoft makes these demands doesn't mean that
manufacturers and programmers expect to comply or that the user gets a
better result.

Your thoughts about how a third party could register your program are
interesting but I hope that doesn't lead to you losing control of it if
anyone did.

On Tue, 16 Nov 2021, Adam H. Kerman wrote:

> I understand the hoops that Microsoft wants to make publishers jump
> through. I just don't think it's anything a linux user looking for a
> program to run in a terminal would expect.

This is not Microsoft making users do anything. This is an administrator
asking for proof that Alpine is a good program tat will not try to steal
information or attack their systems. This is completely reasonable. The
problem is that the administrator cannot know if Alpine is a legitimate
program because Alpine is not one of the main programs that people use.
This is an obscure program that the administrator might not know, so it is
reasonable to ask questions about it.

To make it clear, if anyone ever has questions about Alpine I will be
happy to help answering them.

> Your thoughts about how a third party could register your program are
> interesting but I hope that doesn't lead to you losing control of it if
> anyone did.

I do not find any problem with anyone registering Alpine to get a
client-id and client-secret if that will help them access their email.
Anyone should be able to do this.

--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)

Eduardo Chappa <chappa@washington.edu> wrote:

>This is not Microsoft making users do anything. This is an administrator
>asking for proof that Alpine is a good program tat will not try to steal
>information or attack their systems. . . .

Fair enough.

Eduardo, thanks for taking the time to write all that and explain! /Pascal

On Tuesday, November 16, 2021 at 6:20:30 PM UTC+1, Eduardo Chappa wrote:
> On Tue, 16 Nov 2021, Pascal W wrote:
>
> > Are there any plans to verify Alpine according to the process described
> > here:
> >
> > https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview
> Dear Pascal,
>
> in order to do that I would have to create a company. There are a number
> of verifications that can be made, so let me explain this.
>
> One verification is that the website that I claim to own I actually own
> it. In order to do that I have to create a specific file in my site, and
> that is already done. This is typically needed when you want to use a web
> product from a company, so the user will see their web site in the
> authorization screen. In the case of Alpine it looks as the image in this
> site:
>
> https://alpine.x10host.com/alpine/alpine-info/images/OutlookConsentScreen.gif
>
> Note that there is a specific mention of the website in the image.
> Alpine is not a web app, so this really does not make much of a difference
> in Alpine to do this. However, to give you more context, in the case of
> Thunderbird, that image says "unverified" (which is even worse!)
>
> So in case I was not clear I will say it again. The image above is only
> useful to identify apps that use the web to login. In the case of Alpine
> that is not the case, so it is mostly informational.
>
> There is another level of verification. In this level the point of view
> is that the program (alpine) is a product of a company (which does not
> exist in this case). Because of that the level of verification that you
> are mentioning is not possible. Alpine has never been a comercial product
> of any company, and so this level of verification is not possible, so what
> you have to explain to your administrators is that
>
> 1. Alpine has been verified as a product from the website
> alpine.x10host.com, and
>
> 2. That Alpine is not a comercial product supported by a company. It is a
> free software that is is supported by the community, so the full level
> of verification that you are asking about is not possible.
>
> However, please note that Alpine can access other comercial servers, and
> that there are many other solutions to this issue.
>
> An example of a solution is that your company registers Alpine with
> Microsoft in Azure and they give you a client-id, client-secret and use
> "organization" as the tenant. That way they can authorize that instance of
> the application. This would work as follows:
>
> 1. Your administrators register Alpine as an app in Microsoft. There is
> no problem in doing that, anyone can register any app in Microsoft.
> There is no violation of copyright. They should use the organization
> tenant.
>
> 2. They give you the client-id and client-secret information.
>
> 3. You enter this information into Alpine by pressing M S U and
> modifying the "Outlook" entry.
>
> 4. This information that they give you, you keep it secret and do not
> share it with anyone. Because of this last step, your administrators
> will allow that specific instance of Alpine and no other instance of
> Alpine. This will prevent others from attacking the server because
> they will not have the necessary information to use Alpine.
>
> There is another way in which people are getting around this and it is by
> using the client-id and client-secret of Thunderbird. Take a look at this
> page
>
> https://colinxu.wordpress.com/2021/07/15/connect-alpine-email-client-to-office365-via-oauth2/
>
> In other words, there are ways to solve this issue. If anyone in your
> administration ever wants to talk to me, share my email address with them.
> I will be happy to talk to them and answer their questions.
>
> Good luck.
>
> --
> Eduardo
> https://tinyurl.com/yc377wlh (web)
> http://repo.or.cz/alpine.git (Git)