Hi!
Are there any plans to verify Alpine according to the process described here:
https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview
On Tue, 16 Nov 2021, Adam H. Kerman wrote:
Pascal W <pascal.wallenius@gmail.com> wrote:
Hi!
Are there any plans to verify Alpine according to the process
described here:
https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview
What does that do for a linux terminal program?
It it used to make sure the program is a verified product from a
legal company. This is not a windows vs. linux issue, but a "legal and >verified program" issue. Please see my reply to Pascal to see more of the >issue and how it can be addressed.
Pascal W <pascal.wallenius@gmail.com> wrote:
Hi!
Are there any plans to verify Alpine according to the process described here:
https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview
What does that do for a linux terminal program?
Are there any plans to verify Alpine according to the process described
here:
https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overview
I understand the hoops that Microsoft wants to make publishers jump
through. I just don't think it's anything a linux user looking for a
program to run in a terminal would expect.
Your thoughts about how a third party could register your program are interesting but I hope that doesn't lead to you losing control of it if anyone did.
This is not Microsoft making users do anything. This is an administrator >asking for proof that Alpine is a good program tat will not try to steal >information or attack their systems. . . .
On Tue, 16 Nov 2021, Pascal W wrote:
Are there any plans to verify Alpine according to the process described here:
https://docs.microsoft.com/en-us/azure/active-directory/develop/publisher-verification-overviewDear Pascal,
in order to do that I would have to create a company. There are a number
of verifications that can be made, so let me explain this.
One verification is that the website that I claim to own I actually own
it. In order to do that I have to create a specific file in my site, and
that is already done. This is typically needed when you want to use a web product from a company, so the user will see their web site in the authorization screen. In the case of Alpine it looks as the image in this site:
https://alpine.x10host.com/alpine/alpine-info/images/OutlookConsentScreen.gif
Note that there is a specific mention of the website in the image.
Alpine is not a web app, so this really does not make much of a difference
in Alpine to do this. However, to give you more context, in the case of Thunderbird, that image says "unverified" (which is even worse!)
So in case I was not clear I will say it again. The image above is only useful to identify apps that use the web to login. In the case of Alpine
that is not the case, so it is mostly informational.
There is another level of verification. In this level the point of view
is that the program (alpine) is a product of a company (which does not
exist in this case). Because of that the level of verification that you
are mentioning is not possible. Alpine has never been a comercial product
of any company, and so this level of verification is not possible, so what you have to explain to your administrators is that
1. Alpine has been verified as a product from the website
alpine.x10host.com, and
2. That Alpine is not a comercial product supported by a company. It is a free software that is is supported by the community, so the full level
of verification that you are asking about is not possible.
However, please note that Alpine can access other comercial servers, and
that there are many other solutions to this issue.
An example of a solution is that your company registers Alpine with
Microsoft in Azure and they give you a client-id, client-secret and use "organization" as the tenant. That way they can authorize that instance of the application. This would work as follows:
1. Your administrators register Alpine as an app in Microsoft. There is
no problem in doing that, anyone can register any app in Microsoft.
There is no violation of copyright. They should use the organization
tenant.
2. They give you the client-id and client-secret information.
3. You enter this information into Alpine by pressing M S U and
modifying the "Outlook" entry.
4. This information that they give you, you keep it secret and do not
share it with anyone. Because of this last step, your administrators
will allow that specific instance of Alpine and no other instance of
Alpine. This will prevent others from attacking the server because
they will not have the necessary information to use Alpine.
There is another way in which people are getting around this and it is by using the client-id and client-secret of Thunderbird. Take a look at this page
https://colinxu.wordpress.com/2021/07/15/connect-alpine-email-client-to-office365-via-oauth2/
In other words, there are ways to solve this issue. If anyone in your administration ever wants to talk to me, share my email address with them.
I will be happy to talk to them and answer their questions.
Good luck.
--
Eduardo
https://tinyurl.com/yc377wlh (web)
http://repo.or.cz/alpine.git (Git)
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 296 |
Nodes: | 16 (2 / 14) |
Uptime: | 51:58:16 |
Calls: | 6,650 |
Calls today: | 2 |
Files: | 12,200 |
Messages: | 5,330,383 |