Looking at how the credentials are stored in the .rc file, perhaps this could be improved on with encryption, or using something like the Keyring within Gnome.
For a more multi-platform solution, Google OAuth authenticates your app directly against the user account, which grants you a token that you use, eliminating the need to store the password. Not sure if any of this helps, just thought I'd mention it :)
I've considered it. Windows has no similar (to gnome-keyring) utility, unfortunately, and I haven't figured out how to get at the gnome and kde keyrings from Python (although there's surely a way).
To be honest though, the security is fairly irrelevant -- the file is chmod'd to be read by only your user on both Windows and Linux, and almost everyone is only as secure as their login password or physical access to the machine anyhow (most browsers, for example, remember (for most of us) how to log in to your Google account, and most don't use a browser master password). Any 'encryption' in the rc file would either have to be simply obfuscation (which is 'security theatre' -- it won't help against any but the dumbest of attackers), or require an extra password anyhow.
I will probably be adding an option to simply enter your password on startup instead of saving it in the file, though, for the more paranoid. :)
OAuth is interesting, I've never really looked into it. I'd have to play with it to see if it works. Calendar and Contacts are the only two Google APIs I use that are actually 'official', and there's certain authorization things I use that are, well, kind of hacks :)
I'll leave this request open though, as it's certainly something to think about.
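The owner-only rc file described in the reply above, as an added example that is not part of the thread or the project's code: it creates the file with mode 0600 from the first byte instead of chmod-ing it afterwards, and refuses to load it if the mode or owner has drifted. It is POSIX-only, and the `key = value` layout and function names are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def write_rc(path, username, password):
    """Write credentials so the file is never readable by anyone but the owner."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with mode 0600, so there is no window in which
    # the secret sits in a world-readable file waiting for a later chmod.
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("username = %s\npassword = %s\n" % (username, password))
        os.replace(tmp, path)  # atomic swap; the 0600 mode travels with the file
    except BaseException:
        os.unlink(tmp)
        raise


def mode_problems(st):
    """Return the reasons a stat result is unacceptable (empty list means OK)."""
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.getuid():
        problems.append("owned by another user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other bits set (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems


def read_rc(path):
    """Load the rc file, refusing it if permissions are looser than 0600."""
    # O_NOFOLLOW rejects a symlink planted at the path; checking with fstat on
    # the open descriptor means the file checked is the file that gets read.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd) as fh:
        problems = mode_problems(os.fstat(fh.fileno()))
        if problems:
            raise PermissionError("%s: %s" % (path, "; ".join(problems)))
        pairs = (line.rstrip("\n").split(" = ", 1) for line in fh if " = " in line)
        return dict(pairs)
```

This only narrows who can read the file; anything running as the same user, or anyone with the login password or the disk, still reads the password in the clear.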
It appears Windows has a function that allows you to encrypt based on the login credentials. It seems fairly secure. I've implemented it in SVN (along with kwallet and gnome-keyring support), closing this, will be in 1.2.
more info at http://code.google.com/apis/accounts/docs/OAuthForInstalledApps.html