[MlMt] Notes on latest test release and Gmail OAuth application verification

Tue Apr 30 10:56:05 EDT 2019

Hi MailMate users,

I know I'm behind on answering emails (also on the mailing list), but it 
doesn't mean I'm not working :)

## WKWebView

Right now I'd just like to note that I'm busy working on replacing the 
main message view in MailMate. It currently uses the so-called WebView 
class provided by Apple, but this was deprecated a long time ago (by 
Apple) and it should be replaced by a so-called WKWebView. Both classes 
are used to display HTML (which MailMate also generates to display plain 
text messages) and if that is all that is needed then it's a simple 
replacement. But MailMate also has image blocking, context sensitive 
menus, text search, etc. and all of this has to work in a completely 
different way. In some cases, it's not even clear that I can provide the 
same features as before. We'll see about that. WKWebView is 10.10+, but 
right now it looks like image blocking can only work on 10.13+. I'm not 
quite sure what to do about that yet...

The latest test release includes the new message view, but it's disabled 
for now because too many things don't work yet. I'm mainly writing about 
this since some changes might also affect the old message view in the 
latest test release.

The good news is that when the replacement is finished then I should, at 
least in theory, be able to fix various old issues.

## Google OAuth API Application Verification

MailMate uses the so-called OAuth2 authentication method for Gmail 
IMAP/SMTP access. This works far better than password-based access which 
I suspect is eventually going to be dropped completely by Google. I had 
(and still have) some reservations about OAuth2 support which I outlined 
in [this blog 
post](https://blog.freron.com/2015/is-oauth2-support-a-good-thing/). I 
expressed that I worried that Google would some day use OAuth2 to “hit 
the kill switch” on MailMate...

...and recently I was told by Google that I needed to start a 
verification process for MailMate. I've done that and if I understand 
correctly I have until the end of 2019 to complete this process.

Now, the problem is that I'm not really sure I can (or is willing to) 
complete the verification process at all. It *might* include a security 
audit with a price tag between $15000 and $75000+ (I'm clearly in the 
wrong business). There seems to be exemptions for desktop email 
applications and I've asked Google to clarify this, but I also feel that 
I'm obligated to tell my users that I think it's a potential risk that 
MailMate cannot support Gmail starting January 1st, 2020. As soon as I 
fully understand what's going to happen, I'll make sure to clearly state 
it wherever it's relevant on the homepage and in the documentation.

Here's a [link to the Google 
FAQ](https://support.google.com/cloud/answer/9110914) on the subject if 
anyone is interested.

-- 
Benny
https://freron.com/become_a_mailmate_patron/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freron.com/pipermail/mailmate/attachments/20190430/0fe7f215/attachment.html>