emacs-devel

auth-source change default spec


From: Tim Cross
Subject: auth-source change default spec
Date: Sat, 28 Apr 2012 10:45:37 +1000

I've recently run into a minor problem with the auth-source library
which I think is due to the default SPEC for auth-sources. I wanted
some feedback before logging a bug request and also wanted to make this
possible issue visible asap given the need to get defaults sorted for
the next release.

The current default sources spec (taken from recent emacs bzr sources) is

("~/.authinfo" "~/.authinfo.gpg" "~/.netrc")

I think it should be changed to have .authinfo.gpg first in the list.
The reason is that if you already have a .authinfo.gpg file and then
attempt to access a resource for which you don't yet have credentials
and the search criteria specifies the :create option, because
.authinfo is first, it will attempt to save the credentials in the
.authinfo file and not .authinfo.gpg. If you have things configured to
ask if you want to save (the default) it will ask if you want to save
to .authinfo even when it is aware you have a .authinfo.gpg file. It
does not appear to give you an option to change this.  If you just
accept the defaults and you do use .authinfo.gpg, things will break
when you add new credentials because it will create a .authinfo file.
Subsequent searches will never see the credentials you already have in
your .authinfo.gpg file as the search stops once it has found the .authinfo
file.

I also think that putting the GPG version first would encourage better
practices. On many systems, especially GNU Linux, gpg will already be
installed. I guess it may be an issue on other platforms, but still
think it is better to go for the more secure solution as the default,
even if that does create some additional work for those who don't want
to bother with encryption and are happy with a less secure approach.

If this is not acceptable, I think the auth-source library may need to
be enhanced so that it defaults to the gpg version of the file for
saving when it knows one already exists.

Tim


-- 
Tim Cross
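
A check for the situation described in the message above, added here as an example and not part of the original post or of auth-source itself: it reports when a plaintext file entry in `auth-sources` is ordered ahead of an encrypted file that already exists, and lists plaintext credential files present on disk. The `my/` function names are hypothetical; the `.gpg` suffix test is an assumption about how encrypted files are named.

```elisp
;; Added example, not code from auth-source.  All `my/' names are hypothetical.
(require 'auth-source)
(require 'seq)

(defun my/auth-source-file-entries (sources)
  "Return the file names in SOURCES, in order.
Handles plain strings and plists whose :source is a string;
other entries (symbols, non-file backends) are skipped."
  (delq nil
        (mapcar (lambda (s)
                  (cond ((stringp s) s)
                        ((and (consp s) (stringp (plist-get s :source)))
                         (plist-get s :source))))
                sources)))

(defun my/auth-source-encrypted-p (file)
  "Non-nil if FILE is named like a GPG-encrypted file (assumption: .gpg suffix)."
  (string-suffix-p ".gpg" file))

(defun my/auth-source-audit (&optional sources)
  "Return a list of warning strings for SOURCES (default `auth-sources')."
  (let* ((files (my/auth-source-file-entries (or sources auth-sources)))
         (first-plain (seq-find (lambda (f)
                                  (not (my/auth-source-encrypted-p f)))
                                files))
         (existing-gpg (seq-find (lambda (f)
                                   (and (my/auth-source-encrypted-p f)
                                        (file-exists-p (expand-file-name f))))
                                 files))
         warnings)
    ;; The ordering the post complains about: a plaintext entry listed
    ;; before an encrypted file that is already in use.
    (when (and first-plain existing-gpg
               (< (seq-position files first-plain)
                  (seq-position files existing-gpg)))
      (push (format "%s is listed before existing %s" first-plain existing-gpg)
            warnings))
    ;; Plaintext credential files that are actually present on disk.
    (dolist (f files)
      (when (and (not (my/auth-source-encrypted-p f))
                 (file-exists-p (expand-file-name f)))
        (push (format "%s exists and is not encrypted" f) warnings)))
    (nreverse warnings)))

;; Ordering proposed in the post, set per user until the default changes:
;; (setq auth-sources '("~/.authinfo.gpg" "~/.authinfo" "~/.netrc"))
;; (my/auth-source-audit)  ; returns nil when nothing is flagged
```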


