Contents of /xml/htdocs/proj/en/glep/glep-0012.html

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.5 - (show annotations) (download) (as text)
Sun Oct 14 17:00:15 2007 UTC (11 years, 3 months ago) by antarus
Branch: MAIN
Changes since 1.4: +4 -251 lines
File MIME type: text/html
the canary on 53 went well, changing the rest

1 <?xml version="1.0" encoding="utf-8" ?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
5 <head>
6 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
7 <meta name="generator" content="Docutils 0.4: http://docutils.sourceforge.net/" />
8 <title>GLEP 12 -- Gentoo.org Finger Daemon</title>
9 <link rel="stylesheet" href="tools/glep.css" type="text/css" />
10 </head>
11 <body bgcolor="white">
12 <table class="navigation" cellpadding="0" cellspacing="0"
13 width="100%" border="0">
14 <tr><td class="navicon" width="150" height="35">
15 <a href="http://www.gentoo.org/" title="Gentoo Linux Home Page">
16 <img src="http://www.gentoo.org/images/gentoo-new.gif" alt="[Gentoo]"
17 border="0" width="150" height="35" /></a></td>
18 <td class="textlinks" align="left">
19 [<b><a href="http://www.gentoo.org/">Gentoo Linux Home</a></b>]
20 [<b><a href="http://www.gentoo.org/proj/en/glep">GLEP Index</a></b>]
21 [<b><a href="http://www.gentoo.org/proj/en/glep/glep-0012.txt">GLEP Source</a></b>]
22 </td></tr></table>
23 <table class="rfc2822 docutils field-list" frame="void" rules="none">
24 <col class="field-name" />
25 <col class="field-body" />
26 <tbody valign="top">
27 <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">12</td>
28 </tr>
29 <tr class="field"><th class="field-name">Title:</th><td class="field-body">Gentoo.org Finger Daemon</td>
30 </tr>
31 <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.2</td>
32 </tr>
33 <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0012.txt?cvsroot=gentoo">2004/01/31 21:56:55</a></td>
34 </tr>
35 <tr class="field"><th class="field-name">Author:</th><td class="field-body">Tavis Ormandy &lt;taviso&#32;&#97;t&#32;gentoo.org&gt;</td>
36 </tr>
37 <tr class="field"><th class="field-name">Status:</th><td class="field-body">Rejected</td>
38 </tr>
39 <tr class="field"><th class="field-name">Type:</th><td class="field-body">Standards Track</td>
40 </tr>
41 <tr class="field"><th class="field-name">Created:</th><td class="field-body">10-Aug-2003</td>
42 </tr>
43 <tr class="field"><th class="field-name">Post-History:</th><td class="field-body">11-Aug-2003</td>
44 </tr>
45 </tbody>
46 </table>
47 <hr />
48 <div class="contents topic">
49 <p class="topic-title first"><a id="contents" name="contents">Contents</a></p>
50 <ul class="simple">
51 <li><a class="reference" href="#reason-for-rejection" id="id21" name="id21">Reason for rejection</a></li>
52 <li><a class="reference" href="#abstract" id="id22" name="id22">Abstract</a></li>
53 <li><a class="reference" href="#motivation" id="id23" name="id23">Motivation</a></li>
54 <li><a class="reference" href="#rationale" id="id24" name="id24">Rationale</a></li>
55 <li><a class="reference" href="#implementation-and-security" id="id25" name="id25">Implementation and Security</a></li>
56 <li><a class="reference" href="#example-query" id="id26" name="id26">Example Query</a></li>
57 <li><a class="reference" href="#references" id="id27" name="id27">References</a></li>
58 <li><a class="reference" href="#copyright" id="id28" name="id28">Copyright</a></li>
59 </ul>
60 </div>
61 <div class="section">
62 <h1><a class="toc-backref" href="#id21" id="reason-for-rejection" name="reason-for-rejection">Reason for rejection</a></h1>
63 <p>Information about Gentoo development is already significantly fragmented.
64 Although this GLEP has its merits, the fact that it is a separate source
65 of information, rather than simply another conduit to existing sources
66 of information, poses more problems than it solves. Were this GLEP to
67 be resubmitted/modified so that finger was nothing more than an interface
68 into existing sources of information, it would probably be accepted.</p>
69 </div>
70 <div class="section">
71 <h1><a class="toc-backref" href="#id22" id="abstract" name="abstract">Abstract</a></h1>
72 <p>The finger protocol is documented in rfc742 <a class="footnote-reference" href="#id11" id="id1" name="id1">[1]</a> and rfc1196 <a class="footnote-reference" href="#id12" id="id2" name="id2">[2]</a>, a simple
73 protocol that returns a human readable report about a particular user
74 of the system. Typically, the information returned will be details such as
75 full name, location, etc. These details are entirely optional and are obtained
76 from the system passwd file, which of course can be edited or removed with the
77 standard chfn(1) <a class="footnote-reference" href="#id13" id="id3" name="id3">[3]</a> command.</p>
78 <p>The finger daemon will also return the contents of three files from the users home
79 directory, should they exist and be readable.</p>
80 <blockquote>
81 <ul class="simple">
82 <li>~/.project - which should contain information about the project currently being worked on.</li>
83 <li>~/.plan - which might contain work being done or a TODO style list.</li>
84 <li>~/.pgpkey - which would contain a PGP/GnuPG <a class="footnote-reference" href="#id14" id="id4" name="id4">[4]</a> public key block.</li>
85 </ul>
86 </blockquote>
87 <p>The finger protocol is mature, secure and widely used in the UNIX community.
88 There are clients available for all major operating systems, and web-based
89 clients for those that dont.</p>
90 </div>
91 <div class="section">
92 <h1><a class="toc-backref" href="#id23" id="motivation" name="motivation">Motivation</a></h1>
93 <p>Gentoo developers are already aware of the importance of User Relations <a class="footnote-reference" href="#id19" id="id5" name="id5">[9]</a> .</p>
94 <p>It is essential to keep the community up to date with current goals, status
95 updates, and information from the development team. Currently it is suggested
96 users track mailing lists, monitor the Gentoo bugzilla, developer IRC
97 channels and cvs commits.</p>
98 <p>While the resources to track developer progress and activity are made
99 available to users, they are not in a form usable to many people. Keeping
100 track of development is a tedious challenge, even for developers. For
101 non-technical users wishing to track the progress of a developer, using
102 mailing lists and bugzilla may not be a practical option.</p>
103 <p>Developers may also need a way to quickly find out the progress or activity of
104 other developers, different time zones sometimes makes it difficult for
105 developers to catch each other on IRC, and making already high-volume mailing
106 lists even more cluttered with status updates is not desirable.</p>
107 <p>A method that would allow individual developers to keep a log of their
108 activities and plans that were instantly accesible to anyone who was
109 interested would be desirable, I propose running a finger daemon on
110 gentoo.org, or dev.gentoo.org and forwarding requests there from gentoo.org.</p>
111 <p>Running a developer finger daemon would improve inter developer communication,
112 user communication and relations, and reduce workload on developers who have to
113 respond to queries from users on project status updates.</p>
114 <p>In the future, it is foreseen that portage will require a cryptographically
115 secure means of verifying ebuilds aquired from an rsync mirror are identical
116 to those checked into the portage tree by a developer <a class="footnote-reference" href="#id20" id="id6" name="id6">[10]</a> . Making developer keys
117 available to users for manually checking the integrity of files, or patches
118 sent to them is important. It has long been known that encouraging the
119 use of gpg among developers is desirable <a class="footnote-reference" href="#id15" id="id7" name="id7">[5]</a> .</p>
120 <p>Should a security vulnerability of a serious nature ever be reported,
121 standard procedure <a class="footnote-reference" href="#id16" id="id8" name="id8">[6]</a> is to inform vendors before releasing the information
122 to full disclosure security discussion lists. Making the relevant maintainer's
123 key easily obtainable will allow reporters to encrypt their reports.</p>
124 </div>
125 <div class="section">
126 <h1><a class="toc-backref" href="#id24" id="rationale" name="rationale">Rationale</a></h1>
127 <p>Providing a finger daemon will allow users to instantly access information on
128 developers, and all details of that developers current projects that they decide
129 to share.</p>
130 <p>GPG keys for all developers will be instantly availble, and the output of the
131 finger <a class="reference" href="mailto:devname&#64;gentoo.org">devname&#64;gentoo.org</a> command can be piped into gpg --import to instantly
132 add it to the users keyring.</p>
133 <p>The following projects use finger for user-developer communications,:</p>
134 <pre class="literal-block">
135 Latest kernel releases, and developer information.
136 $ finger &#64;kernel.org
138 Developers and organisers are encouraged to keep .plans about their
139 activity.
140 $ finger nugget&#64;distributed.net
142 Latest NASA news, and information from engineers.
143 $ finger nasanews&#64;space.mit.edu
145 Slackware developers.
146 $ finger volkerdi&#64;slackware.com
148 FreeBSD developers.
149 $ finger nakai&#64;freebsd.org
150 </pre>
151 </div>
152 <div class="section">
153 <h1><a class="toc-backref" href="#id25" id="implementation-and-security" name="implementation-and-security">Implementation and Security</a></h1>
154 <p>Some admins are concerned about the security of running a finger daemon on their
155 machines, the class of security issues involved with the finger protocol are
156 commonly referred to as &quot;information leaks&quot; <a class="footnote-reference" href="#id17" id="id9" name="id9">[7]</a>.</p>
157 <p>This means an attacker may be able to use a finger daemon to identify valid
158 accounts on their target, which they would then try to obtain access to.</p>
159 <p>This scenario does not apply to this implementation, as the gentoo developer
160 names are already well publicised. <a class="footnote-reference" href="#id18" id="id10" name="id10">[8]</a></p>
161 <p>No security issues have ever been reported with the fingerd available in gentoo
162 portage. Finger is used worldwide by universities, unix systems, and development
163 projects.</p>
164 <p>Adding dummy users, will be trivial and allow projects such as gentoo-docs,
165 gentoo-alpha, gentoo-ppc, etc to maintain .plans and .projects. This will allow
166 the projects to maintain more technical details or status updates not suitable
167 for their project webpages.</p>
168 <p>Adding data to a plan is a lot simpler than updating webpages.</p>
169 </div>
170 <div class="section">
171 <h1><a class="toc-backref" href="#id26" id="example-query" name="example-query">Example Query</a></h1>
172 <p>Should a user want information about the author, this might be the output of
173 a finger query:</p>
174 <pre class="literal-block">
175 $ finger taviso&#64;gentoo.org
176 Login: taviso Name: Tavis Ormandy
177 Directory: /home/taviso Shell: /bin/bash
178 Last login: dd-mmm-yyyy
179 Mail last read dd-mmm-yyy
180 Project:
182 Currently working on implementing XXX, and porting XXX to XXX.
184 Plan:
186 dd-mmm-yyyy
188 Investigating bug #12345, testing patch provided in #12236
190 Write documentation for new features in XXX.
192 dd-mmm-yyyy
194 Contact acmesoft regarding license for xxx in portage.
196 PGP Key:
199 Version: GnuPG v1.2.1 (Linux)
200 (...)
202 </pre>
203 </div>
204 <div class="section">
205 <h1><a class="toc-backref" href="#id27" id="references" name="references">References</a></h1>
206 <table class="docutils footnote" frame="void" id="id11" rules="none">
207 <colgroup><col class="label" /><col /></colgroup>
208 <tbody valign="top">
209 <tr><td class="label"><a class="fn-backref" href="#id1" name="id11">[1]</a></td><td><a class="reference" href="http://www.ietf.org/rfc/rfc0742.txt">http://www.ietf.org/rfc/rfc0742.txt</a></td></tr>
210 </tbody>
211 </table>
212 <table class="docutils footnote" frame="void" id="id12" rules="none">
213 <colgroup><col class="label" /><col /></colgroup>
214 <tbody valign="top">
215 <tr><td class="label"><a class="fn-backref" href="#id2" name="id12">[2]</a></td><td><a class="reference" href="http://www.ietf.org/rfc/rfc1196.txt">http://www.ietf.org/rfc/rfc1196.txt</a></td></tr>
216 </tbody>
217 </table>
218 <table class="docutils footnote" frame="void" id="id13" rules="none">
219 <colgroup><col class="label" /><col /></colgroup>
220 <tbody valign="top">
221 <tr><td class="label"><a class="fn-backref" href="#id3" name="id13">[3]</a></td><td><a class="reference" href="http://www.gentoo.org/dyn/pkgs/sys-apps/shadow.xml">http://www.gentoo.org/dyn/pkgs/sys-apps/shadow.xml</a></td></tr>
222 </tbody>
223 </table>
224 <table class="docutils footnote" frame="void" id="id14" rules="none">
225 <colgroup><col class="label" /><col /></colgroup>
226 <tbody valign="top">
227 <tr><td class="label"><a class="fn-backref" href="#id4" name="id14">[4]</a></td><td><a class="reference" href="http://www.gnupg.org">http://www.gnupg.org</a></td></tr>
228 </tbody>
229 </table>
230 <table class="docutils footnote" frame="void" id="id15" rules="none">
231 <colgroup><col class="label" /><col /></colgroup>
232 <tbody valign="top">
233 <tr><td class="label"><a class="fn-backref" href="#id7" name="id15">[5]</a></td><td>&lt;<a class="reference" href="mailto:20030629040521.4316b135.seemant&#64;gentoo.org">20030629040521.4316b135.seemant&#64;gentoo.org</a>&gt;</td></tr>
234 </tbody>
235 </table>
236 <table class="docutils footnote" frame="void" id="id16" rules="none">
237 <colgroup><col class="label" /><col /></colgroup>
238 <tbody valign="top">
239 <tr><td class="label"><a class="fn-backref" href="#id8" name="id16">[6]</a></td><td><a class="reference" href="http://www.oisafety.org/process.html">http://www.oisafety.org/process.html</a></td></tr>
240 </tbody>
241 </table>
242 <table class="docutils footnote" frame="void" id="id17" rules="none">
243 <colgroup><col class="label" /><col /></colgroup>
244 <tbody valign="top">
245 <tr><td class="label"><a class="fn-backref" href="#id9" name="id17">[7]</a></td><td><a class="reference" href="http://search.linuxsecurity.com/cgi-bin/htsearch?words=information%20leak">http://search.linuxsecurity.com/cgi-bin/htsearch?words=information%20leak</a></td></tr>
246 </tbody>
247 </table>
248 <table class="docutils footnote" frame="void" id="id18" rules="none">
249 <colgroup><col class="label" /><col /></colgroup>
250 <tbody valign="top">
251 <tr><td class="label"><a class="fn-backref" href="#id10" name="id18">[8]</a></td><td><a class="reference" href="http://www.gentoo.org/main/en/devlist.xml">http://www.gentoo.org/main/en/devlist.xml</a></td></tr>
252 </tbody>
253 </table>
254 <table class="docutils footnote" frame="void" id="id19" rules="none">
255 <colgroup><col class="label" /><col /></colgroup>
256 <tbody valign="top">
257 <tr><td class="label"><a class="fn-backref" href="#id5" name="id19">[9]</a></td><td><a class="reference" href="http://www.gentoo.org/proj/en/devrel/user-relations.xml">http://www.gentoo.org/proj/en/devrel/user-relations.xml</a></td></tr>
258 </tbody>
259 </table>
260 <table class="docutils footnote" frame="void" id="id20" rules="none">
261 <colgroup><col class="label" /><col /></colgroup>
262 <tbody valign="top">
263 <tr><td class="label"><a class="fn-backref" href="#id6" name="id20">[10]</a></td><td><a class="reference" href="http://www.gentoo.org/news/en/gwn/20030407-newsletter.xml">http://www.gentoo.org/news/en/gwn/20030407-newsletter.xml</a></td></tr>
264 </tbody>
265 </table>
266 </div>
267 <div class="section">
268 <h1><a class="toc-backref" href="#id28" id="copyright" name="copyright">Copyright</a></h1>
269 <p>This document is released under the Open Publications License.</p>
270 </div>
272 </div>
273 <div class="footer">
274 <hr class="footer" />
275 <a class="reference" href="glep-0012.txt">View document source</a>.
276 Generated on: 2007-10-13 13:39 UTC.
277 Generated by <a class="reference" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
279 </div>
280 </body>
281 </html>

  ViewVC Help
Powered by ViewVC 1.1.20