--- xml/htdocs/proj/en/glep/glep-0012.html 2004/01/31 21:56:55 1.2 +++ xml/htdocs/proj/en/glep/glep-0012.html 2006/10/10 20:25:14 1.3 @@ -8,9 +8,252 @@ --> - + GLEP 12 -- Gentoo.org Finger Daemon - + -
- +
@@ -33,9 +275,9 @@ - + - + @@ -50,8 +292,8 @@
Title:Gentoo.org Finger Daemon
Version:1.1
Version:1.2
Last-Modified:2003/08/11 14:32:44
Last-Modified:2004/01/31 21:56:55
Author:Tavis Ormandy <taviso at gentoo.org>

-
-

Contents

+ -
-

Reason for rejection

+
+

Reason for rejection

Information about Gentoo development is already significantly fragmented. Although this GLEP has its merits, the fact that it is a separate source -of information, rather than simply another conduit to existing sources +of information, rather than simply another conduit to existing sources of information, poses more problems than it solves. Were this GLEP to be resubmitted/modified so that finger was nothing more than an interface into existing sources of information, it would probably be accepted.

-
-

Abstract

+
+

Abstract

The finger protocol is documented in rfc742 [1] and rfc1196 [2], a simple protocol that returns a human readable report about a particular user of the system. Typically, the information returned will be details such as @@ -93,10 +335,10 @@ There are clients available for all major operating systems, and web-based clients for those that dont.

-
-

Motivation

+
+

Motivation

Gentoo developers are already aware of the importance of User Relations [9] .

-

It is essential to keep the community up to date with current goals, status +

It is essential to keep the community up to date with current goals, status updates, and information from the development team. Currently it is suggested users track mailing lists, monitor the Gentoo bugzilla, developer IRC channels and cvs commits.

@@ -113,27 +355,27 @@ activities and plans that were instantly accesible to anyone who was interested would be desirable, I propose running a finger daemon on gentoo.org, or dev.gentoo.org and forwarding requests there from gentoo.org.

-

Running a developer finger daemon would improve inter developer communication, -user communication and relations, and reduce workload on developers who have to +

Running a developer finger daemon would improve inter developer communication, +user communication and relations, and reduce workload on developers who have to respond to queries from users on project status updates.

-

In the future, it is foreseen that portage will require a cryptographically -secure means of verifying ebuilds aquired from an rsync mirror are identical -to those checked into the portage tree by a developer [10] . Making developer keys -available to users for manually checking the integrity of files, or patches -sent to them is important. It has long been known that encouraging the +

In the future, it is foreseen that portage will require a cryptographically +secure means of verifying ebuilds aquired from an rsync mirror are identical +to those checked into the portage tree by a developer [10] . Making developer keys +available to users for manually checking the integrity of files, or patches +sent to them is important. It has long been known that encouraging the use of gpg among developers is desirable [5] .

-

Should a security vulnerability of a serious nature ever be reported, -standard procedure [6] is to inform vendors before releasing the information -to full disclosure security discussion lists. Making the relevant maintainer's +

Should a security vulnerability of a serious nature ever be reported, +standard procedure [6] is to inform vendors before releasing the information +to full disclosure security discussion lists. Making the relevant maintainer's key easily obtainable will allow reporters to encrypt their reports.

-
-

Rationale

-

Providing a finger daemon will allow users to instantly access information on -developers, and all details of that developers current projects that they decide +

+

Rationale

+

Providing a finger daemon will allow users to instantly access information on +developers, and all details of that developers current projects that they decide to share.

-

GPG keys for all developers will be instantly availble, and the output of the -finger devname@gentoo.org command can be piped into gpg --import to instantly +

GPG keys for all developers will be instantly availble, and the output of the +finger devname@gentoo.org command can be piped into gpg --import to instantly add it to the users keyring.

The following projects use finger for user-developer communications,:
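Review bot: In the Rationale paragraph of this hunk, the advice to pipe the output of "finger devname@gentoo.org" into "gpg --import" gives the user no way to authenticate the key. Finger is a cleartext protocol with no server authentication, so a key fetched this way is only as trustworthy as the network path it crossed. The Motivation paragraphs rely on these keys for verifying ebuilds and for encrypting vulnerability reports, so the text should tell users to compare the imported key's fingerprint against one obtained through a separate channel before trusting it. While these lines are being touched for whitespace, the spellings "accesible", "aquired" and "availble" could be corrected as well.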

@@ -145,7 +387,7 @@
 $ finger nugget@distributed.net
 
 Latest NASA news, and information from engineers.
-$ finger nasanews@space.mit.edu 
+$ finger nasanews@space.mit.edu
 
 Slackware developers.
 $ finger volkerdi@slackware.com
@@ -154,34 +396,34 @@
 $ finger nakai@freebsd.org
 
-
-

Implementation and Security

-

Some admins are concerned about the security of running a finger daemon on their -machines, the class of security issues involved with the finger protocol are +

+

Implementation and Security

+

Some admins are concerned about the security of running a finger daemon on their +machines, the class of security issues involved with the finger protocol are commonly referred to as "information leaks" [7].

-

This means an attacker may be able to use a finger daemon to identify valid +

This means an attacker may be able to use a finger daemon to identify valid accounts on their target, which they would then try to obtain access to.

-

This scenario does not apply to this implementation, as the gentoo developer +

This scenario does not apply to this implementation, as the gentoo developer names are already well publicised. [8]

-

No security issues have ever been reported with the fingerd available in gentoo -portage. Finger is used worldwide by universities, unix systems, and development +

No security issues have ever been reported with the fingerd available in gentoo +portage. Finger is used worldwide by universities, unix systems, and development projects.

Adding dummy users, will be trivial and allow projects such as gentoo-docs, -gentoo-alpha, gentoo-ppc, etc to maintain .plans and .projects. This will allow -the projects to maintain more technical details or status updates not suitable +gentoo-alpha, gentoo-ppc, etc to maintain .plans and .projects. This will allow +the projects to maintain more technical details or status updates not suitable for their project webpages.

Adding data to a plan is a lot simpler than updating webpages.

-
-

Example Query

-

Should a user want information about the author, this might be the output of +

+

Example Query

+

Should a user want information about the author, this might be the output of a finger query:

-$ finger taviso@gentoo.org 
-Login: taviso                  Name: Tavis Ormandy 
-Directory: /home/taviso        Shell: /bin/bash 
-Last login: dd-mmm-yyyy 
-Mail last read dd-mmm-yyy 
+$ finger taviso@gentoo.org
+Login: taviso                  Name: Tavis Ormandy
+Directory: /home/taviso        Shell: /bin/bash
+Last login: dd-mmm-yyyy
+Mail last read dd-mmm-yyy
 Project:
 
 Currently working on implementing XXX, and porting XXX to XXX.
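Review bot: The Implementation and Security text in this hunk treats the finger information leak only as account-name enumeration, but the Example Query output also returns the home directory, login shell, last login time and mail-last-read time. The argument that developer names are already publicised does not cover those fields, so the section should either state that the daemon will serve only the plan, project and key data, or explain why exposing login activity is acceptable. The claim that no security issues have ever been reported with the fingerd in portage carries no reference, unlike the neighbouring paragraphs, and should get one. The placeholder "dd-mmm-yyy" on the "Mail last read" line is also one "y" short of the "dd-mmm-yyyy" used on the line above it.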
@@ -190,7 +432,7 @@
 
 dd-mmm-yyyy
 
-Investigating bug #12345, testing patch provided in #12236 
+Investigating bug #12345, testing patch provided in #12236
 
 Write documentation for new features in XXX.
 
@@ -198,88 +440,89 @@
 
 Contact acmesoft regarding license for xxx in portage.
 
-PGP Key: 
+PGP Key:
 
------BEGIN PGP PUBLIC KEY BLOCK----- 
-Version: GnuPG v1.2.1 (Linux) 
-(...) 
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.2.1 (Linux)
+(...)
 -----END PGP PUBLIC KEY BLOCK-----
 
- - - +