1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
|
---
GLEP: 12
Title: Gentoo.org Finger Daemon
Author: Tavis Ormandy <taviso@gentoo.org>
Type: Standards Track
Status: Rejected
Version: 1
Created: 2003-08-10
Last-Modified: 2017-11-04
Post-History: 2003-08-11
Content-Type: text/x-rst
---
Reason for rejection
====================
Information about Gentoo development is already significantly fragmented.
Although this GLEP has its merits, the fact that it is a separate source
of information, rather than simply another conduit to existing sources
of information, poses more problems than it solves. Were this GLEP to
be resubmitted/modified so that finger was nothing more than an interface
into existing sources of information, it would probably be accepted.
Abstract
========
The finger protocol is documented in rfc742 [1]_ and rfc1196 [2]_, a simple
protocol that returns a human readable report about a particular user
of the system. Typically, the information returned will be details such as
full name, location, etc. These details are entirely optional and are obtained
from the system passwd file, which of course can be edited or removed with the
standard chfn(1) [3]_ command.
The finger daemon will also return the contents of three files from the users home
directory, should they exist and be readable.
* ~/.project - which should contain information about the project currently being worked on.
* ~/.plan - which might contain work being done or a TODO style list.
* ~/.pgpkey - which would contain a PGP/GnuPG [4]_ public key block.
The finger protocol is mature, secure and widely used in the UNIX community.
There are clients available for all major operating systems, and web-based
clients for those that don't.
Motivation
==========
Gentoo developers are already aware of the importance of User Relations [9]_ .
It is essential to keep the community up to date with current goals, status
updates, and information from the development team. Currently it is suggested
users track mailing lists, monitor the Gentoo Bugzilla, developer IRC
channels and cvs commits.
While the resources to track developer progress and activity are made
available to users, they are not in a form usable to many people. Keeping
track of development is a tedious challenge, even for developers. For
non-technical users wishing to track the progress of a developer, using
mailing lists and Bugzilla may not be a practical option.
Developers may also need a way to quickly find out the progress or activity of
other developers, different time zones sometimes makes it difficult for
developers to catch each other on IRC, and making already high-volume mailing
lists even more cluttered with status updates is not desirable.
A method that would allow individual developers to keep a log of their
activities and plans that were instantly accessible to anyone who was
interested would be desirable, I propose running a finger daemon on
gentoo.org, or dev.gentoo.org and forwarding requests there from gentoo.org.
Running a developer finger daemon would improve inter developer communication,
user communication and relations, and reduce workload on developers who have to
respond to queries from users on project status updates.
In the future, it is foreseen that portage will require a cryptographically
secure means of verifying ebuilds acquired from an rsync mirror are identical
to those checked into the portage tree by a developer [10]_ . Making developer keys
available to users for manually checking the integrity of files, or patches
sent to them is important. It has long been known that encouraging the
use of gpg among developers is desirable [5]_ .
Should a security vulnerability of a serious nature ever be reported,
standard procedure [6]_ is to inform vendors before releasing the information
to full disclosure security discussion lists. Making the relevant maintainer's
key easily obtainable will allow reporters to encrypt their reports.
Rationale
=========
Providing a finger daemon will allow users to instantly access information on
developers, and all details of that developers current projects that they decide
to share.
GPG keys for all developers will be instantly available, and the output of the
finger devname@gentoo.org command can be piped into gpg --import to instantly
add it to the user's keyring.
The following projects use finger for user-developer communications,::
Latest kernel releases, and developer information.
$ finger @kernel.org
Developers and organisers are encouraged to keep .plans about their
activity.
$ finger nugget@distributed.net
Latest NASA news, and information from engineers.
$ finger nasanews@space.mit.edu
Slackware developers.
$ finger volkerdi@slackware.com
FreeBSD developers.
$ finger nakai@freebsd.org
Implementation and Security
===========================
Some admins are concerned about the security of running a finger daemon on their
machines, the class of security issues involved with the finger protocol are
commonly referred to as "information leaks" [7]_.
This means an attacker may be able to use a finger daemon to identify valid
accounts on their target, which they would then try to obtain access to.
This scenario does not apply to this implementation, as the Gentoo developer
names are already well publicised. [8]_
No security issues have ever been reported with the fingerd available in Gentoo
Portage. Finger is used worldwide by universities, unix systems, and development
projects.
Adding dummy users, will be trivial and allow projects such as gentoo-docs,
gentoo-alpha, gentoo-ppc, etc to maintain .plans and .projects. This will allow
the projects to maintain more technical details or status updates not suitable
for their project webpages.
Adding data to a plan is a lot simpler than updating webpages.
Example Query
=============
Should a user want information about the author, this might be the output of
a finger query::
$ finger taviso@gentoo.org
Login: taviso Name: Tavis Ormandy
Directory: /home/taviso Shell: /bin/bash
Last login: dd-mmm-yyyy
Mail last read dd-mmm-yyy
Project:
Currently working on implementing XXX, and porting XXX to XXX.
Plan:
dd-mmm-yyyy
Investigating bug #12345, testing patch provided in #12236
Write documentation for new features in XXX.
dd-mmm-yyyy
Contact acmesoft regarding license for xxx in portage.
PGP Key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (Linux)
(...)
-----END PGP PUBLIC KEY BLOCK-----
References
==========
.. [1] http://www.ietf.org/rfc/rfc0742.txt
.. [2] http://www.ietf.org/rfc/rfc1196.txt
.. [3] http://www.gentoo.org/dyn/pkgs/sys-apps/shadow.xml
.. [4] http://www.gnupg.org
.. [5] <20030629040521.4316b135.seemant@gentoo.org>
.. [6] http://www.oisafety.org/process.html
.. [7] http://search.linuxsecurity.com/cgi-bin/htsearch?words=information%20leak
.. [8] http://www.gentoo.org/main/en/devlist.xml
.. [9] https://wiki.gentoo.org/wiki/Project:ComRel
.. [10] http://www.gentoo.org/news/en/gwn/20030407-newsletter.xml
Copyright
=========
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
Unported License. To view a copy of this license, visit
https://creativecommons.org/licenses/by-sa/3.0/.
|