Re: Proposing gobby?

["Gustavo J. A. M. Carneiro" <gjc inescporto pt>]

Ter, 2005-11-15 às 10:21 -0800, Corey Burger escreveu:
> On 11/15/05, Chris Ball <cjb mrao cam ac uk> wrote:
> > Hi,
> >
> > I'm not the author of gobby[1], but I'd like to hear thoughts on whether
> > gobby should be proposed for inclusion in Gnome 2.14.  Gobby is a
> > collaborative text editor using GtkSourceView/GTK 2.6, with external
> > dependencies of libgmp, gtkmm and libxml++.  There are two libraries
> > that are maintained by the gobby authors used: libobby and libnet6.
> >
> > Collaborative editing is an application many people don't seem to have
> > realised is possible with their computers; I think having it available
> > such that two GNOME users can easily start a collaborative session
> > together would be massively beneficial.
> 
> Gobby is a lot of fun and a great piece of work, but having used this
> extensively at UBZ (along with the rest of the people there), we found
> some bugs[1] that might need to be addressed before we foist it on the
> unsuspecting user.

  I subscribe the good opinion about Gobby, generally, but the security
of its network protocol leaves a lot to be desired.  I captured the
protocol stream with ethereal and, while there is a password based
authentication scheme at session setup time, the remaining of the
traffic passes essentially in clear text: neither authenticated nor
encrypted.  That is a potencial security hole.  I wouldn't dare to do
collaborative editing across the internet with Gobby, yet gobby allows
this easily and doesn't even warn users of these dangers.  Why can't the
session passphrase be used to cypher the whole TCP stream?  Surely that
isn't so hard to do, these days.  I'm sure there are ready made
functions in openssl or gnutls libraries.

  Regards.

-- 
Gustavo J. A. M. Carneiro
<gjc inescporto pt> <gustavo users sourceforge net>
The universe is always one step beyond logic.