On Fri, Dec 03, 2010 at 02:00:43AM +0800, Paul Wise wrote: > On Fri, Dec 3, 2010 at 12:57 AM, Thomas Thurman > <thomas.thurman@collabora.co.uk> wrote: > > > I am proposing an escape sequence which, when transmitted over SSH or > > telnet, requests the client to display a desktop notification. I have > > written up a description, with some example code, at > I'm not sure I would feel comfortable running gnome-terminal any more. > I definitely wouldn't want the admins of all the servers I login to to > be able to inject information into my desktop outside of the terminal > I give them access to by logging in. This needs to be opt-in and > enabled on a per-host basis. I agree. This opens up a huge new vector for potential security bugs. The risks of running a remote session on a terminal are already well understood, but this expands the amount of code that is potentially vulnerable by quite a bit. You will have to consider how many notifications should be allowed and how frequently they should be allowed to occur. You will also have to check that the data is actually valid UTF-8 (in the shortest possible encoding). It also means that text files that are viewed on the local terminal may trigger notifications. Furthermore, because of the required updates to terminal definitions, this will not be practically useful for several years, considering that most Debian machines will run stable and this will almost certainly not appear in squeeze. Plus, I use TERM=gnome-256color, which means that this won't work for me (which I actually find preferable). There are a variety of valid TERM types for gnome-terminal, including xterm, xterm-debian, gnome, and gnome-256color; it's not reasonable to expect all of them to be patched. This feature also will not work in many cases: when the user is on a VT, does not have libnotify installed, or is on a device (e.g. a cell phone) that does not support them. This means that such programs will still have to fall back to their normal method of notifying the user. Overall, I think it's a bad idea. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Attachment:
signature.asc
Description: Digital signature