Hi guys,<br>sorry for being late; however, here is my proposal for this summer of code.<br>Since, during PlasMate development, we talked a bit about the possibility to verify the plasmoids downloaded from <a href="http://kde-look.org">kde-look.org</a> or <a href="http://opendesktop.org">opendesktop.org</a>,<br>
I thought about it for a while and came up with the idea to improve plasmaengineexplorer (plus plasmapkg and PlasMate, if there will be enough time) in order<br>to use the QCA API to provide plasmoid authentication. Here are my implementation details (see the full proposal here <a href="http://socghop.appspot.com/gsoc/student_proposal/private/google/gsoc2010/diego_casella/t127038771188">http://socghop.appspot.com/gsoc/student_proposal/private/google/gsoc2010/diego_casella/t127038771188</a>):<br>
<p><br></p><p>My idea is to use the QCA framework in order to verify the signature
of the plasmoids downloaded from <a href="http://kde-look.org">kde-look.org</a>, <a href="http://opendesktop.org">opendesktop.org</a>, or
installed with plasmapkg/PlasMate. This will require patching the
plasma widgetexplorer and plasmapkg (and also PlasMate in order to
support the package signing process, if time permits).</p>
<p>Basically, when downloading a scripted plasmoid, the widget explorer
will extract a file containing the signature of the plasmoid, and check
its validity with a set of public keys shipped with KDE, or a set of
custom imported keys (manageable from a KCM module): if the validation
process is successful against the original KDE keys, the widget
explorer will show a green flag in a corner of the corresponding
plasmoid icon, meaning that the plasmoid has been made by a KDE
developer, so you can trust it. If the validation is successful with a
custom key imported by the user, a yellow flag will be displayed
instead, meaning that the plasmoid is signed and you trust the developer
who released that plasmoid. If no keys are matched, or the plasmoid is
shipped without a signature file, a red flag will be shown, meaning
"use it at your own risk". Tooltips will also be patched in order to
show this information.</p><p><br></p><p>Any feedback, suggestion or advice is welcome!</p><p>Cheers,</p><p>-- Diego<br></p>
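<p>The flag decision described in the message above, as an added example that is not part of the original post or of KDE's code. Textbook RSA with constructed demo keys stands in for the QCA verification call, the signature is assumed to cover the SHA-256 of the package bytes, and every name below is hypothetical.</p>

```python
import hashlib
from enum import Enum

class Flag(Enum):
    GREEN = "signed by a key shipped with KDE"
    YELLOW = "signed by a key the user imported"
    RED = "unsigned, or no known key matches"

E = 65537  # public exponent shared by the constructed demo keys

def make_key(p, q):
    # Textbook RSA over small Mersenne primes: insecure, for this demo only.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(package, n):
    return int.from_bytes(hashlib.sha256(package).digest(), "big") % n

def sign(package, key):
    return pow(digest(package, key["n"]), key["d"], key["n"])

def verifies(package, signature, n):
    return 0 <= signature < n and pow(signature, E, n) == digest(package, n)

def classify(package, signature, kde_keys, user_keys):
    # signature is None when the package ships without a signature file.
    if signature is None:
        return Flag.RED
    # KDE keys are checked first, so a KDE match is never downgraded to yellow.
    if any(verifies(package, signature, n) for n in kde_keys):
        return Flag.GREEN
    if any(verifies(package, signature, n) for n in user_keys):
        return Flag.YELLOW
    return Flag.RED

KDE = make_key(2**127 - 1, 2**89 - 1)      # constructed "shipped with KDE" key
USER = make_key(2**107 - 1, 2**61 - 1)     # constructed user-imported key
STRANGER = make_key(2**31 - 1, 2**19 - 1)  # constructed key in neither keyring
PACKAGE = b"constructed plasmoid package bytes"

def demo():
    rings = ([KDE["n"]], [USER["n"]])
    return {
        "kde": classify(PACKAGE, sign(PACKAGE, KDE), *rings),
        "user": classify(PACKAGE, sign(PACKAGE, USER), *rings),
        "stranger": classify(PACKAGE, sign(PACKAGE, STRANGER), *rings),
        "unsigned": classify(PACKAGE, None, *rings),
        "tampered": classify(PACKAGE + b"!", sign(PACKAGE, KDE), *rings),
    }
```

<p>The tampered case shows why the signature has to cover the package contents: a valid KDE signature over the original bytes gives a red flag once the package is modified.</p>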