<div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">---------- Messaggio inoltrato ----------<br>From: Chani <<a href="mailto:chanika@gmail.com">chanika@gmail.com</a>><br>
To: <a href="mailto:plasma-devel@kde.org">plasma-devel@kde.org</a><br>Date: Sun, 4 Apr 2010 10:56:42 -0700<br>Subject: Re: [GSoC] Proposal: Authentication for scripted plasmoid downloaded from the web<br>On April 4, 2010 06:39:10 Diego Casella ([Po]lentino) wrote:<br>
> Hi guys,<br>
> sorry for being late, however here it is my proposal for this summer of<br>
> code.<br>
> Since, during PlasMate development, we talked a bit about the possibility<br>
> to verify the plasmoids downloaded from <a href="http://kde-look.org" target="_blank">kde-look.org</a> or <a href="http://opendesktop.org" target="_blank">opendesktop.org</a>, I<br>
> think about it for a while and I came whit the idea to improve<br>
> plasmaengineexplorer (plus plasmapkg and PlasMate, if there wil be enough<br>
> time) in order<br>
<br>
I assume you mean plasma *widget* explorer ;)<br></blockquote><div><br>You are right, I made a lot of typos in this email >.< <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
> to use the QCA api to provide plasmoids authentication. Here it is my<br>
> implementation details (see the full proposal here<br>
> <a href="http://socghop.appspot.com/gsoc/student_proposal/private/google/gsoc2010/di" target="_blank">http://socghop.appspot.com/gsoc/student_proposal/private/google/gsoc2010/di</a><br>
> ego_casella/t127038771188 ):<br>
<br>
psst. only mentors have access to that page - note the "private" in the url :)<br>
I suggest you upload your proposal somewhere public as well.<br>
<br></blockquote><div>this one should work :)<br><a href="http://socghop.appspot.com/gsoc/student_proposal/show/google/gsoc2010/diego_casella/t127038771188">http://socghop.appspot.com/gsoc/student_proposal/show/google/gsoc2010/diego_casella/t127038771188</a> <br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">---------- Messaggio inoltrato ----------<br>From: Chani <<a href="mailto:chanika@gmail.com">chanika@gmail.com</a>><br>
To: <a href="mailto:plasma-devel@kde.org">plasma-devel@kde.org</a><br>Date: Sun, 4 Apr 2010 11:19:25 -0700<br>Subject: Re: [GSoC] Proposal: Authentication for scripted plasmoid downloaded from the web<br>On April 4, 2010 11:02:30 Marco Martin wrote:<br>
> On Sun, Apr 4, 2010 at 3:39 PM, Diego Casella ([Po]lentino)<br>
><br>
> <<a href="mailto:polentino911@gmail.com">polentino911@gmail.com</a>> wrote:<br>
> > Hi guys,<br>
> > sorry for being late, however here it is my proposal for this summer of<br>
> > code.<br>
> > Since, during PlasMate development, we talked a bit about the possibility<br>
> > to verify the plasmoids downloaded from <a href="http://kde-look.org" target="_blank">kde-look.org</a> or <a href="http://opendesktop.org" target="_blank">opendesktop.org</a>,<br>
> > I think about it for a while and I came whit the idea to improve<br>
> > plasmaengineexplorer (plus plasmapkg and PlasMate, if there wil be<br>
> > enough time) in order<br>
> > to use the QCA api to provide plasmoids authentication. Here it is my<br>
> > implementation details (see the full proposal here<br>
> > <a href="http://socghop.appspot.com/gsoc/student_proposal/private/google/gsoc2010/" target="_blank">http://socghop.appspot.com/gsoc/student_proposal/private/google/gsoc2010/</a><br>
> > diego_casella/t127038771188):<br>
> ><br>
> > My idea is to use the QCA framework in order to verify the signature of<br>
> > the plasmoids downloaded from <a href="http://kde-look.org" target="_blank">kde-look.org</a>, <a href="http://opendesktop.org" target="_blank">opendesktop.org</a>, or<br>
> > installed with plasmapkg/PlasMate. This will require patching the plasma<br>
> > widgetexplorer and plasmapkg (and also PlasMate in order to support the<br>
> > package signing process, if time permits that).<br>
><br>
> This is a must have and was in the todo since day one...<br>
> as Chani said i'm not sure if is better at Plasma Package level or at<br>
> a broader thing for all ghns stuff<br>
><br>
<br>
hmm.<br>
honestly I think we'll want it at *both* levels in the end.<br>
the GHNS dialog will need to ask the server about the security rating, so some<br>
sort of server-side support needs writing for that.<br>
but we also want to check the security of manually downloaded plasmoids (or,<br>
say, a plasmoid that a friend emailed us). so we want it in Plasma too.<br>
<br>
it probably makes sense to start it in plasma, and spread it from there. :)<br></blockquote><div><br>Yep ! <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
oh, another thing: the kcm part of the proposal was kinda vague. I expect that<br>
it'll be just a simple thing, and advanced key-management stuff will be left to<br>
programs like kgpg... we don't want to scare people off. :) of course most will<br>
just leave it with the default KDE key anyways.. hrrm... what exactly is the<br>
kcm needed for? can't you just check which keys I trust in my keyring?<br></blockquote><div><br>The idea of the KCM module is to provide a unique place where listing and showing all the
keys saved, with the opportunity to add/delete them, nothing more :)<br>Of
course if the keys are the ones shipped with KDE/linux distributor,
they will be available in read only mode (however they can be modified
by performing something like an "sudo apt-get upgrade", if updated keys are available); otherwise, for third-party keys,you
can add/delete them if you trust its releaser.<br>Using the default keyring is correct, but since we can't tell how many keys will be pre-installed, and how many others will be installed by the user, I don't like the idea to pollute the default keyring with all of these.<br>
By the way this is only my opinion, that's why I need your advices :)<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
--<br>
This message brought to you by eevil bananas and the number 3.<br>
<a href="http://www.chani3.com" target="_blank">www.chani3.com</a><br>
<br></blockquote></div>