KNewStuff - signed
Josef Spillner
spillner at kde.org
Thu Feb 3 20:50:40 GMT 2005
On Wednesday, 2 February 2005 10:44, Andras wrote:
> I finished a few days ago the implementation of the upload support of
> signed resources. The whole code is under kdewebdev/lib/newstuff, under
> LGPL, ready to be moved to kdelibs from my point of view, although I
> have the feeling that it's a little late now (I was late with the
> upload support).
Thanks for the good work.
I was a bit out of touch with the release cycle - ouch!
Does it count that most of that code was implemented already in another
module? The new changes mostly affect upload only as I saw, and since the
classes are additions not much can be broken by them.
Well I also have a lot of thoughts:
- the naming, for KDE 3.4 (if it goes in) KNewStuffSecure is ok, it's like a
variant to KNewStuffGeneric, and only gets used if the app author explicitly
wants it (the common download dialog method still uses knewstuff)
(Btw. who came up with Q* classes in quanta? :)
- the gpg dependency: I already asked myself why we don't have the nice UI
stuff which is used in KMail in kdelibs. I fear that kdelibs-4.0 is going to
grow a lot but it seems to be necessary. For the time being the user is told
they need to install gnupg, I don't see a way around that. Packagers need to
care about adding that dependency.
http://www.kde.org/info/requirements/3.3.php lists kdepim as of now, kdewebdev
could be added there.
- the way to handle the hash sum and signature. From a crypto point of view it
doesn't make it less secure to have those in the XML description to avoid
having to deal with tarballs even for small scripts, does it?
I also do not see a problem here because in 4.0 both methods could coexist
(with one being recommended of course).
So in summary, I request adding this for KDE 3.4 because if we delay until 4.0
the potential to mess up something is not exactly smaller (more usage, fd.o
submission, ...)
Josef