[GSoC] Proposal: Authentication for scripted plasmoid downloaded from the web
Diego Casella ([Po]lentino)
polentino911 at gmail.com
Sun Apr 4 15:39:10 CEST 2010
Hi guys,
sorry for being late, however here it is my proposal for this summer of
code.
Since, during PlasMate development, we talked a bit about the possibility to
verify the plasmoids downloaded from kde-look.org or opendesktop.org,
I think about it for a while and I came whit the idea to improve
plasmaengineexplorer (plus plasmapkg and PlasMate, if there wil be enough
time) in order
to use the QCA api to provide plasmoids authentication. Here it is my
implementation details (see the full proposal here
http://socghop.appspot.com/gsoc/student_proposal/private/google/gsoc2010/diego_casella/t127038771188
):
My idea is to use the QCA framework in order to verify the signature of the
plasmoids downloaded from kde-look.org, opendesktop.org, or installed with
plasmapkg/PlasMate. This will require patching the plasma widgetexplorer and
plasmapkg (and also PlasMate in order to support the package signing
process, if time permits that).
Basically, when downloading a scripted plasmoid, the widget explorer will
extract a file containing the signature of the plasmoid, and check its
validity with a set of public keys shipped with KDE, or a set of custom
imported keys (manageable from a KCM module): if the validation process is
successfull against the original KDE keys, the widget explorer will show a
green flag in a corner of the corresponding plasmoid icon, meaning that the
plasmoid has been made from a KDE developer, so you can trust it. If the
validation is successful with a custom key imported by the user, a yellow
flag will be displayed instead, meaning that plasmoid is signed and you
trust the developer who released that plasmoid. If no keys are matched, or
the plasmoid is shipped without a signature file, a red flag will be shown,
meaning "use it at your own risk". Tooltips will be also patched in order to
show these informations.
Any feedback, suggestion or advice is welcome !
Cheers,
-- Diego
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.kde.org/pipermail/plasma-devel/attachments/20100404/8f3d2e29/attachment.htm
More information about the Plasma-devel
mailing list