[GSoC] Proposal: Authentication for scripted plasmoid downloaded from the web
Chani
chanika at gmail.com
Sun Apr 4 20:19:25 CEST 2010
On April 4, 2010 11:02:30 Marco Martin wrote:
> On Sun, Apr 4, 2010 at 3:39 PM, Diego Casella ([Po]lentino)
>
> <polentino911 at gmail.com> wrote:
> > Hi guys,
> > sorry for being late, however here it is my proposal for this summer of
> > code.
> > Since, during PlasMate development, we talked a bit about the possibility
> > to verify the plasmoids downloaded from kde-look.org or opendesktop.org,
> > I think about it for a while and I came whit the idea to improve
> > plasmaengineexplorer (plus plasmapkg and PlasMate, if there wil be
> > enough time) in order
> > to use the QCA api to provide plasmoids authentication. Here it is my
> > implementation details (see the full proposal here
> > http://socghop.appspot.com/gsoc/student_proposal/private/google/gsoc2010/
> > diego_casella/t127038771188):
> >
> > My idea is to use the QCA framework in order to verify the signature of
> > the plasmoids downloaded from kde-look.org, opendesktop.org, or
> > installed with plasmapkg/PlasMate. This will require patching the plasma
> > widgetexplorer and plasmapkg (and also PlasMate in order to support the
> > package signing process, if time permits that).
>
> This is a must have and was in the todo since day one...
> as Chani said i'm not sure if is better at Plasma Package level or at
> a broader thing for all ghns stuff
>
hmm.
honestly I think we'll want it at *both* levels in the end.
the GHNS dialog will need to ask the server about the security rating, so some
sort of server-side support needs writing for that.
but we also want to check the security of manually downloaded plasmoids (or,
say, a plasmoid that a friend emailed us). so we want it in Plasma too.
it probably makes sense to start it in plasma, and spread it from there. :)
oh, another thing: the kcm part of the proposal was kinda vague. I expect that
it'll be just a simple thing, and advanced key-management stuff will be left to
programs like kgpg... we don't want to scare people off. :) of course most will
just leave it with the default KDE key anyways.. hrrm... what exactly is the
kcm needed for? can't you just check which keys I trust in my keyring?
--
This message brought to you by eevil bananas and the number 3.
www.chani3.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://mail.kde.org/pipermail/plasma-devel/attachments/20100404/e183981b/attachment.sig
More information about the Plasma-devel
mailing list