Subject: Re: [GSoC] Proposal: Authentication for scripted plasmoid downloaded from the web

Diego Casella ([Po]lentino) polentino911 at gmail.com
Mon Apr 5 03:09:27 CEST 2010


>
> ---------- Forwarded message ----------
> From: Chani <chanika at gmail.com>
> To: plasma-devel at kde.org
> Date: Sun, 4 Apr 2010 10:56:42 -0700
> Subject: Re: [GSoC] Proposal: Authentication for scripted plasmoid
> downloaded from the web
> On April 4, 2010 06:39:10 Diego Casella ([Po]lentino) wrote:
> > Hi guys,
> > sorry for being late, however here it is my proposal for this summer of
> > code.
> > Since, during PlasMate development, we talked a bit about the possibility
> > to verify the plasmoids downloaded from kde-look.org or opendesktop.org, I
> > think about it for a while and I came with the idea to improve
> > plasmaengineexplorer (plus plasmapkg and PlasMate, if there will be enough
> > time) in order
>
> I assume you mean plasma *widget* explorer ;)
>

You are right, I made a lot of typos in this email >.<

>
> > to use the QCA api to provide plasmoids authentication. Here it is my
> > implementation details (see the full proposal here
> > http://socghop.appspot.com/gsoc/student_proposal/private/google/gsoc2010/diego_casella/t127038771188 ):
>
> psst. only mentors have access to that page - note the "private" in the url
> :)
> I suggest you upload your proposal somewhere public as well.
>
> this one should work :)
http://socghop.appspot.com/gsoc/student_proposal/show/google/gsoc2010/diego_casella/t127038771188

---------- Forwarded message ----------
> From: Chani <chanika at gmail.com>
> To: plasma-devel at kde.org
> Date: Sun, 4 Apr 2010 11:19:25 -0700
> Subject: Re: [GSoC] Proposal: Authentication for scripted plasmoid
> downloaded from the web
> On April 4, 2010 11:02:30 Marco Martin wrote:
> > On Sun, Apr 4, 2010 at 3:39 PM, Diego Casella ([Po]lentino)
> >
> > <polentino911 at gmail.com> wrote:
> > > Hi guys,
> > > sorry for being late, however here it is my proposal for this summer of
> > > code.
> > > Since, during PlasMate development, we talked a bit about the possibility
> > > to verify the plasmoids downloaded from kde-look.org or opendesktop.org,
> > > I think about it for a while and I came with the idea to improve
> > > plasmaengineexplorer (plus plasmapkg and PlasMate, if there will be
> > > enough time) in order
> > > to use the QCA api to provide plasmoids authentication. Here it is my
> > > implementation details (see the full proposal here
> > > http://socghop.appspot.com/gsoc/student_proposal/private/google/gsoc2010/diego_casella/t127038771188):
> > >
> > > My idea is to use the QCA framework in order to verify the signature of
> > > the plasmoids downloaded from kde-look.org, opendesktop.org, or
> > > installed with plasmapkg/PlasMate. This will require patching the plasma
> > > widgetexplorer and plasmapkg (and also PlasMate in order to support the
> > > package signing process, if time permits that).
> >
> > This is a must have and was in the todo since day one...
> > as Chani said I'm not sure if it is better at Plasma Package level or at
> > a broader thing for all ghns stuff
> >
>
> hmm.
> honestly I think we'll want it at *both* levels in the end.
> the GHNS dialog will need to ask the server about the security rating, so
> some sort of server-side support needs writing for that.
> but we also want to check the security of manually downloaded plasmoids
> (or, say, a plasmoid that a friend emailed us). so we want it in Plasma too.
>
> it probably makes sense to start it in plasma, and spread it from there. :)
>

Yep !

>
> oh, another thing: the kcm part of the proposal was kinda vague. I expect
> that it'll be just a simple thing, and advanced key-management stuff will be
> left to programs like kgpg... we don't want to scare people off. :) of course
> most will just leave it with the default KDE key anyways.. hrrm... what
> exactly is the kcm needed for? can't you just check which keys I trust in my
> keyring?
>

The idea of the KCM module is to provide a unique place for listing and
showing all the saved keys, with the opportunity to add/delete them, nothing
more :)
Of course if the keys are the ones shipped with KDE/Linux distributor, they
will be available in read-only mode (however they can be modified by
performing something like a "sudo apt-get upgrade", if updated keys are
available); otherwise, for third-party keys, you can add/delete them if you
trust their releaser.
Using the default keyring is correct, but since we can't tell how many keys
will be pre-installed, and how many others will be installed by the user, I
don't like the idea of polluting the default keyring with all of these.
By the way this is only my opinion, that's why I need your advice :)

>
> --
> This message brought to you by eevil bananas and the number 3.
> www.chani3.com
>
>