KnewStuff and Quanta (for Ian)
Some minutes ago a mail from Ian landed in my Inbox, where he asks if I would blog or write a "short one paragraph snippet" on how KNewStuff is used in Quanta. I don't really get where should I write that paragraph, that I can certainly blog here. :-) Anyway, my PC is doing some video encoding using the nice DVD Rip-O-Matic application written in Kommander, so I have some free time. I have no idea if this will show up on planetkde.org or not though. Now back to the topic. Quanta was already extensible with user defined toolbars, actions, documentation, script, templates and DTEP packages describing languages. It was a natural step to provide an interface from within the application so users can get the latest add-on packages, instead of needing to go to the website and download from there. To be honest, until now only some documentation packages were available for download, but now that the download is integrated we might get rid of some heavy DTEP packages that are shipped with Quanta and offer the rest as an add-on. It was also possible to send such packages in email, but this is also of limited use if you want to contribute back easily to the community. Due to the nature of packages, especially for scripts and toolbars getting new resources can pose a potential security problem, as they contain executable code, and nobody wants to run locally a script that deletes your home directory. Our solution was to use digital signing and md5sum verification. An innovative idea, isn't it? ;-) For this first I locally extended KNewStuff to support verification of the downloaded resources. The user is always warned about who created the resource and can decide to install it or not. If (signature of) the one who created is trusted, only an information dialog is shown. This doesn't rule out the possibility of user error and from this the local data stealing or corruption, the responsibility is completely the user's. The "secured" KNewStuff (KNewStuffSecure) code was contributed back to main KDE libraries and now it is available in 3.4.0, so other applications can use it as well. I tried to make it as easily usable as I could, the only thing that one must understand is how a secured resource looks like: a gziped tarball which has a gziped tarball (the real resource), a signature and an md5sum file. Luckily there is also code to create such secure resources. And this is the second step (and maybe the more important one) regarding KNewStuff usage. I think it's great to provide add-ons, but it's even better if those add-ons come from the users. With the upload feature they can easily share their toolbars, templates and whatever with the rest of the world. And here comes the "todo" part which we want to do on the server side (hopefully for will be ready around 3.4.0 is released, or shortly after), where the newstuff resources are uploaded and are provided for download. We want to set up some scripts on the site so whenever somebody uploads a resource it is handled either automatically (and provided for immediate download) or it's put in a review queue. The decision is again made based on (surprise) the signature of the uploader. If we (the Quanta team) trust him/her and he/she provided good resources it can be a trusted uploader and his work will be offered for download immediately. Resources uploaded by not trusted users are reviewed first and the reviewer can decide if it is accepted or not. So this is the short story. Ian, if you wanted a more technical description (maybe about the KNewStuffSecure), I can write one as well.