
List:       kde-devel
Subject:    Re: KNewStuff and GPG question
From:       Frederik Gladhorn <gladhorn () kde ! org>
Date:       2010-07-23 6:39:44
Message-ID: 4c493932.ce7c0e0a.6a17.ffffff8f () mx ! google ! com

Hi Andras,

Andras Mantia wrote:
> On Friday 23 July 2010, Frederik Gladhorn wrote:
>> If any sort of signing worked in knewstuff, that must have been in
>> KDE 3. I'm not aware where this was ever used.
> 
> It was used in Quanta in KDE3 (that's why I added to it;) ) and I think
> it makes a lot of sense for any "stuff" that can run on your computer,
> like scripts. If you have a GHNS provider site where you publish only
> review scripts that don't do any harm, it makes even more sense to sign
> them with a GPG key the users might trust.
> 
> Although Quanta4 porting was stalled, now we have a good progressing SoC
> student for it, so count another app that is interested to have signed
> stuff.

I am all for it, don't get me wrong. It's great to hear that you have 
experience with this. How did you handle the signatures? Was there a sort 
of keyring?
My problem was that we had lots of cruft in knewstuff and I wanted to keep 
the API a little clean. So let's get this working now.
When starting knewstuff3 we discussed this quite a bit. It's imho not 
trivial to implement because in addition to the signature you need a way to 
sensibly check its validity. If we want user contributed content, how does 
it get signed? Or can only selected KDE people sign things? Another 
possibility would be the web of trust, similar to the way gpg and emails 
work. But then it only works for users that go to keysigning parties, 
doesn't it?
I'm really interested in what you came up with.

Cheers
Frederik

 