Thoughts about this Summer of Code :)

Yesterday I was thinking about my whole GSoC and what I learned and did during this period and, regardless of the evaluation that Aaron will fill in about my work, I must admit that this year I’m very excited about what I’ve done 😀

In fact, during these months, I:

  • learned the QCA framework, and wrote the authentication library on top of it;
  • got in touch with their developers, and asked them for improvements;
  • recognized QCA limitations, took the decision to move to the GpgME++ library, learned it, and ported the authentication library to this new library;
  • debated with the open-collaboration-service guys both at #ghns and on their mailing list about adding gpg support;
  • took part in the drafting of the new Open Collaboration Service API;
  • learned how the Attica library works, and modified it in order to make it work with the test server they put online;
  • improved the KNewStuff3 library to retrieve, process and show the authentication information.

Compared with last year, when I worked on PlasMate, this year I really enjoyed my GSoC, had a lot of fun and met great people.

That’s why I want to thank Aaron for being my mentor, Frederik Gladhorn and Frank Karlitschek for our talks about the open collaboration draft and their help with the test server, Marc Mutz for his help on the GpgME++ library, Justin Karneges for his support with QCA, and Pinotree for his advice 😉


Authentication framework: closing the circle (+ screencast)

As I promised more than a week ago, today I’ll show you the progress done with the authentication framework, starting with signing a plasmoid with PlasMate, uploading that plasmoid and its signature to opendesktop.org within PlasMate, and retrieving it with the Widget Explorer “Download widget dialog”.

Originally, I planned to show a more detailed screencast but, because of an unfortunate series of events, I started playing on a fully functional opendesktop test server just yesterday afternoon. However, here is the screencast, split into two pieces. Alas, I noticed too late that the screencast took so much time (the first part lasts about 14 minutes O.o, but you can skip the last 7 minutes because I’m repeatedly signing and sending some plasmoids to the server to show the authentication process later). By the way, I hope you’ll enjoy these videos:

Part 1 (.ogv version):

[blip.tv ?posts_id=4019829&dest=-1]

Part 2 (.ogv version):

[blip.tv ?posts_id=4019854&dest=-1]

Cool, isn’t it? 🙂

However, this is only the beginning: as I mentioned in my previous post, the KNewStuff maintainer (fregl) wants to extend that authentication mechanism to every package exchanged with KNS, so I need to move the library from plasma libs to a more suitable place (perhaps kdelibs?). There is also some work to do in the Attica library, because the opendesktop specification describes multiple signatures and fingerprints (because of the collaboration stuff), and I did only a basic implementation in order to see if everything worked as expected. The KNewStuff3 download dialog needs some love too, because the detailed view up to now shows only a string with the signer name and the trust level for each plasmoid; I didn’t implement a widget with star ratings for the following reasons:

  • there is already a starred rating widget, used for the users’ rating: showing two widgets with different star ratings will confuse the user in my opinion, so I opted for displaying a simple text;
  • lack of time 😛

The grid view is even more complex, because the same information is condensed into less space, so I need to figure out how to show the authentication information there in a proper way too.

PlasMate needs a lot of love too, and I realized it when playing with its code again; perhaps, after this summer of code, I’ll start rewriting its internals and cleaning up the code.

That’s all, for now. Stay tuned 😉

GSoC week #7 – Porting week :P

After spending lots of time trying to make the QCA GnuPG plugin work by doing some workarounds and putting some pressure on the developer, and seeing the midterm evaluation closer every day, I’ve taken the decision to move to GpgME++. So I’ve started porting some stuff on the PlasMate side in order to get my feet wet with this new library, and I have to admit: it’s really simple and effective 🙂
Once I had ported PlasMate to gpgme++, I ported the authentication library, and it’s in playground now 🙂 I have to fix a bug that makes plasma crash sometimes, however now all the pieces are working, so yayy 🙂

GSoC week #6 – It’s PlasMate time :)

During the past week, since the authentication library is working pretty well with the plasma widget explorer[1] (although it still needs to be polished and refined), I decided to take a little break from it and start improving PlasMate. As you should know, showing the trust level of a scripted plasmoid in the widget explorer is only one part of my whole GSoC: the goal is to provide a simple way to sign plasmoids, upload them with their signature via GHNS, retrieve them from the web (again, with GHNS), show their trust level before being downloaded, and finally display their trust level when browsing the plasma widget explorer.

Therefore, this week was PlasMate’s turn 🙂. In the screenshot below, you can see how the Publish widget looks now:

[Screenshot: PlasMate with Signing option]

The interface is pretty simple and intuitive: to enable the plasmoid signing option, simply click on the corresponding checkbox. Then, you have to select one PGP private key from the list below, and that’s all. Every time the user clicks Export/Install/Publish, a new signature file will be calculated, and a dialog will pop up and ask for the key password.

The widget also has two buttons used to create or delete the keys used for signing; however they’re disabled for now because the creation of a new PGP key pair is not implemented in the QCA API and I have to manage it on my own (so, this time, everything is good 😛), but the delete button is disabled because, yet another bug™, the removeEntry() method calls the wrong command line switches, and I’m waiting for the fix[2].

I’ve also managed to solve a serious bug which made PlasMate constantly crash whenever pressing the export, install or publish button. It seems this bug had affected PlasMate since alpha2, but I discovered it only a few days ago when I started using these features. However, now it works like a charm 😀

Stay tuned for further updates, cheers !

____________________________________________________

1: For those who missed the screencast, here is the video.

2: No, I’m not kidding you. I’ve even told the author why the actual command line fails, and a sensible way to fix it. And, after five days, I’m still waiting for this trivial fix…

GSoC week #4 and #5, with screencast

[Update]: since the video on YouTube still looks like crap (😦), I’ve re-uploaded the video to blip.tv and embedded it from there.

Two weeks have gone by without blogging, and now it’s time to show the Planet the progress I made during these weeks with my GSoC project.

During week #4 I was somewhat busy with a College exam, however I performed a lot of fixes to the Authentication API, and got lots of headaches because of the qca-gnupg, again :\

Basically, when calling the startVerify(QByteArray &detachedSig) function, it randomly hangs, causing the library to freeze (and thus the application too). After struggling a lot with the possible reasons, I noticed that the gpg process spawned by QCA sometimes didn’t end, causing the issue. I wrote to the QCA mailing list, where I sent some feedback about what happened, but the problem doesn’t seem to be easily fixable. So, in the meantime, I wrote another workaround to launch gpg with a KProcess and parse its output, until the patch is released.

During week #5 I started to deeply integrate the authentication library into the widget explorer. When I made this screenshot, I basically set a fixed TrustLevel for each scripted plasmoid, as well as for the rating icons, to test how this new information would look once merged with the usual UI. Now, instead, the ratings are retrieved by verifying each plasmoid against its signature, if any, and the information about the signer is shown in the tooltip. Moreover, compared to the screenshot I linked above, the icons which represent the rating and the running plasmoid are now better placed in the layout, in order to save space at the bottom of the Plasma widget explorer.

Oh well, stop talking now, and let’s see the video I made 🙂
[blip.tv ?posts_id=3835218&dest=-1]

.ogv version

Urghh, seems like YouTube is taking a long time to process my video… If tomorrow the condition is the same, I’ll re-upload it to blip.tv.

GSoC week #3 && Heya PlanetKDE :)

The fourth week of Summer of Code started today: it’s time, as usual, to talk about the progress I made during the last week.

However, since this is my first post on PlanetKDE too, I’ll spend a couple of lines to introduce myself. I’m Diego Casella, a 24-year-old student in Engineering at the University of Padova (major in Control Theory). In the 2009 edition of the GSoC I worked with Yuen Hoe and Shantanu within the PlasMate project and this year, inspired by some remarks about it, I’m developing an authentication library for plasmoids taking advantage of the QCA framework. A library on its own is not very useful of course, so I’m going to improve the Plasma widget explorer, its GHNS download widget and PlasMate as well in order to close the circle 🙂

The authentication library itself is not very complicated: it keeps track of, loads and monitors for changes the keys saved in the user’s PGP keyring, plus it adds the public keys shipped with KDE. It subdivides the keys according to their trust level and provides a method – signedByKey() – to easily test whether the plasmoid and signature file passed as parameters to the function have been signed with the key provided. In the public API, all the keys are referenced by their unique string ID, without showing the presence of the QCA framework under the hood.
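A sketch of the kind of check signedByKey() describes, as an added example (not code from the library or from this blog): it parses the machine-readable lines gpg writes with `--status-fd` while verifying a detached signature and accepts only a single valid signature made by the expected key. The function body, the sample lines and the use of a full fingerprint as the key ID are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

// Constructed samples of the status lines gpg emits during --verify.
const char *GOOD =
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Author <author@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-08-01 "
    "1280620800 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n";
const char *BAD =
    "[GNUPG:] BADSIG 89ABCDEF01234567 Author <author@example.org>\n";

static std::string upper(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return (char)std::toupper(c); });
    return s;
}

// Hypothetical stand-in for signedByKey(): true only if the status output
// reports exactly one valid signature, made by the key with the expected full
// fingerprint (first VALIDSIG argument), and no failure keyword at all.
bool signedByKey(const std::string &status, const std::string &expectedFpr) {
    static const char *failures[] = {"BADSIG", "ERRSIG", "EXPSIG",
                                     "EXPKEYSIG", "REVKEYSIG"};
    std::istringstream in(status);
    int valid = 0, matching = 0;
    for (std::string line; std::getline(in, line);) {
        std::istringstream rec(line);
        std::string tag, keyword, arg;
        rec >> tag >> keyword >> arg;
        if (tag != "[GNUPG:]") continue;  // skip human-readable output
        for (const char *f : failures)
            if (keyword == f) return false;
        if (keyword == "VALIDSIG") {
            ++valid;
            if (upper(arg) == upper(expectedFpr)) ++matching;
        }
    }
    return valid == 1 && matching == 1;  // GOODSIG alone is never enough
}

int main() {
    const std::string fpr = "0123456789ABCDEF0123456789ABCDEF01234567";
    std::cout << signedByKey(GOOD, fpr) << signedByKey(BAD, fpr) << '\n';
}
```

Comparing the full fingerprint rather than the 64-bit ID shown on the GOODSIG line means a different key that shares the same short ID is rejected.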

After this brief introduction, let’s talk about what I did this last week: apart from fixing some issues in the library, I was (actually I _am_) still waiting for a response from the QCA developer about an API change I need to complete the library. So I decided to move forward, and I started playing with the widget explorer in order to properly show the new information about the trust level of the scripted plasmoids found on the computer. This is the result I achieved:

[Screenshot: Widgets Explorer]

As you can see, under the plasmoid name there are a number of stars corresponding to its trust level; for detailed information about the signer and the trust level, the tooltip has been improved too 🙂

However, I’m not really satisfied with this implementation: look at the amount of space wasted between the plasmoid names and the bottom of the widget due to a single scripted plasmoid. That’s why I’m considering painting the rating starting from the bottom left corner of the plasmoid icon, and moving the dialog-ok icon (used to indicate that the current plasmoid is running) to the upper right corner in order to save space.

Oh well, that’s all for now. Stay tuned 🙂

GSoC week#2

This week I improved the authentication library I began writing the previous week: more precisely, I’ve implemented the method responsible for verifying the signature against the ID of the key passed as parameter, and moved the key IDs from five QStringList objects to a single QMap< TrustLevel, QList< QCA::SecureArray > > object, which slightly reduces the lines of code and, more importantly, increases its storage security.

However, I had an unhappy surprise when testing the library during this week: it seems the PGPKey class, which is widely used to load/save the keys from the local keystore, as well as to verify the signature, lacks a method call to retrieve all the IDs that signed the current key O.o

Is this method that essential for my library? Absolutely. Since I have to split the keys by their level of trust, first I save the KDE IDs, then I have to iterate over all the remaining PGPKeys, and check whether they are signed by a KDE key: these keys will build the second level of trust. Then, the library will load the user’s private key, and those keys will create the user trusted keys; since we want to provide a certain degree of freedom on trust level, the user can also sign the keys he personally trusts, so here is another relationship check on the keys not processed yet. As you can see, I need to know which keys signed another, so I spent some time exploring the source code of the GnuPG plugin to find out what went wrong, and I discovered that first, the API doesn’t expose that kind of call, and second, that the plugin doesn’t call the gpg command switches --list-sigs or --check-sigs at all! So I wrote to the QCA maintainer about my problem, and now we’re discussing the implementation details on their mailing list. My only hope is that they won’t take that long to implement this feature; I’ve got my first deadline in about one month, after all!
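The trust-level split described above, as an added example rather than the library's own code: it reads a constructed `gpg --check-sigs --with-colons` listing and sorts keys in the order the post gives, counting only signatures gpg marked as good. The level names, key IDs and the `classify` function are hypothetical.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical level names, listed in the order the post assigns them.
enum TrustLevel { KdeKey, SignedByKde, UserKey, SignedByUser, Unknown };
typedef std::set<std::string> IdSet;
// Constructed listing. Field 1: record type; field 5: key ID (the signer's on
// a sig record); field 2 of a sig record: check result, '!' good, '-' bad.
const char *SAMPLE =
    "pub:f:2048:1:AAAAAAAAAAAAAAAA:1270000000:::-:::scESC:\n"
    "pub:u:2048:1:BBBBBBBBBBBBBBBB:1270000000:::u:::scESC:\n"
    "pub:-:2048:1:CCCCCCCCCCCCCCCC:1270000000:::-:::scESC:\n"
    "sig:!::1:AAAAAAAAAAAAAAAA:1270000100::::KDE key:10x:\n"
    "pub:-:2048:1:DDDDDDDDDDDDDDDD:1270000000:::-:::scESC:\n"
    "sig:!::1:BBBBBBBBBBBBBBBB:1270000200::::Local user:10x:\n"
    "pub:-:2048:1:EEEEEEEEEEEEEEEE:1270000000:::-:::scESC:\n"
    "sig:-::1:AAAAAAAAAAAAAAAA:1270000300::::KDE key:10x:\n";

static bool anyIn(const IdSet &ids, const IdSet &trusted) {
    for (const std::string &id : ids) if (trusted.count(id)) return true;
    return false;
}

std::map<TrustLevel, IdSet> classify(const std::string &listing,
                                     const IdSet &kde, const IdSet &user) {
    std::map<std::string, IdSet> signers;  // key ID -> keys with a good sig on it
    std::istringstream in(listing);
    for (std::string line, cur; std::getline(in, line);) {
        std::vector<std::string> f;
        std::istringstream rec(line);
        for (std::string x; std::getline(rec, x, ':');) f.push_back(x);
        if (f.size() < 5) continue;
        if (f[0] == "pub") { cur = f[4]; signers[cur]; }
        else if (f[0] == "sig" && !cur.empty() && f[4] != cur &&
                 f[1].compare(0, 1, "!") == 0)
            signers[cur].insert(f[4]);  // bad, unchecked, self-sigs are skipped
    }
    std::map<TrustLevel, IdSet> out;
    for (const auto &k : signers)
        out[kde.count(k.first) ? KdeKey : anyIn(k.second, kde) ? SignedByKde
            : user.count(k.first) ? UserKey : anyIn(k.second, user) ? SignedByUser
            : Unknown].insert(k.first);
    return out;
}

int main() {
    for (const auto &k : classify(SAMPLE, {"AAAAAAAAAAAAAAAA"}, {"BBBBBBBBBBBBBBBB"}))
        for (const auto &id : k.second) std::cout << k.first << ' ' << id << '\n';
}
```

Key `EEEEEEEEEEEEEEEE` carries a signature record naming the KDE key, but gpg marked it bad, so it stays in the lowest level; a plain `--list-sigs` listing has no check result and would give every key that level here.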

Well, this is a brief summary of what I did on this second week of GSoC, stay tuned !
