KDE Developer
|
Hi!
Notice: This idea primarily wants to improve existing KNewStuff use cases like downloading Plasmoids and allow downloading other KDE plugins like Konqueror plugins (which are primarily written in C++).

There could be a simple and secure way to allow packages written in C++ etc. in KNewStuff:

For compilation, analyze the package. For installation as root (using kdesu) you could try all these commands:
1. ./install.sh
2. When there's a CMakeLists.txt:
   cmake . -DCMAKE_INSTALL_PREFIX=`kde4-config --prefix` -DCMAKE_PREFIX=`kde4-config --prefix`
   make
   make install
3. When there's an autogen.sh:
   ./autogen.sh
   continue with 4.
4. When there's a configure or configure.sh:
   ./configure(.sh)
   make
   make install
5. When there's a .pro file:
   qmake
   make
   make install

There should be an alternative to install the package locally. Store the sources in a folder, so you'll be able to uninstall the app. Maybe KNewStuff could use checkinstall.

Certification:
It would be good to be able to certify applications. This doesn't provide full security, but it should be good enough:
1. First of all there are opendesktop admins who can maintain apps. They - and maybe a few volunteers - could become certifiers.
2. When there's a new app, certifiers can say "this app is okay" (maybe from KNewStuff).
3. When an app is certified by 3 persons, it's marked as certified.
4. For uncertified apps there would be a warning (you should have a look at the source code). For certified apps there would only be a small warning in the normal installation dialog.
5. Somebody who has created 5 certified apps would become a certifier.
6. After some time there would be enough certifiers, so it wouldn't take much time.
7. There should be a "report" button in KNewStuff. Then an admin could delete it, when the software is really evil.

Of course this system couldn't provide full security, but it could provide more security than normal package managers.
But first of all the support for compilation (and also binaries) should be implemented. The certification would also be useful for scripts.
The User
Last edited by The User on Mon Aug 03, 2009 10:09 am, edited 1 time in total.
|
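A dry-run version of the detection order in the post above, added here as an example (not code from the poster or from KNewStuff): it reports which of the numbered cases applies and which package-supplied files would be run or interpreted during an install, without executing any of them. The function names, the first-match-wins ordering and the sample package are assumptions.

```shell
#!/bin/sh
# Dry-run planner for the build-system checks listed in the post above.
# It only looks at file names; nothing from the package is executed.

# has_pro DIR: true if DIR contains at least one qmake .pro file
has_pro() {
    for f in "$1"/*.pro; do
        if [ -f "$f" ]; then return 0; fi
    done
    return 1
}

# detect_build DIR: print which numbered case of the post applies first
detect_build() {
    if   [ -f "$1/install.sh" ];     then echo install.sh
    elif [ -f "$1/CMakeLists.txt" ]; then echo cmake
    elif [ -f "$1/autogen.sh" ];     then echo autogen
    elif [ -f "$1/configure" ] || [ -f "$1/configure.sh" ]; then echo configure
    elif has_pro "$1";               then echo qmake
    else echo unknown
    fi
}

# review_list DIR: print the package-supplied files that the selected path
# would run or interpret, i.e. what has to be read before kdesu is involved
review_list() {
    dir=$1
    case $(detect_build "$dir") in
        install.sh) set -- install.sh ;;
        cmake)      set -- CMakeLists.txt ;;
        autogen)    set -- autogen.sh configure.ac Makefile.am ;;
        configure)  set -- configure configure.sh Makefile.in ;;
        qmake)      set -- ; (cd "$dir" && ls -- *.pro) ;;
        *)          set -- ;;
    esac
    for f in "$@"; do
        if [ -e "$dir/$f" ]; then echo "$f"; fi
    done
}

# Constructed sample: an autotools-style package with no install.sh
sample=$(mktemp -d)
touch "$sample/autogen.sh" "$sample/configure.ac" "$sample/README"
echo "build system: $(detect_build "$sample")"
echo "review before installing as root:"
review_list "$sample" | sed 's/^/  /'
rm -rf "$sample"
```
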
Moderator
|
The compiling idea is great. But it isn't for KDE-apps.org only. KDE-look.org has got Plasmoids which have to be compiled, too.
The last thing is about openDesktop.org so you could report it there? (The Certification idea is great, too ) |
KDE Developer
|
You're right. KDE-look.org is important.
|
KDE Developer
|
This reminds me of OpenSuse's 1-click install idea. Of course, that is designed to be used with RPMs, not with source packages.
I think this would run into all sorts of problems, though:
1. It doesn't provide any way to handle dependencies.
2. It circumvents the distribution's normal packaging, which could lead to problems with PATH and other environment variables (i.e. the user thinks he's running the system-installed app, but is really running a locally installed package).
3. Even with certificates, this isn't that secure. It would be very easy to insert a trojan horse into the install script.

I think this could be a good idea if it were restricted to plasmoids or other KDE objects. There would be a much smaller chance of any of those problems happening and because there would be fewer packages, it would be easier for a small group of admins to validate and encrypt/sign them.
|
KDE Developer
|
But it's more secure than normal package management.
And it's even more secure than blind, manual compilation. Look at the existing implementation to download scripted Plasmoids: You can put evil code into your .rb or .py scripts, you don't have any dependency resolution. But this system is accepted. So why not integrate such compilation? KNewStuff needs support for non-scripted extensions like Plasmoids or Konqueror addons.

Package management:
1. Package managers normally don't modify contents of $HOME. So for local installation there's never a package manager.
2. For global installation you could run checkinstall, insert title and description from kde-look or kde-apps and install the package using packagekit.
3. When there's a package at kde-look or kde-apps for your distribution, KNewStuff could use it.

It is already restricted to a few KDE objects. Only a few applications use KNewStuff - for example Plasma - and they would take advantage of certification and compilation. But it would also be useful for applications which don't use KNewStuff yet (for example Konqueror). But first of all those features should affect the existing use cases.
|
KDE Developer
|
this would end up being a _nightmare_ as you'd have to deal with dependencies, devel headers and then the inevitable breakage when something underneath it updates.
scripts are manageable (and sandboxable, depending on the language), compiled code not so much.
aseigo, proud to be a member of KDE forums since 2008-Oct.
|
Moderator
|
And if there would be a standard to add files:
dependencies: kde4-workspace
installcommands: cmake . ; make ; kdesu make install
So that there is information to install which could be used by the computer.
|
Administrator
|
Unfortunately different distributions use different names, so that may not always be correct.
KDE Sysadmin
|
Moderator
|
And by library or headerfile names?
|
KDE Developer
|
I don't understand your problems.
Also Ruby-packages can have dependencies. But you can install Ruby-Plasmoids and it just works. I think it should be possible with library and headerfile names. The "provide" information should be independent. Add library file names to checkinstall, then install it. But even without such information it should usually work.
|
Administrator
|
The preferred form of scripting is QtScript which is a form of ECMAScript ( or Javascript ) which is safe and has access to most of the Plasma API, as well as being included in Qt directly.
KDE Sysadmin
|
KDE Developer
|
Plasma and Ruby aren't safe and they can also be installed directly.
|
KDE Developer
|
Scanning dependencies by libraries or even header-file names is not possible because some (all?) package managers do not have lists of all files in all available packages. How should the package manager then know that "#include <Plasma/PopupApplet>" maps to kdelibs4? checkinstall is also not an option, because newstuff should only install stuff for the current user, and therefore not fiddle around with the system-global package management. Then, what are you going to do on Windows? There is nothing like a package management. The same is true for some Linux-based Live DVDs, where I still want to be able to test GetHotNewStuff.
Proud kdegames developer since 2008, and member of the KDE forums since March 2009
|
Moderator
|
The packages which have to be compiled aren't downloadable at the moment, as far as I know...
|