Mar 13, 2005

KDE Technologies: Get Hot New Stuff

There has been some recent buzz around KDE's Get Hot New Stuff framework. As the first in a series looking into KDE technologies, KDE Dot News interviewed author Josef Spillner to find out what all this "stuff" was about... read on for the interview. You may also be interested in recent blog entries about KNewStuff: Kate, desktop backgrounds, Quanta, KNewStuffSecure, its user interface design and the HotStuff server setup.

Josef Spillner

Please introduce yourself and your role in KDE.

Hi, I'm Josef Spillner, a computer sciences student from Dresden in Germany.
About 6 years ago I saw KDE for the first time, and some months afterwards
the first application written by myself appeared on my desktop. It was a simple
KTMainWindow which controlled a voxel-space flight simulation on top of kdesktop.
Needless to say it was horribly slow. But I've been writing KDE games ever since.

What is Get Hot New Stuff and KNewStuff?

The GHNS concept describes a way to let users share their digital creations.
For example, user A is using a spreadsheet application and modifies a template
which comes with it. This template can then be uploaded to a server, and
eventually be downloaded by user B by checking the contents of the
"Get Hot New Stuff" download dialogue. In the context of companies, documents
can be distributed to all employees, and in the context of the internet,
a community sharing framework is built on top of all this.

The KNewStuff library is the KDE implementation for checking which file providers
support the requested data type, and which files are available, including their
version, popularity and preview information. Files can be up- and downloaded,
digitally signed, uncompressed on the fly and more.

Where are they in use today?

Inside KDE CVS, we have Quanta+, KOrganizer, several Edutainment apps and the
desktop configuration as our patient and proud users.
Outside of KDE CVS, a bunch of games of the GGZ Gaming Zone project uses
KNewStuff to keep levels and themes current, and the move of the library to
kdelibs should encourage more projects to follow this example.

Can you give us a brief technical overview of how GHNS works?

Each application can decide for itself whether it wants upload or download or
both of them, and which file providers should be used for these tasks. The
providers can be configured on the server side so a move or scheduled outage won't
harm any users.

A download task would check for all the available files for each provider,
and compare their versions with the locally installed ones, which appears as
green (already installed) or yellow (installed but can be updated) signs to
the user.

After the installation, a post-install script might be run, which can of course
include a DCOP call so the application can be notified. There are ready-to-run
KNewStuff classes available as part of kdelibs (KNewStuffGeneric and KNewStuffSecure),
but for more complex tasks it is possible to subclass KNewStuff.

Where did you come up with the idea for GHNS?

I didn't :-)

To be fair, I first implemented level sharing in 2001 or so, but the direct
ancestors to the current library were the "Hot New Stuff" download in KOrganizer and
the KDEShare library in kdenonbeta, both of which were inspired by Torsten Rahn
of kde-artist fame, at LinuxTag 2002.

Most of the integration work was done at the KDE Kastle conference one year later.

Where would you like to see GHNS used?

One candidate would be KOffice. Another one suggested already is KDevelop with its
templates, which can easily get out of date on the target systems.
And games. All KDE games should be extensible and be flexible enough to handle
data added at runtime.

Has there been any interest from other desktops to implement GHNS?

Sporadically yes, but I'm not yet aware of any actual implementation. It would really
increase the acceptance and the usefulness - think about an artist whipping up a nice
design in Gimp, uploading it, and voilà the users getting it onto the desktops.

There is however a (highly configurable) SDL implementation written in Python,
and a custom in-game download dialogue patch written in C. Using a decent XML library
makes it easy to add other GUI frontends, but this has yet to be done.

Have you considered hosting on freedesktop.org?

Yes I have. The legitimation of freedesktop.org standards always comes from previous
usage, and with KNewStuff we have a well-working example. So I'd see this as one of
the goals of the near future. The usage in GNOME/Gtk+ will likely depend on such a move.

Do you have any plans for KDE 4?

Sure, the README.knewstuff file is full of them, as is the patches/ directory in
KStuff CVS. First, there are always small nitpicks, like the ability to configure this
or configure that, without breaking the ABI. Second, there should be tighter integration
with the KDE privacy framework. Finally, the management of installed data could be
eased, without however converting KNewStuff into a full package installer.
But there are also others hacking on the library, so more features are to be expected.

Nice name, how long did you spend thinking that up?

The name was also adopted by me, but at least I defended it rigorously :-)
Seriously, there were discussions about how it could affect users negatively, but no
one came up with a better idea, and we managed to hide the name from the users who
do not want to see it.

A nice technical solution for a non-technical problem.

References

  1. KNewStuff API documentation

  2. KNewStuff and KNewStuffSecure tutorials

  3. GHNS backend reference implementation ("Hotstuff")

  4. "KDE: Conquer your networks", talk given at the 5th Fórum Internacional Software Livre 2004

  5. "The Dynamic Desktop", talk given at the KDE Contributors Conference 2003 "Kastle"

Comments

So I am allowed to upload a PNG wallpaper that exploits a recent libpng vulnerability?

There is no "secure content" unless it is 7bit standard ASCII.
libpng and libtiff more often have security vulnerabilities than khtml and konqueror. Those mp3 player libs and video libs normally contain more buffer overflows than there are mpeg4 codecs.

So I think there is a problem to be solved.


By Hans Chen at Mon, 2005/03/14 - 6:00am

> So I am allowed to upload a PNG wallpaper that exploits a recent libpng vulnerability?

And what prevents you from sending this PNG wallpaper by email or uploading it to deviantart.com or ...


By ac at Mon, 2005/03/14 - 6:00am

KMail warns me. With Konqueror you have to actively go to a webpage, select an image and download it.

The control center only says: "Get new wallpapers". Have I overlooked the popup which says that any wallpaper might be a jpeglib/libtiff/libpng exploit?


By Hans Chen at Tue, 2005/03/15 - 6:00am

> With Konqueror you have to actively go to a webpage,
> select an image and download it.

Why do you think you have to download it? With such an exploit, don't you think it's more than enough to let Konqueror display the image, since it's using the same library to put the picture on screen as the desktop background does? Downloading the image to local disk does not make any difference. As an example, I think it would be much more effective to attach a PNG like that to a posting on the dot than through some wallpaper. KHotNewStuff does not magically create new vulnerabilities.


By Morty at Tue, 2005/03/15 - 6:00am

> So I am allowed to upload a PNG wallpaper that exploits a recent libpng vulnerability?

As you today are allowed to mail the same wallpaper to lots of people and upload it to all kinds of wallpaper sites, or you may use the exploit in a PNG placed on a website.


By Morty at Mon, 2005/03/14 - 6:00am

I'm a little disappointed in the creations of some of the KDE programmers.
What I've seen of KOffice just re-creates the wheel. Sorry, that's my feeling.

Personally, when I'm creating a document I like to work "on the fly", that is, change the tools (possibly toolbars? A challenge for a games programmer maybe). The ancient Canon Cat computer supported this: word processing tools, then you could instantly, "on the fly", switch to spreadsheet tools (with calculated fields, but not grids), to draw (now picture) tools, to database tools. You could have the equivalent of multiple windows open if you wanted to, but you did not have to in order to create a document. I would like to define the page size (and portr. or landscape) before I start though.

Is any team bright enough to create this? Or are we stuck with programmers just re-creating the same old thing???


By John F wiley at Tue, 2005/03/15 - 6:00am

awesome guys...

can't wait to see this running and get everything updated through it.


By Mathieu Jobin at Sat, 2005/03/19 - 6:00am
