[Qgis-developer] Plugin [1102] AequilibraE approval notification.

Luigi Pirelli luipir at gmail.com
Mon Dec 19 00:25:29 PST 2016


Hi Pedro,

Nothing personal; yours is a common case, since there are many
cases where external executables or shared objects need to be integrated.

We can have a way to certify this binary (e.g. a signing process, but
that could make developing plugins harder; checksums). In the meantime, I
strongly suggest having a two-phase plugin: a first phase that
prepares the running environment by downloading the so or dll from somewhere
with the user's consent, and then the running phase.

In this way you can make it easier for users to access the plugin thanks to
the QGIS repo, and work around the plugin limitations that the community set
for user security.

regards
Luigi Pirelli

**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Mastering QGIS 2nd Edition:
* https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
**************************************************************************************************


On 19 December 2016 at 08:25, Pedro Camargo <veigacamargo at gmail.com> wrote:
> Hi Luigi and Paolo,
>
> I corrected the problems you pointed out with AequilibraE and
> re-uploaded it.
>
> Luigi's concern with malicious code is a very valid one, and I would
> actually appreciate having a way to have it checked. However, I would
> appreciate it if we could find a solution that does not prevent us from having
> plugins that are compiled.
>
> As Luigi pointed out, the code is written in Cython to increase performance
> of the software, but it is still 5.5x slower than the proprietary software
> that I used as a benchmark. In a nutshell, if it cannot be compiled, it will
> never fly. So I would ask you guys to be considerate of this point.
>
> My concerns might not even be valid, and I do apologize if that is the case.
> I just must admit that, as an amateur software developer, I miss some of the
> jargon used here when talking about more technical issues on software
> development.
>
> Cheers,
> Pedro
>
> On Mon, Dec 19, 2016 at 7:18 AM, Luigi Pirelli <luipir at gmail.com> wrote:
>>
>> Hi List
>>
>> The Binary problem (?):
>> In this recently added plugin I can find Cython modules precompiled in
>> the form of pyd or so (and the related Cython code).
>> Following the presentation in: https://www.youtube.com/watch?v=zz3jbM_JBTo
>> I understand that the reason is performance, but how to prevent
>> loading malicious shared objects?
>>
>> * Probably we should start to plan a safe infrastructure to allow
>> uploading plugins with compiled modules... any idea other than a simple
>> checksum?
>>
>> The license problem (?):
>> The other question is regarding the Cython algorithm. I can read in
>>
>> https://github.com/AequilibraE/AequilibraE/blob/master/aequilibrae/paths/AoN.pyx#L23
>> "Codes for route ennumeration, DAG construction and Link nesting were
>> written by Pedro Camargo (2013) and have all their rights reserved to
>> the author"
>>
>> Obviously the author has rights reserved, and in the same code the
>> author refers to the LICENSE.txt, which is a standard GPL license:
>> here:
>> https://github.com/AequilibraE/AequilibraE/blob/master/aequilibrae/paths/AoN.pyx#L18
>> and here:
>> https://github.com/AequilibraE/AequilibraE/blob/master/LICENSE.TXT
>>
>> How should we read the "right reserved" sentence by the author?
>>
>> regards
>> Luigi Pirelli
>>
>>
>> On 18 December 2016 at 14:28,  <noreply at qgis.org> wrote:
>> >
>> > Plugin AequilibraE approval by pcav.
>> > The plugin version "[1102] AequilibraE 0.3.3" is now approved
>> > Link: http://plugins.qgis.org/plugins/AequilibraE/
>> > _______________________________________________
>> > Qgis-developer mailing list
>> > Qgis-developer at lists.osgeo.org
>> > List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>> > Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>
>
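
The two-phase plugin suggested in this message, combined with the checksum idea from the thread, sketched as an added example (not code from AequilibraE or QGIS). The fetch and ask_user callables, the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: stands in for the compiled module a plugin would fetch.
SAMPLE_BINARY = b"\x7fELF constructed sample, not a real shared object"
# Digest pinned in the reviewed, pure-Python part of the plugin.
PINNED_SHA256 = hashlib.sha256(SAMPLE_BINARY).hexdigest()


def prepare_environment(fetch, ask_user, dest_path, pinned_sha256):
    """Phase 1: install the binary only with consent and a matching digest.

    fetch() returns the downloaded bytes, ask_user(prompt) returns True/False;
    both are hypothetical callables supplied by the plugin.
    Returns "installed", "declined" or "rejected".
    """
    if not ask_user("Download compiled module %s?" % os.path.basename(dest_path)):
        return "declined"
    data = fetch()
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        return "rejected"  # nothing is written to the plugin directory
    # Write to a temp file in the same directory, then rename atomically, so a
    # partial or unverified file never sits at the path that phase 2 loads.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest_path))
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, dest_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return "installed"


def ready_to_run(dest_path, pinned_sha256):
    """Phase 2 gate: re-hash the file on disk before the plugin imports it."""
    try:
        with open(dest_path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return False
    return hmac.compare_digest(digest, pinned_sha256)
```

A matching digest only shows that the file is the one whose hash was pinned in the reviewed plugin; it says nothing about what the binary does, which is why the thread asks for something beyond a simple checksum.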

