[QGIS-Developer] Mitigating security risks of the Official Plugin Repository

Luigi Pirelli luipir at gmail.com
Thu Jan 25 15:22:32 PST 2018


Good question that can be discussed in the PR. IMHO it's not a heavy
feature request that could affect usability, but it's the opinion of a
dev with low UX capabilities.
Luigi Pirelli

**************************************************************************************************
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Mastering QGIS 2nd Edition:
* https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
* Hire me: http://goo.gl/BYRQKg
**************************************************************************************************


On 25 January 2018 at 23:37, Daniel Silk <dsilk at linz.govt.nz> wrote:
> From: Luigi Pirelli [luipir at gmail.com]
> Sent: Thursday, January 25, 2018 10:38 PM
> To: Daniel Silk
> Cc: qgis-developer at lists.osgeo.org
> Subject: Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository
>
>> as you can see reading the code in
>> https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L316-L326
>>
>> repos are got from Settings (you can install a custom one via
>> custom post install scripts) and repos are compared with the officialRepo
>> array, which is a global scope var that you can get and set via python
>>
>> import pyplugin_installer
>> print pyplugin_installer.installer_data.officialRepo
>> (u'QGIS Official Plugin Repository',
>> 'https://plugins.qgis.org/plugins/plugins.xml',
>> 'https://plugins.qgis.org/plugins')
>>
>> because it's python you can overload/alias almost everything, also
>> that function that has hardcoded params
>
> Thanks Luigi,
>
> If I do:
>
> import pyplugin_installer
> from qgis.PyQt.QtCore import QCoreApplication, QSettings  # needed for translate() and QSettings()
>
> pyplugin_installer.installer_data.officialRepo = (
>     QCoreApplication.translate(
>         'QgsPluginInstaller',
>         'QGIS Official Plugin Repository'),
>     new_url,         # URL of our internal repository's plugins.xml
>     deprecated_url,  # takes the place of the old (deprecated) repository URL
> )
>
> and also:
>
> QSettings().setValue('Qgis/plugin-repos/QGIS Official Plugin Repository/url', new_url)
>
> in my startup script then the official repository is successfully
> replaced by our internal repository. Great!
>
>> btw if you find an enhancement useful, please file a PR with your
>> general solution that can be useful to other users.
>
> If I submitted a PR that added a filter for trusted plugins similar to
> the filters for experimental and deprecated plugins, could that only
> be added to QGIS 3.2 (as a new feature)? Not 2.18?
>
> Cheers
> Daniel
>
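The replacement Daniel describes, as an added example that is not code from the thread or from QGIS: a startup script that pins the "official" repository to an internal mirror and then audits every configured repository against an allowlist, which the thread does not do. The mirror URL, allowed host, deprecated URL and the `audit_repos`/`apply_in_qgis` names are assumptions; the QSettings key is the one quoted above.

```python
# Added example, not code from the thread or from QGIS: a startup script that
# pins the "official" repository to an internal mirror (as Daniel's message
# does) and then audits every configured repository against an allowlist, so
# an unexpected or http entry is reported. INTERNAL_REPO and ALLOWED_HOSTS are
# placeholders; the QSettings key is the one quoted in the thread.
try:
    from urllib.parse import urlsplit   # Python 3 (QGIS 3.x)
except ImportError:                      # Python 2 (QGIS 2.18)
    from urlparse import urlsplit

OFFICIAL_NAME = 'QGIS Official Plugin Repository'
INTERNAL_REPO = 'https://plugins.example.internal/plugins'  # placeholder
ALLOWED_HOSTS = {'plugins.example.internal'}                 # placeholder

def audit_repos(configured):
    """configured: {repository name: url} as stored under Qgis/plugin-repos.
    Returns (name, url, reason) for every entry that violates the policy."""
    findings = []
    for name, url in configured.items():
        parts = urlsplit(url)
        if parts.scheme != 'https':
            findings.append((name, url, 'not https'))
        elif parts.hostname not in ALLOWED_HOSTS:
            findings.append((name, url, 'host not allowlisted'))
        elif name == OFFICIAL_NAME and not url.startswith(INTERNAL_REPO):
            findings.append((name, url, 'official entry not on the mirror'))
    return findings

def apply_in_qgis(new_url=INTERNAL_REPO + '/plugins.xml',
                  deprecated_url=INTERNAL_REPO):
    """Runs only inside QGIS: override officialRepo, store the mirror URL,
    then read back all repositories and warn about policy violations."""
    from qgis.PyQt.QtCore import QSettings
    import pyplugin_installer
    pyplugin_installer.installer_data.officialRepo = (
        OFFICIAL_NAME, new_url, deprecated_url)
    s = QSettings()
    s.setValue('Qgis/plugin-repos/%s/url' % OFFICIAL_NAME, new_url)
    s.beginGroup('Qgis/plugin-repos')
    configured = dict((g, s.value(g + '/url')) for g in s.childGroups())
    s.endGroup()
    for name, url, reason in audit_repos(configured):
        print('WARNING: plugin repository %r (%s): %s' % (name, url, reason))
    return configured

try:
    apply_in_qgis()
except ImportError:   # not inside QGIS (e.g. a unit test): helpers only
    pass
```

Drop the file in as the QGIS `startup.py` so it runs before the plugin installer reads its repository list; outside QGIS only the audit helper is usable.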
