<div dir="ltr">I think we have to put a level of trust in here.  If the source is available (ship it with the plugin please) and the user is trustworthy I don't see a lot of harm here.<div><br></div><div>It's not ideal to have binary downloads; however, there are some use cases for that, so I would hate to not allow it when the rest is still valid, e.g. valid license etc.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 19, 2016 at 9:49 PM, Luigi Pirelli <span dir="ltr"><<a href="mailto:luipir@gmail.com" target="_blank">luipir@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">In this case the problem is security<br>
<br>
code is available and compiled for most used platforms... but hard to<br>
certify the content of the so/dll.<br>
<br>
any opinion?<br>
<span class="">Luigi Pirelli<br>
<br>
******************************<wbr>******************************<wbr>******************************<wbr>********<br>
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com<br>
* LinkedIn: <a href="https://www.linkedin.com/in/luigipirelli" rel="noreferrer" target="_blank">https://www.linkedin.com/in/<wbr>luigipirelli</a><br>
* Stackexchange: <a href="http://gis.stackexchange.com/users/19667/luigi-pirelli" rel="noreferrer" target="_blank">http://gis.stackexchange.com/<wbr>users/19667/luigi-pirelli</a><br>
* GitHub: <a href="https://github.com/luipir" rel="noreferrer" target="_blank">https://github.com/luipir</a><br>
* Mastering QGIS 2nd Edition:<br>
* <a href="https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition" rel="noreferrer" target="_blank">https://www.packtpub.com/big-<wbr>data-and-business-<wbr>intelligence/mastering-qgis-<wbr>second-edition</a><br>
******************************<wbr>******************************<wbr>******************************<wbr>********<br>
<br>
<br>
</span><div><div class="h5">On 19 December 2016 at 09:40, Matthias Kuhn <<a href="mailto:matthias@opengis.ch">matthias@opengis.ch</a>> wrote:<br>
> Hi all<br>
><br>
> What's the main goal? Code availability? Security? Platform independency?<br>
> Just curious.<br>
><br>
> All the best<br>
> Matthias<br>
><br>
> On December 19, 2016 9:25:29 AM GMT+01:00, Luigi Pirelli <<a href="mailto:luipir@gmail.com">luipir@gmail.com</a>><br>
> wrote:<br>
>><br>
>> Hi Pedro,<br>
>><br>
>> Nothing personal, your case is a common case due to the fact that there are many<br>
>> cases where external executables or shared objects have to be integrated.<br>
>><br>
>> we can have a way to certify this binary (e.g. signing process but<br>
>> it could become harder to develop plugins, checksums). In the meantime, I<br>
>> strongly suggest to have a two-phase plugin. A first phase that<br>
>> prepares the running environment, downloading the so or dll from somewhere with<br>
>> the user's consent, and then the running phase.<br>
>><br>
>> in this way you can facilitate users to access plugin thanks to qgis<br>
>> repo, and turn around plugin limitations that community gave for user<br>
>> security.<br>
>><br>
>> regards<br>
>> Luigi Pirelli<br>
>><br>
>><br>
>><br>
>><br>
>> On 19 December 2016 at 08:25, Pedro Camargo <<a href="mailto:veigacamargo@gmail.com">veigacamargo@gmail.com</a>><br>
>> wrote:<br>
>>><br>
>>>  Hi Luigi and Paolo,<br>
>>><br>
>>>  I corrected the problems you pointed out with AequilibraE and re-uploaded it.<br>
>>><br>
>>>  Luigi's concern with malicious code is a very valid one, and I would actually appreciate to have a manner to have it checked. However, I would appreciate if we could find a solution that does not prevent us from having plugins that are compiled.<br>
>>><br>
>>>  As Luigi pointed out, the code is written in Cython to increase performance of the software, but it is still 5.5x slower than the proprietary software that I used as a benchmark. In a nutshell, if it cannot be compiled, it will never fly. So I would ask you guys to be considerate of this point.<br>
>>><br>
>>>  My concerns might not even be valid, and I do apologize if that is the case. I just must admit that, as an amateur software developer, I miss some of the jargon used here when talking about more technical issues on software development.<br>
>>><br>
>>>  Cheers,<br>
>>>  Pedro<br>
>>><br>
>>>  On Mon, Dec 19, 2016 at 7:18 AM, Luigi Pirelli<br>
>>> <<a href="mailto:luipir@gmail.com">luipir@gmail.com</a>> wrote:<br>
>>>><br>
>>>><br>
>>>>  Hi List<br>
>>>><br>
>>>>  The Binary problem (?):<br>
>>>>  In this recently added plugin I can find cython modules precompiled in<br>
>>>>  forms of pyd, or so. (and relative cython code)<br>
>>>>  Following the presentation in:<br>
>>>> <a href="https://www.youtube.com/watch?v=zz3jbM_JBTo" rel="noreferrer" target="_blank">https://www.youtube.com/watch?<wbr>v=zz3jbM_JBTo</a><br>
>>>>  I understand that the reason is performance, but how to prevent<br>
>>>>  loading malicious shared objects?<br>
>>>><br>
>>>>  * probably we should start to plan a safe infrastructure to allow<br>
>>>>  uploading plugin with compiled modules... any idea other than a simple<br>
>>>>  checksum?<br>
>>>><br>
>>>>  The license problem (?):<br>
>>>>  other question is regarding the cython algorithm. I can read in<br>
>>>><br>
>>>><br>
>>>> <a href="https://github.com/AequilibraE/AequilibraE/blob/master/aequilibrae/paths/AoN.pyx#L23" rel="noreferrer" target="_blank">https://github.com/<wbr>AequilibraE/AequilibraE/blob/<wbr>master/aequilibrae/paths/AoN.<wbr>pyx#L23</a><br>
>>>>  "Codes for route ennumeration, DAG construction and Link nesting were<br>
>>>>  written by Pedro Camargo (2013) and have all their rights reserved to<br>
>>>>  the author"<br>
>>>><br>
>>>>  Obviously the author has rights reserved, and in the same code the<br>
>>>>  author refers to the LICENSE.txt that is a standard GPL license:<br>
>>>>  here:<br>
>>>><br>
>>>> <a href="https://github.com/AequilibraE/AequilibraE/blob/master/aequilibrae/paths/AoN.pyx#L18" rel="noreferrer" target="_blank">https://github.com/<wbr>AequilibraE/AequilibraE/blob/<wbr>master/aequilibrae/paths/AoN.<wbr>pyx#L18</a><br>
>>>>  and here:<br>
>>>>  <a href="https://github.com/AequilibraE/AequilibraE/blob/master/LICENSE.TXT" rel="noreferrer" target="_blank">https://github.com/<wbr>AequilibraE/AequilibraE/blob/<wbr>master/LICENSE.TXT</a><br>
>>>><br>
>>>>  how should we have to read the "right reserved" sentence by the author?<br>
>>>><br>
>>>>  regards<br>
>>>>  Luigi Pirelli<br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>><br>
>>>>  On 18 December 2016 at 14:28,  <<a href="mailto:noreply@qgis.org">noreply@qgis.org</a>> wrote:<br>
>>>>><br>
>>>>><br>
>>>>>  Plugin AequilibraE approval by pcav.<br>
>>>>>  The plugin version "[1102] AequilibraE 0.3.3" is now approved<br>
>>>>>  Link: <a href="http://plugins.qgis.org/plugins/AequilibraE/" rel="noreferrer" target="_blank">http://plugins.qgis.org/<wbr>plugins/AequilibraE/</a><br>
>>>>> ______________________________<wbr>__<br>
>>>>><br>
>>>>>  Qgis-developer mailing list<br>
>>>>>  <a href="mailto:Qgis-developer@lists.osgeo.org">Qgis-developer@lists.osgeo.org</a><br>
>>>>>  List info: <a href="http://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer" target="_blank">http://lists.osgeo.org/<wbr>mailman/listinfo/qgis-<wbr>developer</a><br>
>>>>>  Unsubscribe: <a href="http://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer" target="_blank">http://lists.osgeo.org/<wbr>mailman/listinfo/qgis-<wbr>developer</a><br>
>><br>
>><br>
><br>
><br>
> --<br>
> Sent from my Android device with K-9 Mail. Please excuse my brevity.<br>
</div></div></blockquote></div><br></div>
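The check step of the two-phase idea discussed in this thread (fetch the compiled module, then verify it before the running phase), as an added example that is not part of the original messages or of the plugin's code. It assumes a manifest of SHA-256 digests recorded when the plugin was reviewed; the file names and contents are constructed. A matching digest shows only that the binary is the one that was reviewed, not that it was built from the shipped Cython source.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

NATIVE_SUFFIXES = (".so", ".pyd", ".dll")


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_binaries(directory, manifest):
    """Return (ok, problems) for the native modules found in `directory`.

    `manifest` maps file name -> expected SHA-256 hex digest (hypothetical
    format, pinned at review time). A binary that is not listed is reported
    too, so an extra shared object cannot ride along unnoticed.
    """
    directory = Path(directory)
    problems = []
    on_disk = {p.name for p in directory.iterdir()
               if p.suffix.lower() in NATIVE_SUFFIXES}
    for name in sorted(on_disk - set(manifest)):
        problems.append(f"unlisted binary: {name}")
    for name, expected in sorted(manifest.items()):
        path = directory / name
        if not path.is_file():
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_file(path), expected.lower()):
            problems.append(f"digest mismatch: {name}")
    return (not problems, problems)


def demo():
    """Constructed sample: one pinned module, then a modified copy plus an extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "AoN.so").write_bytes(b"constructed stand-in for a compiled module")
        manifest = {"AoN.so": sha256_file(tmp / "AoN.so")}
        clean = verify_binaries(tmp, manifest)
        (tmp / "AoN.so").write_bytes(b"modified after review")
        (tmp / "extra.pyd").write_bytes(b"not in the manifest")
        tampered = verify_binaries(tmp, manifest)
    return clean, tampered
```

The running phase would import the native modules only when `verify_binaries` returns `ok`, and show the user the list of problems otherwise.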