[Qgis-psc] Blog post for trusted plugins

Tim Sutton tim at qgis.org
Sat Aug 20 10:49:08 PDT 2016 

Hi

Just following up on this Paolo - did you see my comments below?

Regards

Tim

> On 18 Aug 2016, at 8:58 PM, Tim Sutton <tim at qgis.org> wrote:
> 
> Hi Paolo
> 
> I did a pass over to mainly make it a little easier to read. Here is my edited version. My comments follow after:
> 
> -----
> 
> The core team of QGIS strives hard to provide the most advanced and
> user friendly GIS for free use by everyone. As a corollary, we are very
> careful about security, both of our source code and of the installers,
> using state of the art technology and practices to ensure no malicious
> or dangerous code ever hits end users.
> 
> The vast majority of our plugins (listed in http://plugins.qgis.org/ <http://plugins.qgis.org/> and
> inside your copy of QGIS) are however developed by third parties, either
> individuals, companies, and institutions. As such, they are outside our
> direct control, and might represent a security risk. We are convinced
> the risk is small, because of many factors including the "many eyes"
> principle (the code is visible to everybody, and in use by thousands of
> people), but cannot exclude it the possibility that someone tries to inject malicious code into a plugin.
> 
> In order to improve the situation, we looked into the opportunity of
> implementing automatic tools to scan plugins, before their publication,
> and spot potential problems. This approach would be very difficult and costly, and
> easy to circumvent. 
> 
> We decided therefore to implement a simple yet robust approach to
> security, based on the best available evidence: trust based on personal
> knowledge. The current implementation therefore lists all plugins by
> well known members of the QGIS community, that regularly meet twice a
> year on the QGIS developer meetings, and are in almost daily contact
> with the core team, as "trusted". All the rest (and there are wonderful,
> reliable, robust, and useful plugins in the list) miss the "trusted"
> label. We would like to stress this point, does not mean that they are
> not trusted, but only that we cannot reasonably guarantee they are.
> 
> Of course, we would be delighted if a side effect of this choice would
> be to stimulate a more active involvement of plugin developers in the
> community. All plugin developers are therefore invited to join us at one
> of the next developer meetings (AKA HackFest).
> 
> ---------
> 
> I agree with Anita - I don't think that attending Hackfest meetings is a fair requirement. If it is someone we know well via other channels (e.g. Mathieu Pellerin) I think we could quite comfortable give them trusted status.
> 
> I am also quite nervous about some of the statements about how much due diligence we due in terms of security checking. Maybe we could remove the first two paragraphs above and just use more generic phrasing like:
> 
> "In the core QGIS project, every line of code that gets committed is subject to peer review when contributed by a non code developer. This gives us an opportunity to identify and correct inadvertent or intentional security issues that a developer my introduce to the code base. By contrast, all of the plugins that are published via the QGIS plugin repository are reviewed by the plugin developers themselves and we don't have good insight into how much due diligence is applied to plugin code management."
> 
> What do you think?
> 
> Regards
> 
> Tim
> 
> 
>> On 18 Aug 2016, at 7:48 PM, Paolo Cavallini <cavallini at faunalia.it <mailto:cavallini at faunalia.it>> wrote:
>> 
>> Il 18/08/2016 19:33, Giovanni Manghi ha scritto:
>> 
>>> could someone then please tag as trusted
>>> 
>>> http://plugins.qgis.org/plugins/postgis_geoprocessing/ <http://plugins.qgis.org/plugins/postgis_geoprocessing/>
>>> http://plugins.qgis.org/plugins/ntv2_transformations/
>> 
>> Done, thanks Giovanni.
>> 
>> -- 
>> Paolo Cavallini - www.faunalia.eu <http://www.faunalia.eu/>
>> QGIS & PostGIS courses: http://www.faunalia.eu/training.html <http://www.faunalia.eu/training.html>
>> _______________________________________________
>> Qgis-psc mailing list
>> Qgis-psc at lists.osgeo.org <mailto:Qgis-psc at lists.osgeo.org>
>> http://lists.osgeo.org/mailman/listinfo/qgis-psc
> 
> <qgis_icon.jpg>
> 
> 
> ---
> 
> Tim Sutton
> QGIS Project Steering Committee Chair
> tim at qgis.org <mailto:tim at qgis.org>
> 
> 
> 
> 
> _______________________________________________
> Qgis-psc mailing list
> Qgis-psc at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/qgis-psc




---

Tim Sutton
QGIS Project Steering Committee Chair
tim at qgis.org




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-psc/attachments/20160820/e830ddf1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qgis_icon.jpg
Type: image/jpeg
Size: 4642 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/qgis-psc/attachments/20160820/e830ddf1/attachment.jpg>

More information about the Qgis-psc mailing list