<div dir="ltr"><div>Dear Cynthia,</div><div><br></div><div>Thank you for your inquiry regarding QGIS software.</div><div><br></div><div>I am trying to answer your questions.</div><div><br></div><div>
Q: Is there an organization which sponsors/publishes the project ?</div><div>A1: organization: <a href="http://QGIS.ORG">QGIS.ORG</a> is an association domiciled in Switzerland - see <a href="https://www.qgis.org/en/site/getinvolved/governance/index.html">https://www.qgis.org/en/site/getinvolved/governance/index.html</a> - license wise, the project uses the GPL v2 or higher license you are probably familiar with from other open source software</div><div>A2: sponsors: we have sustaining members and donors who finance the project. You can find the lists of sustaining members in our financial reports at <a href="https://www.qgis.org/en/site/getinvolved/governance/finance/index.html">https://www.qgis.org/en/site/getinvolved/governance/finance/index.html</a> or at <a href="https://www.qgis.org/en/site/about/sustaining_members.html">https://www.qgis.org/en/site/about/sustaining_members.html</a> - in addition, most feature that find their way into QGIS are typically developed by one of our commercial support providers listed at <a href="https://www.qgis.org/en/site/forusers/commercial_support.html">https://www.qgis.org/en/site/forusers/commercial_support.html</a> - primarily the core contributors. And of course there are also individual contributions outside of such companies.<br></div><div><br></div><div>Q:
Is there a primary developer who audits the code for potential vulnerabilities, errors, or malicious code ?</div><div>A: we don't have a primary developer mainly responsible for security - but we have a small team of core developers dealing with security issues. You can reach out to them via the group email <a href="mailto:security@qgis.org">security@qgis.org</a>
</div><div><br></div><div>Q:
We have identified contributors on GitHub located in Lithuania,
Australia, Portugal, South Africa, the Netherlands, the United Kingdom,
Japan, Slovakia, Norway, France, Romania, Canada,
Italy, Brazil, Switzerland, Germany, New Zealand, Indonesia, Austria,
Tanzania, Bulgaria, Spain, the Czech Republic, and Algeria</div><div>A: This list is probably quite comprehensive but most likely not complete. We are a worldwide project - and there are almost certainly more contributing countries involved than you listed above. To get an idea who is contributing, you could start at <a href="https://github.com/qgis/QGIS/graphs/contributors">https://github.com/qgis/QGIS/graphs/contributors</a></div><div><br></div><div>We hope that this information helps you in your supply chain assessment? If you have additional questions, please reach out to us.</div><div><br></div><div>And of course - if security or other issues are of concern for NASA then we would welcome it if NASA becomes a sustaining member of <a href="http://QGIS.ORG">QGIS.ORG</a> - so that we can address such issues in a more comprehensive and thorough way.</div><div><br></div><div>Best regards,</div><div>Andreas Neumann</div><div><a href="http://QGIS.ORG">QGIS.ORG</a> PSC member<br>
</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 26 Sept 2023 at 22:06, Zhang, Cynthia X. (GSFC-710.0)[KPMG LLP] <<a href="mailto:cynthia.x.zhang@nasa.gov">cynthia.x.zhang@nasa.gov</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-4125226576488012401">
<div lang="EN-US" style="overflow-wrap: break-word;">
<div class="m_-4125226576488012401WordSection1">
<p class="MsoNormal">Hello, my name is Cynthia Zhang and I am a Supply Chain Risk Management Analyst at NASA. NASA is currently conducting a supply chain assessment of<span style="font-size:10.5pt;font-family:"Lato",sans-serif;color:rgb(21,25,32)"> QGIS</span>. We
are interested in confirming the following information:<span style="font-size:10.5pt;font-family:"Lato",sans-serif;color:rgb(21,25,32)"><u></u><u></u></span></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoNormal">Is there an organization which sponsors/publishes the project, or a primary developer who audits the code for potential vulnerabilities, errors, or malicious code? Y/N<u></u><u></u></li><li class="m_-4125226576488012401MsoListParagraph" style="margin-left:0in">We have identified contributors on GitHub located in Lithuania, Australia, Portugal, South Africa, the Netherlands, the United Kingdom, Japan, Slovakia, Norway, France, Romania, Canada,
Italy, Brazil, Switzerland, Germany, New Zealand, Indonesia, Austria, Tanzania, Bulgaria, Spain, the Czech Republic, and Algeria.<u></u><u></u></li><ol style="margin-top:0in" start="1" type="a">
<li class="m_-4125226576488012401MsoListParagraph" style="margin-left:0in">If possible, could you please confirm this information?<u></u><u></u></li></ol>
</ol>
<p class="MsoNormal">Thank you for all your help,<u></u><u></u></p>
<p class="MsoNormal"><b><span style="color:rgb(47,84,150)">Cynthia Zhang<u></u><u></u></span></b></p>
<p class="MsoNormal">SCRM Analyst | NASA<u></u><u></u></p>
<p class="MsoNormal">Supply Chain Risk Management (SCRM)<u></u><u></u></p>
<p class="MsoNormal">Office of the Chief Information Officer (OCIO)<u></u><u></u></p>
<p class="MsoNormal"><b><span style="color:gray">Mobile:</span></b><span style="color:rgb(128,96,0)">
</span>301.500.6250 |<span style="color:gray"> <b>Email:</b> </span><a href="mailto:cynthia.x.zhang@nasa.gov" target="_blank">cynthia.x.zhang@nasa.gov</a><u></u><u></u></p>
<p class="MsoNormal"><a href="https://nasa.sharepoint.com/sites/ictscrm/" target="_blank">Website</a><u></u><u></u></p>
<p class="MsoNormal"><a href="https://nasa.sharepoint.com/sites/ictscrm/" target="_blank">ICT SCRM Knowledge Center</a><b><span style="color:rgb(47,84,150)"><u></u><u></u></span></b></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><img border="0" width="150" height="63" style="width: 1.5625in; height: 0.6597in;" id="m_-4125226576488012401Picture_x0020_2" src="cid:image001.png@01D9F093.69E67530"><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
</div></blockquote></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><br>--<br>Andreas Neumann<br></div><a href="http://QGIS.ORG" target="_blank">QGIS.ORG</a> board member (treasurer)<br></div></div>