<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi all, <br>
</p>
<p>I must say I am super happy to see some action in the field of
security. I totally share the analyze and the need to move
forward. <br>
</p>
<p>Like Andreas, this initiative can only be done under the umbrella
of QGIS.org, and I pledge that the consortium behind this stays
open to all the commercial entities or benevolent that want this
topic to be tackled in good coordination. <br>
</p>
<p>I see a lot of movement in Europe, currently, and we will have to
keep in lined with possible OSGeo coordination, and also keep a
close look at other initiatives. A common entity to emit and
codify CVE's for instance. We need common tools and working
groups like OpenSSF to have best practices evaluated. <br>
<br>
For instance a "CRA Expert Group on Cybersecurity of Products" is
currently being settled by the European Commission, where OpenSSF
was just selected with Apache software foundation. There seem to
be some coordination in openforumeurope.org around these topics. I
keep an eye on their lists. <br>
</p>
<p>But let's also stay pragmatic. As Even says, we could exhaust
ourselves and our budget trying to solve any potential
vulnerability raised. We will have to clarify a priority grid,
taking account of the real exposure. This is something that
frightens me in the Cyber security domain, unlike as in real life
risk assessment (I worked a lot on flooding or avalanche public
policies). Most IT departments I see asking us about a guarantee
of a "vulnerability free" software seem not mature at all, we
already have to spend a lot of time explaining this. The plan of
action should include pedagogic material that could land in our
website, to save us some time. <br>
</p>
<p>Anyhow, all this requires the same infrastructure and common
decision making process. Our IT world is full of ISO processes
already, we probably don't have to reivent that many wheels<b>, </b>but
we need to muscle up how we take decisions in that area. QGIS.org
is inevitable here. <br>
</p>
<p><b>Last point, let's not forget that we will need more funding of
QGIS.org, just because there will be more bureaucracy to handle.
</b>I find myself am at the upper limits of how much time I can
spend on security, sharing with Jurgen most of the answers on our
security mail. I hope your big corporations will also jump into
Sustaining Membership, and that all the commercial entities will
push forward this idea. We could that way maybe spend more time
on coordination there. <br>
</p>
<p>All in all, we will see some interesting years in the future for
the whole IT world :), let's work on this :) </p>
<p>Bye<br>
</p>
<p>Régis <br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">Le 29/11/2024 à 16:02, Andreas Neumann
via QGIS-PSC a écrit :<br>
</div>
<blockquote type="cite"
cite="mid:CAB2Z92BRgGNDF3wPnx1S3vFqtjeJPBrMf9CzV18fJwkoMK0DbQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Dear Vincent,</div>
<div><br>
</div>
<div>I am responding with my personal opinion (and not
officially as the PSC).</div>
<div><br>
</div>
<div>I think it is a good initiative and necessary.</div>
<div><br>
</div>
<div>I would prefer, if this could be done "officially" by "<a
href="http://QGIS.ORG" moz-do-not-send="true">QGIS.ORG</a>"
itself, under the QGIS brand name. I want to avoid additional
fragmentation with QGIS versions only supported by certain
companies (like we had with QGIS Enterprise), or QField vs.
Mergin, Lizmap vs QGIS Web Client, etc. So I would really
prefer if this initiative would be fully endorsed by the QGIS
community and PSC, rather than being a project just by two
QGIS related companies.</div>
<div><br>
</div>
<div>Regarding financing:</div>
<div>- We could try to apply for funding from the german
"Sovereign Tech Fund". I think this security hardening is in
line with their goals.</div>
<div>- I am a bit reluctant about spending too much money from <a
href="http://QGIS.ORG" moz-do-not-send="true">QGIS.ORG</a>
on this issue, knowing that most donations to <a
href="http://QGIS.ORG" moz-do-not-send="true">QGIS.ORG</a>
are either from individual persons and small companies (1-10
employees, in some exceptions larger). Most large
multinational companies who complain about a lack of security
standards in QGIS are not donating towards <a
href="http://QGIS.ORG" moz-do-not-send="true">QGIS.ORG</a>
at all. So it would be quite unfair to use money from
individual persons and small businesses to fund the goals of
multinational corporations who have lots of funds available.</div>
<div><br>
</div>
<div>We should definitely endorse this initiative by PSC. Next
Tuesday evening is the next PSC meeting. Would be a good
opportunity for you to join and discuss the initiative.
Looking forward to further discussion.<br>
</div>
<div><br>
</div>
<div>Best regards,</div>
<div>Andreas<br>
</div>
</div>
<br>
<div class="gmail_quote gmail_quote_container">
<div dir="ltr" class="gmail_attr">On Fri, 29 Nov 2024 at 11:12,
Vincent Picavet via QGIS-PSC <<a
href="mailto:qgis-psc@lists.osgeo.org"
moz-do-not-send="true" class="moz-txt-link-freetext">qgis-psc@lists.osgeo.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi
PSC,<br>
<br>
Oslandia will be launching soon the "Security project for
QGIS". I explain the project in details below.<br>
<br>
New European regulations like NIS2 and CRA, as well as other
international or local regulations ( e.g. CISA ) will be
activated within the next couple of years. They require
software and software producers to rise their cybersecurity
practices. OpenSource softwares, while usually having a
special treatment, are concerned too.<br>
<br>
As for QGIS, we consider that we are behind what would be
sufficient to comply with these regulations. We also do not
fulfill requirements coming from our end-users, in terms of
overall software quality regarding security, processes in
place to ensure trust in the supply chain, and overall
security culture in the project.<br>
<br>
We have been discussing this topic with clients having large
deployments of QGIS and QGIS server, and they stressed the
issue, stating that cybersecurity was one of their primary
concerns, and that they are willing to see the QGIS project
move forward in this area as soon as possible.<br>
<br>
Oslandia, with other partners and backed by some of its
clients, intends to launch the "Security project for QGIS"
soon : we identified key topics where improvements can be
done, classified them, and created work packages to work on,
with budget estimations. We intend to do a call for funding
for this project, in order to get actual improvements over
2025 and 2026.<br>
<br>
We intend to work closely with the QGIS community, QGIS.org,
interested partners and users. Part of the work are
improvements over the current system, other require changes to
processes or developer's habits. Working closely with the user
and developer's community to raise our security awareness is
fully part of the project.<br>
<br>
You can see the current draft of the proposal here :<br>
<a
href="https://pad.oslandia.net/vas3e9TUTQKJVSjTseVXrQ?both#"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://pad.oslandia.net/vas3e9TUTQKJVSjTseVXrQ?both#</a><br>
<br>
Please do not share this URL publicly, as it is still a draft,
and will be moved to an official web page soon.<br>
<br>
We know that this is an ambitious project, and that some parts
will be difficult to achieve, but we think that QGIS cannot
ignore the current trend in cybersecurity enforcement, and we
know that regulations and clients requirements will force us
to move forward anyway. Planning ahead and taking the issue
seriously with the right amount of resources and efforts seems
a better way to go than being constrained to do things in a
hurry later on.<br>
<br>
We intend to launch the project soon, as some clients want to
be able to fund it on 2024 budgets, and start working as early
as January. We will first have a direct approach to potential
funders and partners though, before making a public call for
funding ( most probably before end of 2024 ).<br>
<br>
Sponsors for this project will be QGIS users directly funding
the project.<br>
<br>
Partners for this project will be :<br>
- organizations officially supporting the project and help
communicate and raise funds<br>
- organizations contributing time, effort, expertise to help
the project<br>
- subcontractors for parts of the project<br>
<br>
As for subcontracting, some items are already identified and
dedicated to partners, most of them will still have to be
defined after.<br>
<br>
As for now, apart from Oslandia, OPENGIS.ch is already an
official partner.<br>
<br>
We wanted to let the PSC / QGIS.org know about the project
before enlarging the audience, so that :<br>
- A. you can give us feedback on the project globally, and the
content specifically<br>
- B. raise any questions you would like to be answered
privately or publicly<br>
- C. indicate your thoughts on how QGIS.org would want to be
integrated into the project<br>
- D. validate project name, logo and URL<br>
<br>
As for C, we will state clearly that this project is not a
QGIS.org initiative, but a project initiated by Oslandia and
partners. QGIS.org could be a partner though, and we would be
pleased if it is, but it is clearly not mandatory. Your
decision, without any pressure ( can be later on too ).<br>
As for budget as well, we do not ask for any contribution from
QGIS.org, but QGIS.org could allocate some funding, either as
sponsor for items already included in work packages, or for
additional complimentary items ( I would rather opt for this
option, e.g. everything related to external reviews, community
meetings, legal stuff…).<br>
Also, we will recommend for any sponsor willing to contribute
less than 5000€, to fund QGIS.org instead through donations,
as we do not want to deal with small contributions for this
project ( admin burden too high ).<br>
<br>
As for D, what we need from PSC ASAP is a validation for us to
be allowed to use the following :<br>
- the project name "Security project for QGIS". Note that we
avoided naming it "QGIS Security project", to better identify
that the project is not initiated by QGIS.org. As said above,
we will be clear in the project presentation about
affiliation.<br>
- the project logo : <a
href="https://pad.oslandia.net/uploads/68ed0fc7-a6e3-4a93-8b6a-34ba2335c7dc.png"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://pad.oslandia.net/uploads/68ed0fc7-a6e3-4a93-8b6a-34ba2335c7dc.png</a><br>
- the url we intend to use : <a
href="http://security.qgis.oslandia.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">security.qgis.oslandia.com</a>
. Again, it makes no doubt on affiliation.<br>
<br>
Should you have any remark on these items, do not hesitate to
raise them.<br>
<br>
Next step are :<br>
- [x] contact QGIS PSC to present the initiative<br>
- [ ] integrate feedbacks into the project presentation<br>
- [ ] finish project presentation material<br>
- [ ] contact some more potential partners<br>
- [ ] get first pledges from users for WP1<br>
- [ ] launch public call for funding<br>
<br>
I am available to discuss the matter, do not hesitate to
contact me for further info or discussion.<br>
<br>
Best regards,<br>
Vincent<br>
<br>
<br>
<br>
-- <br>
Vincent Picavet<br>
Président @ oslandia<br>
News : <a href="http://oslandia.com/newsletter"
rel="noreferrer" target="_blank" moz-do-not-send="true">oslandia.com/newsletter</a><br>
20D3 5950 81EF AA17 0522 9F46 50E2 E4B6 EA67 A3B7<br>
<br>
_______________________________________________<br>
QGIS-PSC mailing list<br>
<a href="mailto:QGIS-PSC@lists.osgeo.org" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">QGIS-PSC@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/qgis-psc"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.osgeo.org/mailman/listinfo/qgis-psc</a><br>
</blockquote>
</div>
<div><br clear="all">
</div>
<br>
<span class="gmail_signature_prefix">-- </span><br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div><br>
--<br>
Andreas Neumann<br>
</div>
<a href="http://QGIS.ORG" target="_blank"
moz-do-not-send="true">QGIS.ORG</a> board member (treasurer)<br>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre wrap="" class="moz-quote-pre">_______________________________________________
QGIS-PSC mailing list
<a class="moz-txt-link-abbreviated" href="mailto:QGIS-PSC@lists.osgeo.org">QGIS-PSC@lists.osgeo.org</a>
<a class="moz-txt-link-freetext" href="https://lists.osgeo.org/mailman/listinfo/qgis-psc">https://lists.osgeo.org/mailman/listinfo/qgis-psc</a>
</pre>
</blockquote>
<div id="grammalecte_menu_main_button_shadow_host"
style="width: 0px; height: 0px;"></div>
</body>
</html>