[Qgis-developer] Plugins repository policy

Larry Shaffer larrys at dakotacarto.com
Sat Mar 10 10:43:42 EST 2012


On Sat, Mar 10, 2012 at 3:04 AM, Alexander Bruy
<alexander.bruy at gmail.com> wrote:
> ...
> We can't be sure that 3rd party binaries are safe and there are no security
> risks (especially on Windows). Python code can be verified by user. I know
> that not all users are programmers but at least this is possible. But verifying
> a binary file is almost impossible.

I've been using the Mac version of QGIS, compiled and packaged by a
'third party' (Mr. Kyngesburye), for years. I have run his installers
and compiled programs countless times, just as any other regular Mac
QGIS user.

Almost all of his installers require administrator rights, including
the one for QGIS. I have no easy way of completely verifying his
installers and the compiled programs they install. I, as an admin
user, make the decision to install or not. I trust that Mr.
Kyngesburye compiles valid, useful gis tools, and is not installing
anything funky on my Mac.

This should be the same for plugins. Let the user decide. However, the
user should be informed, if a plugin requires additional software,
regardless of origin, at the appropriate time. I agree that the plugin
installer should not, by default, allow arbitrary installation of
compiled programs, but this shouldn't be a roadblock for potential

> 2012/3/10  <benoit-3 at bc-consult.com>:
>> ...
>> IMHO, a plugin should work out of the box, on all platforms.
>> The "Experimental" flag could be used for such plugins that require
>> compilation or other third parties elements that are not delivered in
>> standard.

There are many plugins that do not work 'out of the box.' IPython for
example. On my Mac, I recently had to compile the zeromq package to
get its python bindings to work. It was totally worth the effort,
though I doubt most regular Mac users would do this. This should not
mean that the plugin remains eternally stuck in the 'Experimental'
category, especially if it is stable for use otherwise.

I have spent many, many hours working on a plugin for QGIS that
requires the QScintilla PyQt binding. While this can be included in
the source builds for QGIS (which I'd like to see), I have, for now,
pre-compiled small versions of Qsci.so for both 10.6 and 10.7 Mac
OSes. I do not see my small 'third party' installer of compiled
software as anything different than what Mr. Kyngesburye is providing.
Nor do I see it as any different than explaining to an Ubuntu user to
run 'apt-get python-qscintilla2' (also requiring admin permission).

I agree there needs to be some modicum of control, but I can't imagine
the state of add-ons for Firefox, if Mozilla took the same tack. I
think having plugins not install binaries via the plugin installer,
and their developers clearly notifying the user of any extra installs
is enough. Let the users decide beyond that.


Larry Shaffer
Dakota Cartography
Black Hills, South Dakota