[Qgis-developer] Plugins repository policy

Giuseppe Sucameli brush.tyler at gmail.com
Sat Mar 10 12:04:52 EST 2012

Hi Larry,

On Sat, Mar 10, 2012 at 4:43 PM, Larry Shaffer <larrys at dakotacarto.com> wrote:
> On Sat, Mar 10, 2012 at 3:04 AM, Alexander Bruy
> <alexander.bruy at gmail.com> wrote:
>> ...
>> We can't be sure that 3rd party binaries are safe and there are no security
>> risks (especially on Windows). Python code can be verified by the user. I know
>> that not all users are programmers but at least this is possible. But verifying
>> a binary file is almost impossible.
> I've been using the Mac version of QGIS, compiled and packaged by a
> 'third party' (Mr. Kyngesburye), for years. I have run his installers
> and compiled programs countless times, just as any other regular Mac
> QGIS user.

It's not the same...
If Kyngchaos were not Kyngchaos, his packages would not be on the
QGis download page.

> This should be the same for plugins. Let the user decide.

I do not agree.
In the plugins repo anyone can create a new plugin, so it would
be very unsafe to allow compiled code which nobody can verify.

The user expects that a plugin in the QGis repository is safe,
otherwise this can strongly damage the QGis reputation.

> However, the
> user should be informed, if a plugin requires additional software,
> regardless of origin, at the appropriate time.

+1, this work is partially done by the plugins installer, which shows
a message when a Python module is missing, but the message is not
intuitive enough for users.

Let's try to simplify life for users:

if the plugin's author adds important information (e.g. required libs) to
a README file, the plugins repo may display it on the plugin
page (like GitHub does).

Wouldn't that be enough?


>> 2012/3/10  <benoit-3 at bc-consult.com>:
>>> ...
>>> IMHO, a plugin should work out of the box, on all platforms.
>>> The "Experimental" flag could be used for such plugins that require
>>> compilation or other third-party elements that are not delivered as
>>> standard.
> There are many plugins that do not work 'out of the box.' IPython for
> example. On my Mac, I recently had to compile the zeromq package to
> get its python bindings to work. It was totally worth the effort,
> though I doubt most regular Mac users would do this. This should not
> mean that the plugin remains eternally stuck in the 'Experimental'
> category, especially if it is stable for use otherwise.
> I have spent many, many hours working on a plugin for QGIS that
> requires the QScintilla PyQt binding. While this can be included in
> the source builds for QGIS (which I'd like to see), I have, for now,
> pre-compiled small versions of Qsci.so for both 10.6 and 10.7 Mac
> OSes. I do not see my small 'third party' installer of compiled
> software as anything different than what Mr. Kyngesburye is providing.
> Nor do I see it as any different than explaining to an Ubuntu user to
> run 'apt-get python-qscintilla2' (also requiring admin permission).
> I agree there needs to be some modicum of control, but I can't imagine
> the state of add-ons for Firefox, if Mozilla took the same tack. I
> think having plugins not install binaries via the plugin installer,
> and their developers clearly notifying the user of any extra installs
> is enough. Let the users decide beyond that.
> Regards,
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota

Giuseppe Sucameli
