[Qgis-developer] Plugins repository policy

Larry Shaffer larrys at dakotacarto.com
Sat Mar 10 13:41:35 EST 2012


Hi Giuseppe,

On Sat, Mar 10, 2012 at 10:04 AM, Giuseppe Sucameli
<brush.tyler at gmail.com> wrote:
> Hi Larry,
>
> On Sat, Mar 10, 2012 at 4:43 PM, Larry Shaffer <larrys at dakotacarto.com> wrote:
>> On Sat, Mar 10, 2012 at 3:04 AM, Alexander Bruy
>> <alexander.bruy at gmail.com> wrote:
>>> ...
>>> We can't be sure that 3rd party binaries are safe and there are no security
>>> risks (especially on Windows). Python code can be verified by user. I know
>>> that not all users are programmers but at least this is possible. But verifying
>>> a binary file is almost impossible.
>>
>> I've been using the Mac version of QGIS, compiled and packaged by a
>> 'third party' (Mr. Kyngesburye), for years. I have run his installers
>> and compiled programs countless times, just as any other regular Mac
>> QGIS user.
>
> it's not the same...
> If Kyngchaos were not Kyngchaos his packages would not be in the
> QGis download page.

Agreed, though I'm not sure how apparent this is to new Mac users. I
would venture to guess that some users are concerned when a fairly
large-scale open source project links to an individual's web site for
downloads. I certainly don't have any issues with it, but I haven't
been a regular Mac user for quite a while, so my perspective may be off
the mark on this. Seems I remember a time when standalone versions of
QGIS were available via the qgis.org site as well. Like other users I
went with Kyngchaos.com because his installers offer more versatility,
e.g. frameworks, offer a more complete workflow, with GRASS, etc., and
are diligently prepared.

>> This should be the same for plugins. Let the user decide.
>
> I do not agree.
> In the plugins repo anyone can create a new plugin, so it would
> be very unsafe to allow compiled code which nobody can verify.
>
> The user expects that a plugin in the QGis repository is safe,
> otherwise this can strongly damage the QGis reputation.

I agree 100%. Sorry if my words may have implied I think compiled
software should be in the Official plugin repo. That would be bad, as you
have noted. Let me clarify... by plugin installer, I, by proxy, guess
I meant the base repo as well. Isn't there a movement away from third
party repos entirely? When is that anticipated?


>> However, the
>> user should be informed, if a plugin requires additional software,
>> regardless of origin, at the appropriate time.
>
> +1, this work is partially done from the plugins installer which shows
> a message when a python module is missing, but the message is not
> intuitive enough for users.
>
> Let's try to simplify life for users:
>
> if the plugin's author adds important information (e.g. required libs) to
> a README file, the plugins repo may display them in the plugin
> page (like GitHub does).
>
> Wouldn't it be enough?
>
>

Yes. How about a bit further and have __init__.py/metadata sections
listing external dependencies and a description of what they are for?
(Or have I missed that option?) Then the user can be warned
programmatically even if they have downloaded and manually installed
the plugin. The user would be warned on attempted load of the plugin,
regardless of how it was installed. Similar to the notifications for
dependencies in Linux package managers, but not to the point of
exhibiting loading errors, like with missing Python modules.


Similar side note: Here is the not-quite-finished, 'component missing'
notification and link to small installer that I am planning for my
plugin release [0]. With my plugin's approach, a user can install the
base Python plugin, peruse the documentation, tutorial and partial
tool set, then judge if they want to download the additional installer
or uninstall the plugin.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

[0] http://dl.dropbox.com/u/4058089/qgis/qsci/help/qsci-missing.html
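The dependency declaration sketched in the message above (plugin metadata listing external components and what they are for, with the loader warning the user instead of failing), as an added example that is not part of this thread or of QGIS itself; the `external_dependencies` key, the `kind:name:purpose` entry format and the sample metadata are constructed assumptions.

```python
import configparser
import importlib.util
import shutil

# Constructed sample metadata.txt. [general], name and version follow the QGIS
# layout; 'external_dependencies' is a hypothetical key, one entry per line.
SAMPLE_METADATA = """\
[general]
name=Example Plugin
version=0.1
external_dependencies=
    python:json:reading the plugin's settings file
    python:no_such_module_xyz:optional raster statistics
    binary:no_such_tool_xyz:external conversion helper
"""

def parse_external_dependencies(metadata_text):
    """Return (kind, name, purpose) tuples declared in the metadata."""
    cfg = configparser.ConfigParser()
    cfg.read_string(metadata_text)
    raw = cfg.get("general", "external_dependencies", fallback="")
    deps = []
    for line in raw.splitlines():
        line = line.strip()
        if line:
            kind, name, purpose = (p.strip() for p in line.split(":", 2))
            deps.append((kind, name, purpose))
    return deps

def missing_dependencies(deps):
    """Locate each component without importing or executing it, so a
    missing one yields a warning rather than an ImportError on load."""
    missing = []
    for kind, name, purpose in deps:
        if kind == "python":
            present = importlib.util.find_spec(name) is not None
        elif kind == "binary":
            present = shutil.which(name) is not None
        else:
            raise ValueError("unknown dependency kind: %r" % kind)
        if not present:
            missing.append((kind, name, purpose))
    return missing

def load_warning(metadata_text):
    """Text to show the user when the plugin is loaded; '' if all found."""
    missing = missing_dependencies(parse_external_dependencies(metadata_text))
    lines = ["  - %s %r (used for %s)" % m for m in missing]
    return "\n".join(["Components this plugin needs were not found:"] + lines) if missing else ""
```

Because the check only looks components up rather than importing them, the plugin can still load its documentation and partial tool set while the user decides whether to fetch the rest.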