[Qgis-developer] Plugin [1102] AequilibraE approval notification.

Luigi Pirelli luipir at gmail.com
Mon Dec 19 03:49:22 PST 2016


In this case the problem is security.

Code is available and compiled for the most used platforms... but it is hard to
certify the content of the .so/.dll.

Any opinion?
Luigi Pirelli

**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Mastering QGIS 2nd Edition:
* https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
**************************************************************************************************


On 19 December 2016 at 09:40, Matthias Kuhn <matthias at opengis.ch> wrote:
> Hi all
>
> What's the main goal? Code availability? Security? Platform independency?
> Just curious.
>
> All the best
> Matthias
>
> On December 19, 2016 9:25:29 AM GMT+01:00, Luigi Pirelli <luipir at gmail.com>
> wrote:
>>
>> Hi Pedro,
>>
>> Nothing personal; your case is a common one, due to the many cases
>> where external executables or shared objects have to be integrated.
>>
>> We could have a way to certify this binary (e.g. a signing process, though
>> it could make developing plugins harder, or checksums). In the meantime, I
>> strongly suggest having a two-phase plugin: a first phase that
>> prepares the running environment by downloading the .so or .dll from somewhere with
>> the user's consent, and then the running phase.
>>
>> In this way you can make it easier for users to access the plugin through the QGIS
>> repo, and work around the plugin limitations that the community set for user
>> security.
>>
>> regards
>> Luigi Pirelli
>>
>>
>>
>>
>> On 19 December 2016 at 08:25, Pedro Camargo <veigacamargo at gmail.com>
>> wrote:
>>>
>>>  Hi Luigi and Paolo,
>>>
>>>  I corrected the problems you pointed out with AequilibraE and
>>>  re-uploaded it.
>>>
>>>  Luigi's concern with malicious code is a very valid one, and I would
>>>  actually appreciate having a way to have it checked. However, I would
>>>  appreciate it if we could find a solution that does not prevent us from
>>>  having plugins that are compiled.
>>>
>>>  As Luigi pointed out, the code is written in Cython to increase the
>>>  performance of the software, but it is still 5.5x slower than the
>>>  proprietary software that I used as a benchmark. In a nutshell, if it
>>>  cannot be compiled, it will never fly. So I would ask you guys to be
>>>  considerate of this point.
>>>
>>>  My concerns might not even be valid, and I do apologize if that is the
>>>  case. I just must admit that, as an amateur software developer, I miss
>>>  some of the jargon used here when talking about more technical issues
>>>  on software development.
>>>
>>>  Cheers,
>>>  Pedro
>>>
>>>  On Mon, Dec 19, 2016 at 7:18 AM, Luigi Pirelli
>>> <luipir at gmail.com> wrote:
>>>>
>>>>
>>>>  Hi List
>>>>
>>>>  The binary problem (?):
>>>>  In this recently added plugin I can find Cython modules precompiled in
>>>>  the form of .pyd or .so (and the corresponding Cython code).
>>>>  Following the presentation in:
>>>> https://www.youtube.com/watch?v=zz3jbM_JBTo
>>>>  I understand that the reason is performance, but how do we prevent
>>>>  loading malicious shared objects?
>>>>
>>>>  * Probably we should start to plan a safe infrastructure to allow
>>>>  uploading plugins with compiled modules... any idea other than a simple
>>>>  checksum?
>>>>
>>>>  The license problem (?):
>>>>  The other question is regarding the Cython algorithm. I can read in
>>>>
>>>>
>>>> https://github.com/AequilibraE/AequilibraE/blob/master/aequilibrae/paths/AoN.pyx#L23
>>>>  "Codes for route ennumeration, DAG construction and Link nesting were
>>>>  written by Pedro Camargo (2013) and have all their rights reserved to
>>>>  the author"
>>>>
>>>>  Obviously the author has rights reserved, and in the same code the
>>>>  author refers to the LICENSE.txt, which is a standard GPL license:
>>>>  here:
>>>>
>>>> https://github.com/AequilibraE/AequilibraE/blob/master/aequilibrae/paths/AoN.pyx#L18
>>>>  and here:
>>>>  https://github.com/AequilibraE/AequilibraE/blob/master/LICENSE.TXT
>>>>
>>>>  How should we read the "rights reserved" sentence by the author?
>>>>
>>>>  regards
>>>>  Luigi Pirelli
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>  On 18 December 2016 at 14:28,  <noreply at qgis.org> wrote:
>>>>>
>>>>>
>>>>>  Plugin AequilibraE approval by pcav.
>>>>>  The plugin version "[1102] AequilibraE 0.3.3" is now approved
>>>>>  Link: http://plugins.qgis.org/plugins/AequilibraE/
>>>>> ________________________________
>>>>>
>>>>>  Qgis-developer mailing list
>>>>>  Qgis-developer at lists.osgeo.org
>>>>>  List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>>>>>  Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>>
>>
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
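Luigi's "two-phase" suggestion (download the .so/.dll with the user's consent, then run) still leaves open what the plugin does with the bytes it fetched. The following is an added example, not AequilibraE or QGIS code, of the download phase pinning each prebuilt module to a SHA-256 recorded in the plugin's pure-Python part (the part a reviewer can read), writing the download to a temporary file, verifying the digest of what landed on disk, and only then moving it into place; the run phase re-checks the digest before every import, so a module swapped after installation is refused. FAKE_MODULE, MANIFEST, the "AoN.so" file name, the platform tag format and the fetch callable are all constructed for the example.

```python
"""Pin a prebuilt extension module (.so/.pyd) to a SHA-256 before it is
placed where Python will import it, and re-check it on every load.

Added example, not AequilibraE or QGIS code. FAKE_MODULE, MANIFEST and the
file names used with it are constructed for illustration.
"""
import hashlib
import hmac
import os
import platform
import sys
import tempfile


class VerificationError(Exception):
    """Raised when a downloaded or installed module does not match its pin."""


# Constructed stand-in for a compiled module; a real download would be the
# bytes fetched from the URL the plugin author publishes.
FAKE_MODULE = b"\x7fELF" + b"constructed stand-in for a compiled Cython module" * 64

# Manifest shipped in the pure-Python part of the plugin:
# platform tag -> expected SHA-256 of the module built for that platform.
MANIFEST = {
    "linux-x86_64": hashlib.sha256(FAKE_MODULE).hexdigest(),  # constructed value
}


def platform_tag() -> str:
    """Key used to pick the MANIFEST entry (the tag format is an assumption)."""
    return f"{sys.platform}-{platform.machine()}"


def sha256_file(path: str) -> str:
    """Hash what is actually on disk, streamed, not a buffer still in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def install_verified(blob: bytes, expected_hex: str, dest_path: str) -> str:
    """Phase one: write the download to a temp file beside dest_path, verify
    the digest of the bytes on disk, then rename into place atomically.
    On any failure the temp file is removed and dest_path is left untouched."""
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    os.makedirs(dest_dir, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(blob)
        actual = sha256_file(tmp)
        if not hmac.compare_digest(actual, expected_hex.lower()):
            raise VerificationError(
                f"{os.path.basename(dest_path)}: got {actual}, expected {expected_hex}")
        os.replace(tmp, dest_path)  # either the verified file appears, or nothing does
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return dest_path


def verified_path(dest_path: str, expected_hex: str) -> str:
    """Phase two, before every import: refuse a module that is missing or
    whose on-disk digest no longer matches the pin (swapped after install)."""
    if not os.path.isfile(dest_path):
        raise VerificationError(f"{dest_path} is not installed")
    actual = sha256_file(dest_path)
    if not hmac.compare_digest(actual, expected_hex.lower()):
        raise VerificationError(f"{dest_path} changed on disk: {actual}")
    return dest_path


def prepare_module(fetch, plugin_dir: str, name: str, manifest=MANIFEST, tag=None) -> str:
    """Tie the two phases together. `fetch(tag)` is a hypothetical callable
    the plugin supplies; it returns the downloaded bytes once the user has
    consented. Returns the path that is safe to hand to the importer."""
    tag = tag or platform_tag()
    if tag not in manifest:
        raise VerificationError(f"no pinned build for {tag}")
    dest = os.path.join(plugin_dir, name)
    if not os.path.isfile(dest):
        install_verified(fetch(tag), manifest[tag], dest)
    return verified_path(dest, manifest[tag])
```

The pin only proves the module is byte-for-byte the one whose hash the plugin author committed alongside the readable Python; it says nothing about what that module does, which is exactly the gap "hard to certify the content of the .so/.dll" describes. A signature over the manifest would let the repository check who published the hashes, but the review problem for the compiled code itself remains.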

