[Qgis-developer] Plugin [1102] AequilibraE approval notification.
Luigi Pirelli
luipir at gmail.com
Mon Dec 19 03:49:22 PST 2016
In this case the problem is security
code is available and compiled for most used platforms... but hard to
certify the content of the so/dll.
any opinion?
Luigi Pirelli
**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Mastering QGIS 2nd Edition:
* https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
**************************************************************************************************
On 19 December 2016 at 09:40, Matthias Kuhn <matthias at opengis.ch> wrote:
> Hi all
>
> What's the main goal? Code availability? Security? Platform independency?
> Just curious.
>
> All the best
> Matthias
>
> On December 19, 2016 9:25:29 AM GMT+01:00, Luigi Pirelli <luipir at gmail.com>
> wrote:
>>
>> Hi Pedro,
>>
>> Nothing personal, your case is a common case due the fact to many
>> cases where to integrate external executables or shared objects.
>>
>> we can have a way to certificate this binary (e.g. signing process but
>> could become harder develop plugins, checksums). In the meantime, I
>> strongly suggest to a have a two phase plugin. A first phase that
>> prepare running environment downloading so or dll from someware with
>> the user consensous, and then the running phase.
>>
>> in this way you can facilitate users to access plugin thanks to qgis
>> repo, and turn around plugin limitations that community gave for user
>> security.
>>
>> regards
>> Luigi Pirelli
>>
>>
>> **************************************************************************************************
>> * Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
>> * LinkedIn: https://www.linkedin.com/in/luigipirelli
>> * Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
>> * GitHub: https://github.com/luipir
>> * Mastering QGIS 2nd Edition:
>> *
>> https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
>>
>> **************************************************************************************************
>>
>>
>> On 19 December 2016 at 08:25, Pedro Camargo <veigacamargo at gmail.com>
>> wrote:
>>>
>>> Hi Luigi and Paolo,
>>>
>>> I corrected the problems you pointed out with AequilibraE and
>>>
>>> re-uploaded it.
>>>
>>> Luigi's concern with malicious code is a very valid one, and I would
>>> actually appreciate to have a manner to have it checked. However, I
>>> would
>>> appreciate if we could find a solution that does not prevent us from
>>> having
>>> plugins that are compiled.
>>>
>>> As Luigi pointed out, the code is written in Cython to increase
>>> performance
>>> of the software, but it is still 5.5x slower than the proprietary
>>> software
>>> that I used as a benchmark. In a nutshell, if it cannot be compiled, it
>>> will
>>> never fly. So I would ask you guys to be considerate of this point.
>>>
>>> My concerns might not even be valid, and I do apologize if that is the
>>> case.
>>> I just must admit that, as an amateur software developer, I miss some of
>>> the
>>> jargon used here when talking about more technical issues on software
>>> development.
>>>
>>> Cheers,
>>> Pedro
>>>
>>> On Mon, Dec 19, 2016 at 7:18 AM, Luigi Pirelli
>>> <luipir at gmail.com> wrote:
>>>>
>>>>
>>>> Hi List
>>>>
>>>> The Binary problem (?):
>>>> In this recently added plugin I can find cython modules precompiled in
>>>> forms odf pyd, or so. (and relative cython code)
>>>> Following the presentation in:
>>>> https://www.youtube.com/watch?v=zz3jbM_JBTo
>>>> I understand that the reason is performance, but how to prevent
>>>> loading malicious shared objects?
>>>>
>>>> * probably we should start to plan a safe infrastructure to allow
>>>> uploading plugin with compiled modules... any idea other than a simple
>>>> checksum?
>>>>
>>>> The license problem (?):
>>>> other question is regarding the cython algorithm. I can read in
>>>>
>>>>
>>>> https://github.com/AequilibraE/AequilibraE/blob/master/aequilibrae/paths/AoN.pyx#L23
>>>> "Codes for route ennumeration, DAG construction and Link nesting were
>>>> written by Pedro Camargo (2013) and have all their rights reserved to
>>>> the author"
>>>>
>>>> Obviously the author has right reserved, an in the same code the
>>>> author refer to the LICENSE.txt that is a standard GPL license:
>>>> here:
>>>>
>>>> https://github.com/AequilibraE/AequilibraE/blob/master/aequilibrae/paths/AoN.pyx#L18
>>>> and here:
>>>> https://github.com/AequilibraE/AequilibraE/blob/master/LICENSE.TXT
>>>>
>>>> how should we have to read the "right reserved" sencence by the author?
>>>>
>>>> regards
>>>> Luigi Pirelli
>>>>
>>>>
>>>>
>>>> **************************************************************************************************
>>>> * Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
>>>> * LinkedIn: https://www.linkedin.com/in/luigipirelli
>>>> * Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
>>>> * GitHub: https://github.com/luipir
>>>> * Mastering QGIS 2nd Edition:
>>>> *
>>>>
>>>> https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
>>>>
>>>>
>>>> **************************************************************************************************
>>>>
>>>>
>>>> On 18 December 2016 at 14:28, <noreply at qgis.org> wrote:
>>>>>
>>>>>
>>>>> Plugin AequilibraE approval by pcav.
>>>>> The plugin version "[1102] AequilibraE 0.3.3" is now approved
>>>>> Link: http://plugins.qgis.org/plugins/AequilibraE/
>>>>> ________________________________
>>>>>
>>>>> Qgis-developer mailing list
>>>>> Qgis-developer at lists.osgeo.org
>>>>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>>>>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>>
>>
>> ________________________________
>>
>> Qgis-developer mailing list
>> Qgis-developer at lists.osgeo.org
>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
More information about the Qgis-developer
mailing list