[Qgis-developer] Plugin [1102] AequilibraE approval notification.

Nathan Woodrow madmanwoo at gmail.com
Mon Dec 19 04:08:29 PST 2016 

I think we have to put a level of trust in here.  If the source is
available (ship it with the plugin please) and the user is trustworthy I
don't see a lot of harm here.

It's not ideal to have binary downloads however there are some use cases
for that so I would hate to not allow it when the rest is still valid e.g
valid license etc.

On Mon, Dec 19, 2016 at 9:49 PM, Luigi Pirelli <luipir at gmail.com> wrote:

> In this case the problem is security
>
> code is available and compiled for most used platforms... but hard to
> certify the content of the so/dll.
>
> any opinion?
> Luigi Pirelli
>
> ************************************************************
> **************************************
> * Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
> * LinkedIn: https://www.linkedin.com/in/luigipirelli
> * Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
> * GitHub: https://github.com/luipir
> * Mastering QGIS 2nd Edition:
> * https://www.packtpub.com/big-data-and-business-
> intelligence/mastering-qgis-second-edition
> ************************************************************
> **************************************
>
>
> On 19 December 2016 at 09:40, Matthias Kuhn <matthias at opengis.ch> wrote:
> > Hi all
> >
> > What's the main goal? Code availability? Security? Platform independency?
> > Just curious.
> >
> > All the best
> > Matthias
> >
> > On December 19, 2016 9:25:29 AM GMT+01:00, Luigi Pirelli <
> luipir at gmail.com>
> > wrote:
> >>
> >> Hi Pedro,
> >>
> >> Nothing personal, your case is a common case due the fact to many
> >> cases where to integrate external executables or shared objects.
> >>
> >> we can have a way to certificate this binary (e.g. signing process but
> >> could become harder develop plugins, checksums). In the meantime, I
> >> strongly suggest to a have a two phase plugin. A first phase that
> >> prepare running environment downloading so or dll from someware with
> >> the user consensous, and then the running phase.
> >>
> >> in this way you can facilitate users to access plugin thanks to qgis
> >> repo, and turn around plugin limitations that community gave for user
> >> security.
> >>
> >> regards
> >> Luigi Pirelli
> >>
> >>
> >> ************************************************************
> **************************************
> >> * Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
> >> * LinkedIn: https://www.linkedin.com/in/luigipirelli
> >> * Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
> >> * GitHub: https://github.com/luipir
> >> * Mastering QGIS 2nd Edition:
> >> *
> >> https://www.packtpub.com/big-data-and-business-
> intelligence/mastering-qgis-second-edition
> >>
> >> ************************************************************
> **************************************
> >>
> >>
> >> On 19 December 2016 at 08:25, Pedro Camargo <veigacamargo at gmail.com>
> >> wrote:
> >>>
> >>>  Hi Luigi and Paolo,
> >>>
> >>>             I corrected the problems you pointed out with AequilibraE
> and
> >>>
> >>> re-uploaded it.
> >>>
> >>>  Luigi's concern with malicious code is a very valid one, and I would
> >>>  actually appreciate to have a manner to have it checked. However, I
> >>> would
> >>>  appreciate if we could find a solution that does not prevent us from
> >>> having
> >>>  plugins that are compiled.
> >>>
> >>>  As Luigi pointed out, the code is written in Cython to increase
> >>> performance
> >>>  of the software, but it is still 5.5x slower than the proprietary
> >>> software
> >>>  that I used as a benchmark. In a nutshell, if it cannot be compiled,
> it
> >>> will
> >>>  never fly. So I would ask you guys to be considerate of this point.
> >>>
> >>>  My concerns might not even be valid, and I do apologize if that is the
> >>> case.
> >>>  I just must admit that, as an amateur software developer, I miss some
> of
> >>> the
> >>>  jargon used here when talking about more technical issues on software
> >>>  development.
> >>>
> >>>  Cheers,
> >>>  Pedro
> >>>
> >>>  On Mon, Dec 19, 2016 at 7:18 AM, Luigi Pirelli
> >>> <luipir at gmail.com> wrote:
> >>>>
> >>>>
> >>>>  Hi List
> >>>>
> >>>>  The Binary problem (?):
> >>>>  In this recently added plugin I can find cython modules precompiled
> in
> >>>>  forms odf pyd, or so. (and relative cython code)
> >>>>  Following the presentation in:
> >>>> https://www.youtube.com/watch?v=zz3jbM_JBTo
> >>>>  I understand that the reason is performance, but how to prevent
> >>>>  loading malicious shared objects?
> >>>>
> >>>>  * probably we should start to plan a safe infrastructure to allow
> >>>>  uploading plugin with compiled modules... any idea other than a
> simple
> >>>>  checksum?
> >>>>
> >>>>  The license problem (?):
> >>>>  other question is regarding the cython algorithm. I can read in
> >>>>
> >>>>
> >>>> https://github.com/AequilibraE/AequilibraE/blob/
> master/aequilibrae/paths/AoN.pyx#L23
> >>>>  "Codes for route ennumeration, DAG construction and Link nesting were
> >>>>  written by Pedro Camargo (2013) and have all their rights reserved to
> >>>>  the author"
> >>>>
> >>>>  Obviously the author has right reserved, an in the same code the
> >>>>  author refer to the LICENSE.txt that is a standard GPL license:
> >>>>  here:
> >>>>
> >>>> https://github.com/AequilibraE/AequilibraE/blob/
> master/aequilibrae/paths/AoN.pyx#L18
> >>>>  and here:
> >>>>  https://github.com/AequilibraE/AequilibraE/blob/master/LICENSE.TXT
> >>>>
> >>>>  how should we have to read the "right reserved" sencence by the
> author?
> >>>>
> >>>>  regards
> >>>>  Luigi Pirelli
> >>>>
> >>>>
> >>>>
> >>>> ************************************************************
> **************************************
> >>>>  * Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT
> com
> >>>>  * LinkedIn: https://www.linkedin.com/in/luigipirelli
> >>>>  * Stackexchange: http://gis.stackexchange.com/
> users/19667/luigi-pirelli
> >>>>  * GitHub: https://github.com/luipir
> >>>>  * Mastering QGIS 2nd Edition:
> >>>>  *
> >>>>
> >>>> https://www.packtpub.com/big-data-and-business-
> intelligence/mastering-qgis-second-edition
> >>>>
> >>>>
> >>>> ************************************************************
> **************************************
> >>>>
> >>>>
> >>>>  On 18 December 2016 at 14:28,  <noreply at qgis.org> wrote:
> >>>>>
> >>>>>
> >>>>>  Plugin AequilibraE approval by pcav.
> >>>>>  The plugin version "[1102] AequilibraE 0.3.3" is now approved
> >>>>>  Link: http://plugins.qgis.org/plugins/AequilibraE/
> >>>>> ________________________________
> >>>>>
> >>>>>  Qgis-developer mailing list
> >>>>>  Qgis-developer at lists.osgeo.org
> >>>>>  List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> >>>>>  Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> >>
> >>
> >> ________________________________
> >>
> >> Qgis-developer mailing list
> >> Qgis-developer at lists.osgeo.org
> >> List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> >> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> >
> >
> > --
> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
> _______________________________________________
> Qgis-developer mailing list
> Qgis-developer at lists.osgeo.org
> List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20161219/151331a4/attachment.html>

More information about the Qgis-developer mailing list