[Qgis-developer] About my plugins ...

Tim Sutton tim at qgis.org
Sat Oct 15 15:07:46 PDT 2016


Hi

Roberto, I echo the comments from Victor and Nathan below - we are hosting executable code in the plugin repo and the approval process is only meant to protect our users and ourselves from people with malicious intent. The rationale is explained here:

http://blog.qgis.org/2016/08/26/what-are-trusted-plugins/

Note that the above article was heavily reviewed by myself and fellow members of the PSC before posting it. In my opinion we don't actually go far enough in the review process, but unfortunately we don't have the time and resources to do more. I think the review criteria are pretty minimal (contactable author, publicly hosted code, licensed under the GPL, not shipping binary blobs, etc.) and should not prove to be a huge burden to any developer.

Could you share some specific ideas about how we could improve the process, whilst moving towards better security rather than away from it? Any reasonable and practical suggestions would be adopted without any issue I think...

Best Regards

Tim


> On 15 Oct 2016, at 4:59 PM, Nathan Woodrow <madmanwoo at gmail.com> wrote:
> 
> Thanks Even.
> 
> Even is right. Security is the main reason that this is implemented this way; there was a lot of discussion around this when we put it in place.
> Trusted authors have auto-approved plugins, but until an author gets to that point it requires moderation by one of the team for now.
> 
> There might be other things we can do to increase the level of security around this, but these will also increase the level of complexity of the system: signed packages, etc. This all takes time and effort.
> 
> - Nathan
> 
> 
> 
> On Sat, Oct 15, 2016 at 11:55 PM, Even Rouault <even.rouault at spatialys.com> wrote:
> On Saturday 15 October 2016 15:32:42, Geo DrinX wrote:
> > 2016-10-14 8:42 GMT+02:00 Nathan Woodrow <madmanwoo at gmail.com>:
> > > Hey,
> > >
> > > Have you raised this as an issue with us? Can't really fix anything if
> > > it's not raised.
> > >
> > > What do you suggest we do to make it better?
> > >
> > > Regards,
> > > Nathan
> >
> > Well, good question.  I thank you for asking me the question.
> >
> > My opinion is: there is no need to have an approval process.  What is it
> > for?
> > Who judges the job, maybe months, another programmer, who is giving to the
> > community that has developed because of its usefulness ?
> > Maybe Richard Stallman ?   By chance Gary Sherman  ?
> > Probably would not do it even they.
> >
> > I think right now the approval of the plugin is only a manifestation of
> > power.
> >
> > It is nothing but this.
> >
> > Imagine Wikipedia with prior approval.   It would be composed of only ten
> > pages.
> > Imagine OpenStreetMap. Only two roads.  Rather than a free map of the world!
> >
> > Make free plugins. As long as you are on time.
> 
> There's an important difference. Neither contributing *data* to Wikipedia nor
> OpenStreetMap involves security risk for users of those databases. On the
> contrary, contributing a plugin to QGIS is contributing *code* that will run
> with the privileges of the user running QGIS, so potentially stealing data /
> destroying data / installing malware / doing whatever nasty thing you can imagine.
> 
> Making a plugin available in the default repository is like accepting a code
> contribution to QGIS core. That involves some form of trust in the
> contributor.
> 
> >
> >
> > geodrinx
> >
> > > On Fri, Oct 14, 2016 at 4:35 PM, Geo DrinX <geodrinx at gmail.com> wrote:
> > >> Good morning   :)
> > >>
> > >>
> > >> I am here to inform you that I just removed from the repository the
> > >> latest plugin version 3.0.4 of GEarthView, and also my other plugins.
> > >>
> > >> I have taken this decision to draw your attention on the mechanism of
> > >> the plugin approval, which I think is totally insufficient and
> > >> inadequate.
> > >>
> > >> I recommend you review this procedure and pay more attention to whom is
> > >> dealing with it, which should be a technical person, and not another.
> > >>
> > >> I am sorry for the difficulties that my decision will cause to
> > >> unsuspecting users of my plugin, but they can continue to download my
> > >> plugin from my official repository on github.
> > >>
> > >> I thank you for your attention
> > >>
> > >>
> > >> Best Regards
> > >>
> > >> Roberto (geodrinx)
> > >>
> > >> _______________________________________________
> > >> Qgis-developer mailing list
> > >> Qgis-developer at lists.osgeo.org
> > >> List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> > >> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> 
> --
> Spatialys - Geospatial professional services
> http://www.spatialys.com
> 




---

Tim Sutton
QGIS Project Steering Committee Chair
tim at qgis.org