[QGIS-Developer] QGIS Plugin site

Dalheimer, Jan jan.dalheimer at sweco.se
Fri Feb 14 01:26:13 PST 2025


Slightly related: https://github.com/qgis/QGIS-Enhancement-Proposals/issues/284

I think a good (although not necessarily easy) solution would be to introduce code signing. A first step could just be to enable signed plugins to be uploaded/downloaded and allowing users to trust a given public key, using something like OpenPGP. This would already provide a bit of additional security by ensuring that the code has not been tampered with between the developer and the user, and for example internal plugins could be signed using a key that's trusted organization-wide using some suitable configuration file. The next, and arguably harder, step would then be to introduce a list of pre-trusted keys.

Another aspect is that of responsibility and how deep the trust should go. If I have signed a plugin I've developed (or QGIS.org has set a certain quality level for a plugin, or something else), does that mean I've/QGIS.org have assumed responsibility in case the code does something bad? What if, to the best of my knowledge, it does not, but a user installs it in a QGIS environment with different versions of Python packages, which results in a massive data loss bug? Most likely the answer is a clear "there's no further responsibility than there already is today", but that should be made clear as there otherwise will be users who blindly trust something as long as there is a gold badge next to it.

Regards,
Jan Dalheimer
Sweco
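To make the signing scheme sketched above concrete, here is an added example (written for this page; it is not QGIS code and not the poster's own). It assumes two things QGIS does not define: an organisation-wide JSON config that lists trusted public keys by fingerprint, and a JSON signature envelope shipped next to the plugin archive. Because the Python standard library has no OpenPGP or asymmetric primitives, a small RSASSA-PKCS1-v1_5/SHA-256 implementation with toy-sized keys stands in for the OpenPGP signature; the trust-store and install-gate logic is what the example is about, and it shows each outcome the mail implies: a trusted signer, an archive tampered with in transit, a signer the organisation has not trusted, and an unsigned upload.

```python
import hashlib
import json
import random

# Minimal RSASSA-PKCS1-v1_5 with SHA-256 (RFC 8017) using only the stdlib. It stands
# in for the OpenPGP signature proposed in the mail; 1024-bit keys are a toy size so
# the demo runs in about a second (real signing: OpenPGP, >=3072-bit RSA or Ed25519).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
_rng = random.SystemRandom()

def _is_probable_prime(n, rounds=32):  # Miller-Rabin; callers only pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:  # top two bits set, so p * q has exactly 2 * bits bits
        c = _rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(c):
            return c

def generate_keypair(bits=1024):
    """Return (public, private) key dicts with e = 65537."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:  # 65537 is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": 65537}, {"n": p * q, "d": pow(65537, -1, phi)}

def _encode_message(data, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data) as an int; k = modulus length in bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign(priv, data):
    k = (priv["n"].bit_length() + 7) // 8
    return pow(_encode_message(data, k), priv["d"], priv["n"]).to_bytes(k, "big")

def verify(pub, data, sig):
    k = (pub["n"].bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")  # compare the whole recovered encoding, not just the hash
    return s < pub["n"] and pow(s, pub["e"], pub["n"]) == _encode_message(data, k)

def fingerprint(pub):  # stable key id: SHA-256 over big-endian modulus and exponent
    k = (pub["n"].bit_length() + 7) // 8
    return hashlib.sha256(pub["n"].to_bytes(k, "big") + pub["e"].to_bytes(4, "big")).hexdigest()

# Assumed formats (nothing QGIS defines): an org-wide JSON config that lists trusted
# public keys by fingerprint, and a JSON signature envelope shipped next to the archive.
def load_trust_store(config_json):
    """fingerprint -> public key; entries whose key material does not hash to their
    fingerprint are dropped, so an edited config cannot smuggle in a key."""
    keys = {fp: {"n": int(e["n"], 16), "e": e["e"]}
            for fp, e in json.loads(config_json)["trusted_keys"].items()}
    return {fp: pub for fp, pub in keys.items() if fingerprint(pub) == fp}

def make_envelope(priv, pub, archive):
    return json.dumps({"key_fingerprint": fingerprint(pub), "sig": sign(priv, archive).hex()})

def verify_plugin(archive, envelope_json, trust_store):
    """Install gate. Returns (ok, reason); each failure mode is distinguishable."""
    if envelope_json is None:
        return False, "unsigned"
    try:
        env = json.loads(envelope_json)
        fp, sig = str(env["key_fingerprint"]), bytes.fromhex(env["sig"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed signature"
    if fp not in trust_store:
        return False, "signer not trusted"
    return (True, "ok") if verify(trust_store[fp], archive, sig) else (False, "bad signature")

def demo():  # trusted developer, tampered archive, unknown signer, unsigned upload
    dev_pub, dev_priv = generate_keypair()
    other_pub, other_priv = generate_keypair()
    config = {"trusted_keys": {fingerprint(dev_pub): {
        "owner": "internal GIS team", "n": format(dev_pub["n"], "x"), "e": dev_pub["e"]}}}
    store = load_trust_store(json.dumps(config))
    archive = b"PK\x03\x04 constructed stand-in for the bytes of demo_plugin.zip"
    envelope = make_envelope(dev_priv, dev_pub, archive)
    tampered = archive[:-1] + bytes([archive[-1] ^ 1])
    return {"trusted": verify_plugin(archive, envelope, store),
            "tampered": verify_plugin(tampered, envelope, store),
            "unknown_signer": verify_plugin(archive, make_envelope(other_priv, other_pub, archive), store),
            "unsigned": verify_plugin(archive, None, store)}
```

Two design points carry over to any real implementation: the installer decides on the key fingerprint, not on a developer name in metadata.txt, so a second "trusted plugin" from an unknown key is refused rather than silently accepted; and the trust store re-derives each fingerprint from the key material it loads, so a trusted identifier cannot be reused for a different key by editing the config. The same `verify_plugin` gate would also be the natural place for a later list of pre-trusted keys, which is just a second trust store merged with the organisation's own.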

-----Original Message-----
From: QGIS-Developer <qgis-developer-bounces at lists.osgeo.org> On Behalf Of Raymond Nijssen via QGIS-Developer
Sent: 14 February 2025 08:41
To: qgis-developer at lists.osgeo.org
Subject: Re: [QGIS-Developer] QGIS Plugin site

Maybe this can be replaced by something similar, but more reliable and fair?

Recently, a customer of mine asked me if there was a list of plugins that can be trusted. They felt vulnerable having all QGIS users in the organisation downloading any plugin (= python code) and running it. On the other hand, QGIS without plugins is pretty useless.

I was thinking about an option for plugins to get a quality tag, for example when it has multiple developers reviewing each other's code. Or a certified company reviewing plugin code. Like the certified companies for education? Or uploading/updating a "trusted plugin" costs 100 euros, and the one approving the plugin code gets that money?

All pretty hard to set up I think, but I also understand the need.

Maybe someone here has a better idea?

Raymond


On 2/14/25 08:23, Alessandro Pasotti via QGIS-Developer wrote:
> 
> 
> On Thu, Feb 13, 2025 at 1:02 AM Emma Hain via QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:
> 
>     Hi All
>     Lova, the site looks amazing and thanks for all of your work on it.
> 
>     I am asking on behalf of one of my clients how does a plugin become
>     featured?
> 
> 
> 
> Back in the days when the plugin site was designed and the plugins 
> were just a couple of dozen, it seemed nice to have a way to showcase 
> what we (the small QGIS community) thought were the most amazing; 
> it was an editorial choice.
> 
> I guess it doesn't make much sense to keep that list nowadays.
> 
> --
> Alessandro Pasotti
> QCooperative: http://www.qcooperative.net
> ItOpen: http://www.itopen.it
> 
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

_______________________________________________
QGIS-Developer mailing list
QGIS-Developer at lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

