From harishkumar.jayakumar at springbord.com Wed Jul 1 22:47:46 2026 From: harishkumar.jayakumar at springbord.com (HarishKumar J, (Springbord)) Date: Thu, 2 Jul 2026 11:17:46 +0530 Subject: [QGIS-Developer] PostgreSQL vulnerability in the QGIS application In-Reply-To: References: Message-ID: Hi There, I hope you are well! We are currently using QGIS version 4.0.3 and have identified that it comes bundled with PostgreSQL version 17.0.3. Our security monitoring has flagged multiple high-priority vulnerabilities within this version of PostgreSQL (including CVE-2025-4207 and others). According to PostgreSQL security recommendations, a secure version would be 17.10 or higher. Could you please confirm if there is a newer release of QGIS that bundles a secure version of PostgreSQL? Additionally, if a bundled update is not yet available, please advise on the recommended process for upgrading the internal PostgreSQL component to version 17.10 or above without impacting the QGIS application's stability. Thanks, Harish -------------- next part -------------- An HTML attachment was scrubbed... URL: From dror.bogin at gmail.com Wed Jul 1 23:47:10 2026 From: dror.bogin at gmail.com (Dror Bogin) Date: Thu, 2 Jul 2026 09:47:10 +0300 Subject: [QGIS-Developer] PostgreSQL vulnerability in the QGIS application In-Reply-To: References: Message-ID: Hi Harish, Neither the standalone nor the OSGeo4W installations of QGIS come with a prebundled PostgreSQL installation. Since it sounds like you installed QGIS in an organization, it is mostly recommended to use the LTR (Long Term Release) version (currently 3.44) in that setting, not the newest version. The first LTR of QGIS 4.x is planned to release in October, with QGIS 4.2.4. On Thu, 2 Jul 2026 at 08:48, HarishKumar J, (Springbord) via QGIS-Developer wrote: > Hi There, > > I hope you are well! > > We are currently using QGIS version 4.0.3 and have identified that it > comes bundled with PostgreSQL version 17.0.3. > > Our security monitoring has flagged multiple high-priority vulnerabilities > within this version of PostgreSQL (including CVE-2025-4207 and others). > According to PostgreSQL security recommendations, a secure version would be > 17.10 or higher. > > Could you please confirm if there is a newer release of QGIS that bundles > a secure version of PostgreSQL? Additionally, if a bundled update is not > yet available, please advise on the recommended process for upgrading the > internal PostgreSQL component to version 17.10 or above without impacting > the QGIS application's stability. > > Thanks, > Harish > _______________________________________________ > QGIS-Developer mailing list > QGIS-Developer at lists.osgeo.org > List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer > Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer > -------------- next part -------------- An HTML attachment was scrubbed... URL: From harishkumar.jayakumar at springbord.com Thu Jul 2 00:33:09 2026 From: harishkumar.jayakumar at springbord.com (HarishKumar J, (Springbord)) Date: Thu, 2 Jul 2026 13:03:09 +0530 Subject: [QGIS-Developer] PostgreSQL vulnerability in the QGIS application In-Reply-To: References: Message-ID: Dear Dror, Thank you for the clarification regarding the bundled installations. Based on your recommendation to use the Long Term Release (LTR) version for organizational settings, we will look into the current LTR 3.44. We will also monitor the upcoming release of QGIS 4.2.4 in October. Since QGIS does not come with a prebundled PostgreSQL installation, we will investigate our internal deployment process to identify how PostgreSQL 17.0.3 was included and proceed with the necessary upgrades independently. Thanks Harish On Thu, Jul 2, 2026 at 12:17?PM Dror Bogin wrote: > Hi Harish, > > Neither the standalone nor the OSGeo4W installations of QGIS come with a > prebundled PostgreSQL installation. > Since it sounds like you installed QGIS in an organization, it is mostly > recommended to use the LTR (Long Term Release) version (currently 3.44) in > that setting, not the newest version. > The first LTR of QGIS 4.x is planned to release in October, with QGIS > 4.2.4. > > On Thu, 2 Jul 2026 at 08:48, HarishKumar J, (Springbord) via > QGIS-Developer wrote: > >> Hi There, >> >> I hope you are well! >> >> We are currently using QGIS version 4.0.3 and have identified that it >> comes bundled with PostgreSQL version 17.0.3. >> >> Our security monitoring has flagged multiple high-priority >> vulnerabilities within this version of PostgreSQL (including CVE-2025-4207 >> and others). According to PostgreSQL security recommendations, a secure >> version would be 17.10 or higher. >> >> Could you please confirm if there is a newer release of QGIS that bundles >> a secure version of PostgreSQL? Additionally, if a bundled update is not >> yet available, please advise on the recommended process for upgrading the >> internal PostgreSQL component to version 17.10 or above without impacting >> the QGIS application's stability. >> >> Thanks, >> Harish >> _______________________________________________ >> QGIS-Developer mailing list >> QGIS-Developer at lists.osgeo.org >> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer >> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From regis.haubourg at gmail.com Thu Jul 2 02:21:22 2026 From: regis.haubourg at gmail.com (=?UTF-8?Q?R=C3=A9gis_Haubourg?=) Date: Thu, 2 Jul 2026 11:21:22 +0200 Subject: [QGIS-Developer] PostgreSQL vulnerability in the QGIS application In-Reply-To: References: Message-ID: <722c5837-0c90-4f42-b58d-ed926c04c9ea@gmail.com> Hi , Your scanner finds Postgres CVE because OSGEO4W ships clients for postgresql, ie psql, libpq and common libs. The CVE catalog often mix client and server together, which can be a reason for false positives. Please check if the CVE concerns the client, in which case, you can raise the issue on the security list security at qgis.org, which is private ... because security is one a the few reasons were we fix things privately and disclose them afterward . From what I read "Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected." , libpq is affected, so yes, this version is concerned. Please be all aware that the whole numeric ecosystems faces massive CVE disclosure because (or thanks to) AI helping security researchers. We do our best to upgrade libraries as soon as critical vulnerabilities are confirmed. For lower level vulnerabilities, we keep on track with our monthly release schedule. To sum up : - for production and IT deployment, please stick to LTR - please continue to raise your scanner issues on security at qgis.org, after having checked the latest installers before - please consider subscribing to a QGIS sustaining membership. We are trying to get enough fund so that permanent staff can handle this security and compliance wave. If you make value from QGIS, and consider security and digital strategic autonomy priorities , our membership is easy to find at https://www.qgis.org/#sustaining-members . Best regards Bien cordialement, R?gis Haubourg On 02/07/2026 09:33, HarishKumar J, (Springbord) via QGIS-Developer wrote: > Dear Dror, > > Thank you for the clarification regarding the bundled installations. > > Based on your recommendation to use the Long Term Release (LTR) > version for organizational settings, we will look into the current LTR > 3.44. We will also monitor the upcoming release of QGIS 4.2.4 in October. > > Since QGIS does not come with a prebundled PostgreSQL installation, we > will investigate our internal deployment process to identify how > PostgreSQL 17.0.3 was included and proceed with the necessary upgrades > independently. > > Thanks > Harish > > > On Thu, Jul 2, 2026 at 12:17?PM Dror Bogin wrote: > > Hi Harish, > > Neither the standalone nor the OSGeo4W installations of QGIS come > with a prebundled PostgreSQL installation. > Since it sounds like you installed QGIS in an organization, it is > mostly recommended to use the LTR (Long Term Release) version > (currently 3.44) in that setting, not the newest version. > The first LTR of QGIS 4.x is planned to release in October, with > QGIS 4.2.4. > > On Thu, 2 Jul 2026 at 08:48, HarishKumar J, (Springbord) via > QGIS-Developer wrote: > > Hi There, > > I hope you are well! > > We are currently using QGIS version 4.0.3 and have identified > that it comes bundled with PostgreSQL version 17.0.3. > > Our security monitoring has flagged multiple high-priority > vulnerabilities within this version of PostgreSQL (including > CVE-2025-4207 and others). According to PostgreSQL security > recommendations, a secure version would be 17.10 or higher. > > Could you please confirm if there is a newer release of QGIS > that bundles a secure version of PostgreSQL? Additionally, if > a bundled update is not yet available, please advise on the > recommended process for upgrading the internal PostgreSQL > component to version 17.10 or above without impacting the QGIS > application's stability. > > Thanks, > Harish > _______________________________________________ > QGIS-Developer mailing list > QGIS-Developer at lists.osgeo.org > List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer > Unsubscribe: > https://lists.osgeo.org/mailman/listinfo/qgis-developer > > > _______________________________________________ > QGIS-Developer mailing list > QGIS-Developer at lists.osgeo.org > List info:https://lists.osgeo.org/mailman/listinfo/qgis-developer > Unsubscribe:https://lists.osgeo.org/mailman/listinfo/qgis-developer -------------- next part -------------- An HTML attachment was scrubbed... URL: From rdmailings at duif.net Thu Jul 2 02:30:15 2026 From: rdmailings at duif.net (Richard Duivenvoorde) Date: Thu, 2 Jul 2026 11:30:15 +0200 Subject: [QGIS-Developer] PostgreSQL vulnerability in the QGIS application In-Reply-To: References: Message-ID: There is (for what I know) no PostgreSQL database server installation, but there IS a PostgreSQL-client(!) lib included. Not sure if we are talking about the same thing here? CVE-2025-4207 says it affects libpq, which I think is part of the client? According to the osgeo4w packager we are on 18.4 since (from 17.3)... yesterday... https://github.com/jef-n/OSGeo4W/blob/998472c3de1c3b51615033638c1910c5e5e28173/src/libpq/osgeo4w/package.sh Not exactly sure when this will be part of new installers. Regards, Richard Duivenvoorde On 7/2/26 09:33, HarishKumar J, (Springbord) via QGIS-Developer wrote: > Dear Dror, > > Thank you for the clarification regarding the bundled installations. > > Based on your recommendation to use the Long Term Release (LTR) version for organizational settings, we will look into the current LTR 3.44. We will also monitor the upcoming release of QGIS 4.2.4 in October. > > Since QGIS does not come with a prebundled PostgreSQL installation, we will investigate our internal deployment process to identify how PostgreSQL 17.0.3 was included and proceed with the necessary upgrades independently. > > Thanks > Harish > > > On Thu, Jul 2, 2026 at 12:17?PM Dror Bogin > wrote: > > Hi Harish, > > Neither the standalone nor the OSGeo4W installations of QGIS come with a prebundled PostgreSQL installation. > Since it sounds like you installed QGIS in an organization, it is mostly recommended to use the LTR (Long Term Release) version (currently 3.44) in that setting, not the newest version. > The first LTR of QGIS 4.x is planned to release in October, with QGIS 4.2.4. > > On Thu, 2 Jul 2026 at 08:48, HarishKumar J, (Springbord) via QGIS-Developer > wrote: > > Hi There, > > I hope you are well! > > We are currently using QGIS version 4.0.3 and have identified that it comes bundled with PostgreSQL version 17.0.3. > > Our security monitoring has flagged multiple high-priority vulnerabilities within this version of PostgreSQL (including CVE-2025-4207 and others). According to PostgreSQL security recommendations, a secure version would be 17.10 or higher. > > Could you please confirm if there is a newer release of QGIS that bundles a secure version of PostgreSQL? Additionally, if a bundled update is not yet available, please advise on the recommended process for upgrading the internal PostgreSQL component to version 17.10 or above without impacting the QGIS application's stability. > > Thanks, > Harish > _______________________________________________ > QGIS-Developer mailing list > QGIS-Developer at lists.osgeo.org > List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer > Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer > > > _______________________________________________ > QGIS-Developer mailing list > QGIS-Developer at lists.osgeo.org > List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer > Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer From gdt at lexort.com Thu Jul 2 05:02:22 2026 From: gdt at lexort.com (Greg Troxel) Date: Thu, 02 Jul 2026 08:02:22 -0400 Subject: [QGIS-Developer] PostgreSQL vulnerability in the QGIS application In-Reply-To: (HarishKumar J.'s message of "Thu, 2 Jul 2026 11:17:46 +0530") References: Message-ID: "HarishKumar J, (Springbord) via QGIS-Developer" writes: > We are currently using QGIS version 4.0.3 and have identified that it comes > bundled with PostgreSQL version 17.0.3. You should understand that qgis is fundamentally a source code release, and that therefore it is incorrect in general to speak of it as having a specific associated postgresql version. It is likely that you are using some specific bundled installer that also contains dependencies, for a specific operating system -- but you did not give any information about that. > Could you please confirm if there is a newer release of QGIS that bundles a > secure version of PostgreSQL? Additionally, if a bundled update is not yet > available, please advise on the recommended process for upgrading the > internal PostgreSQL component to version 17.10 or above without impacting > the QGIS application's stability. This is open source, and you are (legally) able to modify the control files for the bundle and produce your own updated installers -- and then contribute changes back. Given your organization's security concerns, you may wish to hire an employee or consultant who can help with this. I would expect that the cost of consulting or a managed build service would be far below the cost of proprietary licenses for proprietary GIS software. Separately, if you are concerned about stability, it is a surprising and perhaps unwise choice to be using 4.0.3. qgis continues to recommend 3.44.x as the stable version. From andreaerdna at libero.it Sun Jul 5 23:34:17 2026 From: andreaerdna at libero.it (Andrea Giudiceandrea) Date: Mon, 6 Jul 2026 08:34:17 +0200 Subject: [QGIS-Developer] equals_exact confusion Message-ID: Hi Stefanos and list, I also have the feeling that the current implementation is not very clear. I apologise I cannot elaborate more since I'm travelling for a few weeks. Regards. Andrea Il 30/06/2026 20:27, Stefanos Natsis via QGIS-Developer ha scritto: > I'm afraid that the current implementation may lead to user confusion, > because now one can use: From lova at kartoza.com Mon Jul 6 01:11:50 2026 From: lova at kartoza.com (Lova Andriarimalala) Date: Mon, 6 Jul 2026 11:11:50 +0300 Subject: [QGIS-Developer] QGIS.org Website Maintenance tasks Message-ID: Hello everyone, We are planning maintenance tasks on the QGIS.org website today between 11:00 and 13:00 UTC; access to the website might be slightly disturbed during that time. We apologies for any inconvenience that this might cause. Thank you for your understanding. Best regards, Lova Andriarimalala *QGIS Full Stack Developer * *T *: +27(0) 87 809 2702 *E *: lova at kartoza.com *W* : kartoza.com *This email and any attachments are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you * *have received this email in error, please notify the sender immediately and delete it from your system. Unauthorised use, disclosure, or copying* *of the contents is prohibited.* -------------- next part -------------- An HTML attachment was scrubbed... URL: From lova at kartoza.com Mon Jul 6 06:13:12 2026 From: lova at kartoza.com (Lova Andriarimalala) Date: Mon, 6 Jul 2026 16:13:12 +0300 Subject: [QGIS-Developer] Coming soon: QGIS Plugins Website v4.0.0 Message-ID: Hello everyone, We are getting ready to release version v4.0.0 of the QGIS Plugins Website ( plugins.qgis.org), planned for 13 July 2026. Here is a heads up on what is coming. This will be our first major release that adopts a proper announcement and release schedule. It will include major improvements and changes related to the security checks and plugins auto-approval; and a new feature for Qt6 compatibility check which was funded by Oslandia (oslandia.com) and developed by @florentfougeres . The full preview about the planned changes is on our blog: https://blog.qgis.org/2026/07/06/coming-soon-qgis-plugins-website-v4-0-0/. Please carefully review each point as there might be some actions required from your side. If anything here is a concern, please raise an issue at https://github.com/qgis/QGIS-Plugins-Website/issues before 13 July 2026 while we can still adjust. Thank you for being part of the QGIS plugin community. Best regards, The QGIS Plugins Website team Lova Andriarimalala *QGIS Full Stack Developer * *T *: +27(0) 87 809 2702 *E *: lova at kartoza.com *W* : kartoza.com *This email and any attachments are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you * *have received this email in error, please notify the sender immediately and delete it from your system. Unauthorised use, disclosure, or copying* *of the contents is prohibited.* -------------- next part -------------- An HTML attachment was scrubbed... URL: From bo.victor.thomsen at gmail.com Wed Jul 8 06:54:00 2026 From: bo.victor.thomsen at gmail.com (Bo Victor Thomsen) Date: Wed, 8 Jul 2026 15:54:00 +0200 Subject: [QGIS-Developer] PostgreSQL vulnerability in the QGIS application In-Reply-To: References: Message-ID: Harish - As of today, You have 2 options to get the desired postgres upgrades (18.4.1): * Install the latest LTR version af QGIS, ver. 3.44.12. It comes with version 18.4.1 of pqlib (Postgres communication). * Install the newest version of QGIS, version 4.2.0 . It too, comes with pqlib version 18.4.1. Version 4.2.*0* is an "Early adopter" version -? not yet suited for enterprise use. However, If you can wait, version 4.2*.4*, will be the new LRT version around October 30, 2026. Med venlig hilsen / Best regards Bo Victor Thomsen On 02-07-2026 07:47, HarishKumar J, (Springbord) via QGIS-Developer wrote: > Hi There, > > I hope you are well! > > We are currently using QGIS version 4.0.3 and have identified that it > comes bundled with PostgreSQL version 17.0.3. > > Our security monitoring has flagged multiple high-priority > vulnerabilities within this version of PostgreSQL (including > CVE-2025-4207 and others). According to PostgreSQL security > recommendations, a secure version would be 17.10 or higher. > > Could you please confirm if there is a newer release of QGIS that > bundles a secure version of PostgreSQL? Additionally, if a bundled > update is not yet available, please advise on the recommended process > for upgrading the internal PostgreSQL component to version 17.10 or > above without impacting the QGIS application's stability. > > Thanks, > Harish > > _______________________________________________ > QGIS-Developer mailing list > QGIS-Developer at lists.osgeo.org > List info:https://lists.osgeo.org/mailman/listinfo/qgis-developer > Unsubscribe:https://lists.osgeo.org/mailman/listinfo/qgis-developer -------------- next part -------------- An HTML attachment was scrubbed... URL: From gdt at lexort.com Wed Jul 8 08:36:21 2026 From: gdt at lexort.com (Greg Troxel) Date: Wed, 08 Jul 2026 11:36:21 -0400 Subject: [QGIS-Developer] PostgreSQL vulnerability in the QGIS application In-Reply-To: (Bo Victor Thomsen via's message of "Wed, 8 Jul 2026 15:54:00 +0200") References: Message-ID: Bo Victor Thomsen via QGIS-Developer writes: > As of today, You have 2 options to get the desired postgres upgrades > (18.4.1): > > * Install the latest LTR version af QGIS, ver. 3.44.12. It comes with > version 18.4.1 of pqlib (Postgres communication). > * Install the newest version of QGIS, version 4.2.0 . It too, comes > with pqlib version 18.4.1. > > Version 4.2.*0* is an "Early adopter" version -? not yet suited for > enterprise use. However, If you can wait, version 4.2*.4*, will be > the new LRT version around October 30, 2026. But qgis *source code* does not come with postgresql at all. You are talking about a particular binary package, and I think it would be helpful if messages describing binary packages identify the binary package, every time. From bo.victor.thomsen at gmail.com Wed Jul 8 09:54:09 2026 From: bo.victor.thomsen at gmail.com (Bo Victor Thomsen) Date: Wed, 8 Jul 2026 18:54:09 +0200 Subject: [QGIS-Developer] PostgreSQL vulnerability in the QGIS application In-Reply-To: References: Message-ID: <9c48647b-31bd-461a-bc5e-3925b1408c2b@gmail.com> Hi Greg - You're right about the source code distribution. What I was talking about - and didn't specifically explain - was the different? binary installation packages available through the QGIS.org homepage. Which is used by the large majority of QGIS-using organizations? to install QGIS. So here is information about the specific?QGIS installation packages?containing the latest PostgreSQL client version *18.4*: * QGIS LTR, version *3.44.12*. Long term release, suitable for enterprise use. * QGIS lastest version *4.2.0*. Early adapter version, not (yet) suitable for enterprise use. Both binary packages can be downloaded at QGIS.org homepage: https://qgis.org/download/ Med venlig hilsen / Best regards Bo Victor Thomsen On 08-07-2026 17:36, Greg Troxel via QGIS-Developer wrote: > Bo Victor Thomsen via QGIS-Developer > writes: > >> As of today, You have 2 options to get the desired postgres upgrades >> (18.4.1): >> >> * Install the latest LTR version af QGIS, ver. 3.44.12. It comes with >> version 18.4.1 of pqlib (Postgres communication). >> * Install the newest version of QGIS, version 4.2.0 . It too, comes >> with pqlib version 18.4.1. >> >> Version 4.2.*0* is an "Early adopter" version -? not yet suited for >> enterprise use. However, If you can wait, version 4.2*.4*, will be >> the new LRT version around October 30, 2026. > But qgis *source code* does not come with postgresql at all. You are > talking about a particular binary package, and I think it would be > helpful if messages describing binary packages identify the binary > package, every time. > _______________________________________________ > QGIS-Developer mailing list > QGIS-Developer at lists.osgeo.org > List info:https://lists.osgeo.org/mailman/listinfo/qgis-developer > Unsubscribe:https://lists.osgeo.org/mailman/listinfo/qgis-developer -------------- next part -------------- An HTML attachment was scrubbed... URL: From gdt at lexort.com Wed Jul 8 11:41:18 2026 From: gdt at lexort.com (Greg Troxel) Date: Wed, 08 Jul 2026 14:41:18 -0400 Subject: [QGIS-Developer] PostgreSQL vulnerability in the QGIS application In-Reply-To: <9c48647b-31bd-461a-bc5e-3925b1408c2b@gmail.com> (Bo Victor Thomsen via's message of "Wed, 8 Jul 2026 18:54:09 +0200") References: <9c48647b-31bd-461a-bc5e-3925b1408c2b@gmail.com> Message-ID: Bo Victor Thomsen via QGIS-Developer writes: > Hi Greg - > > You're right about the source code distribution. > > What I was talking about - and didn't specifically explain - was the > different? binary installation packages available through the QGIS.org > homepage. Which is used by the large majority of QGIS-using > organizations? to install QGIS. > > So here is information about the specific?QGIS installation > packages?containing the latest PostgreSQL client version *18.4*: > > * QGIS LTR, version *3.44.12*. Long term release, suitable for > enterprise use. > * QGIS lastest version *4.2.0*. Early adapter version, not (yet) > suitable for enterprise use. > > Both binary packages can be downloaded at QGIS.org homepage: > https://qgis.org/download/ Sorry to seem difficult, but I can't reconcile the implied "there exist only two specific packages" with finding on the order of a dozen at that link. At that link, there are multiple operating systems, and multiple options. It's not clear to me if all of them are full bundles, vs normal packages with dependencies from the base system. There is Windows osgeo4w LTR and stable macOS LTR and stable Linux 7 distributions plus flatpack/spack BSD FreeBSD LTR and stable OpenBSD stable Container (hard to figure out) Are you saying that every single one of those options will use pgsql 18.4.1? I would think that the GNU/Linux (actual distributions not flat-ish) would be using what the distribution was on, and it's not up to qgis to fix that, vs installers that bundle everything (to remediate the problem of the base OS not having a high-functioning packaging system). For the BSD packaging systems pointed to, surely those are maintained by FreeBSD and OpenBSD people, just as I maintain the entries in pkgsrc (NetBSD, illumos, and many others). Thus qgis.org is not choosing pgsql versions. Or do you mean only the two Windows installers? What I'm asking is that if you are talking about two specific windows installers, to say that, to avoid people interpreting statements as applying to the N other ways one can get binary distributions, many of which have their own processes and change control. The assumption that "installing qgis" equals "installing qgis on windows" is not sound, even if it is often true. Thanks, Greg From gdt at lexort.com Fri Jul 10 09:17:56 2026 From: gdt at lexort.com (Greg Troxel) Date: Fri, 10 Jul 2026 12:17:56 -0400 Subject: [QGIS-Developer] anyone else get a vague github shakedown notice? is this about qgis? Message-ID: tl;dr: I got an email from github threatening to start billing me, and have eliminated most reasons why it would have arrived, and my qgis association is next. For background, I've had a github account for a long time, but never signed up for a paid plan or given them billing information. I have been a listed member of a few organizations, that I "left" a few months ago as the tone of paid services and AI increased, since they were defunct anyway. A few days ago I got email, purporting to be from github, delivered via sendgrid, and DKIM signed from github. So I suspect it's really from them. Trimming parts that aren't useful enough for anyone to read: You're receiving this because your organization is using the GitHub Code Quality public preview. As we shared on June 16, Code Quality moves to general availability on *July 20, 2026*. This email covers the details: what you'll pay, what's included, and how to prepare. *Pricing* Code Quality is priced as a *base subscription plus metered usage* : Component How it's billed What it covers *Per-committer license* $10 per active committer per month Enterprise access to Code Quality: findings, scoring, Rulesets integration, Security Overview, and org-level governance *AI-powered usage* Usage-based (AI Credits) Copilot code review on Code Quality-enabled repos, AI-assisted detection, Copilot Autofix generation *Deterministic analysis* GitHub Actions minutes CodeQL-powered maintainability and reliability scans ? fast, predictable, and token-free Active committers are counted on repositories where Code Quality is enabled, using the same active-committer methodology as GitHub Advanced Security. For more information, you can review our documentation here ( https://docs.github.com/billing/concepts/product-billing/github-code-quality ). *How to prepare* * If you have a GitHub or Microsoft account team, reach out to them with any questions. They have a pricing calculator and can model costs based on your actual usage. * Evaluate your repository coverage. Decide which repositories should continue with Code Quality enabled after July 20. Disabling Code Quality on a repository before July 20 means no charges for that repository. More details are available in our documentation ( https://docs.github.com/code-security/concepts/about-code-quality ). You are receiving this because you?re a part of GitHub Sponsors. As for sponsors, I am not enrolled, and I have not sponsored anyone. So their email is wrong. I wonder: - is qgis using "Code Quality" and somehow because I have a clone, have filed issues/etc. I got it? - did others get this? - any thoughts on whether this is confused, vs underhanded, and is anyone worried about surprise bills? From nyall.dawson at gmail.com Mon Jul 13 17:44:42 2026 From: nyall.dawson at gmail.com (Nyall Dawson) Date: Tue, 14 Jul 2026 10:44:42 +1000 Subject: [QGIS-Developer] QEP: Removal of deprecated Processing GUI API Message-ID: Hi lists, Following up the recent formalisation of a process for removal of deprecated API mid-release cycle (see https://github.com/qgis/QGIS-Enhancement-Proposals/pull/384), I've just submitted a proposal to remove the deprecated Python Processing "WidgetWrapper" API. As per clause 1.4.4 of the Stable API policy, this API should be removed on the grounds that maintaining backward compatibility both introduces an insurmountable maintenance burden and fundamentally blocks critical bug fixes (condition 1.4.4.1). This pure Python API is an ongoing source of unsolvable issues in the Processing framework, such as https://github.com/qgis/QGIS/issues/66282. It relies on a fragile memory management model, where the lifetime of objects created in C++ vs Python results in unpredictable object deletion or memory leakage. Over time the conclusion from QGIS developers familiar with this code is that this approach just cannot be fixed, and we need to move solely to the approach used elsewhere in QGIS, where Python is used solely to subclass C++ base classes, with all memory management living at the C++ level (either through direct C++ memory management or via C++ Qt parent/child associations). In addition, the old API predated major overhauls of Processing GUI components such as the model designer, and the assumptions used in that API no longer apply (such as existence of Python dialog classes). Working around these old assumptions is a considerable drain on QGIS developers, and is blocking further desirable revamps and modernisation of the QGIS model designer interface. This API has been marked as deprecated since QGIS 3.4, with developer-facing warnings being shown for over 7 years. See https://github.com/qgis/QGIS-Enhancement-Proposals/pull/386 for the proposed changes and a detailed write up on the plan for removal. Please give all feedback on this proposed change as comments on the PR itself (not direct email replies) to keep the discussion centralized. Kind regards, Nyall -------------- next part -------------- An HTML attachment was scrubbed... URL: From julien.cabieces at oslandia.com Wed Jul 15 03:10:23 2026 From: julien.cabieces at oslandia.com (Julien Cabieces) Date: Wed, 15 Jul 2026 12:10:23 +0200 Subject: [QGIS-Developer] Call for vote for coding style "Precise member prefix scope" Message-ID: <87qzl4r2b4.fsf@julienlaptop.home> Hi list, Please cast your vote regarding this coding standard modification Pull Request [0]?which explicit already existing naming convention for member variables. Kind regards, Julien [0] https://github.com/qgis/QGIS-Enhancement-Proposals/pull/383 -- Julien Cabieces Senior Developer at Oslandia julien.cabieces at oslandia.com