<div dir="ltr"><div>Hi Johannes,</div><div><br></div><div>Thanks for raising this issue.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">the plugins repository now *publicly* denounces plugins when its<span class="gmail-Apple-converted-space"> <br></span>security scan has flagged something.<br>I use the word "denounce" aggressively here because as a plugin<span class="gmail-Apple-converted-space"> <br></span>developer it is not nice to have plugins *which do not actually have<span class="gmail-Apple-converted-space"> <br></span>security issues* brandished insecure with a BIG RED WARNING, losing<span class="gmail-Apple-converted-space"> <br></span>trust of their users.</blockquote><div><br></div><div>Could we just hide the badge from public view and show it only for the plugin author/maintainer and, eventually, for staff/superusers? This feature was requested by Etienne (<a href="https://github.com/qgis/QGIS-Plugins-Website/issues/267">https://github.com/qgis/QGIS-Plugins-Website/issues/267</a>), but I think making it publicly visible wasn't really part of the scope in this case (so sorry for that). We could always show it in public view later when the checks reflect user cases.<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">The rules are not perfect and at least for plugins where I have insight<span class="gmail-Apple-converted-space"> <br></span>the false positive rate is higher than the correct flags...<br>For example it flags any requests.get() call without a timeout. 
The<span class="gmail-Apple-converted-space"> <br></span>worst that can happen is a hanging QGIS, big whoop...<br>It also flags hashes as secrets and I fail to see how this is helpful<span class="gmail-Apple-converted-space"> <br></span>for plugins that are *already published and accessible*.</blockquote><div><br></div><div>That's correct, and we are aware that there are some teething problems with the ruleset. It would be great if you could please raise an issue at <a href="https://github.com/qgis/QGIS-Plugins-Website/issues">https://github.com/qgis/QGIS-Plugins-Website/issues</a> about which case you think should be addressed by the checks.</div><div>Please also note that we have just published a blog article about the plugin checks implementation at <a href="https://blog.qgis.org/2026/04/23/plugin-repository-security-enhancements/">https://blog.qgis.org/2026/04/23/plugin-repository-security-enhancements/</a>.</div><div><br></div><div>Best regards,</div><div><br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div style="color:rgb(34,34,34)">Lova Andriarimalala</div><div style="color:rgb(34,34,34)"><b>QGIS Full Stack Developer <br><br></b></div><div style="color:rgb(34,34,34)"><b>T </b>: +27(0) 87 809 2702 <b>E </b>:<b> </b><a href="mailto:lova@kartoza.com" style="color:rgb(17,85,204)" target="_blank">lova@kartoza.com</a> <b>W</b> : <a href="http://kartoza.com" style="color:rgb(17,85,204)" target="_blank">kartoza.com</a><br></div><div style="color:rgb(34,34,34)"><br></div><div style="color:rgb(34,34,34)"><div><img src="https://erp.kartoza.com/files/KartozaEmailSignatureTest.gif"><br></div><div><br></div><i>This email and any attachments are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you </i><div><i>have received this email in error, please notify the sender immediately and delete it from your system. 
Unauthorised use, disclosure, or copying</i></div><div><i>of the contents is prohibited.</i></div></div></div></div></div><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Thu, 23 Apr 2026 at 15:59, Johannes Kröger (WhereGroup) via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org">qgis-developer@lists.osgeo.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
the plugins repository now *publicly* denounces plugins when its <br>
security scan has flagged something.<br>
I use the word "denounce" aggressively here because as a plugin <br>
developer it is not nice to have plugins *which do not actually have <br>
security issues* brandished insecure with a BIG RED WARNING, losing <br>
trust of their users.<br>
<br>
The rules are not perfect and at least for plugins where I have insight <br>
the false positive rate is higher than the correct flags...<br>
For example it flags any requests.get() call without a timeout. The <br>
worst that can happen is a hanging QGIS, big whoop...<br>
It also flags hashes as secrets and I fail to see how this is helpful <br>
for plugins that are *already published and accessible*.<br>
<br>
Please revert the public display of this badge for now. If it is planned <br>
to publicly flag existing plugin versions, give developers ample time to <br>
review, fix or dispute the findings.<br>
<br>
Sorry for the aggressive tone but this was unexpected and is very <br>
unpleasant to deal with.<br>
I do think that the scanning and potential blocking of new versions is a <br>
great feature (thank you for it!) but the retrospective scanning with <br>
public display without human validation is not.<br>
<br>
Cheers, Hannes<br>
<br>
<br>
_______________________________________________<br>
QGIS-Developer mailing list<br>
<a href="mailto:QGIS-Developer@lists.osgeo.org" target="_blank">QGIS-Developer@lists.osgeo.org</a><br>
List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
</blockquote></div>
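As an added illustration of the kind of rule the thread is arguing about (this is not the plugin repository's own scanner, whose code the thread does not show), here is a small AST-based check over a constructed plugin snippet that reports `requests.<method>()` calls with no effective timeout. It also shows two edges a naive keyword check gets wrong: a `timeout=None` that still hangs, and a `**kwargs` splat that a static rule cannot see into.

```python
import ast

# Constructed sample of plugin code (not from any real QGIS plugin). Line 3 has no
# timeout, line 4 is fine, line 6 hides the timeout in **kwargs, line 7 sets it to None.
SAMPLE = '''
import requests
r1 = requests.get("https://example.invalid/data")
r2 = requests.get("https://example.invalid/data", timeout=10)
opts = {"timeout": 10}
r3 = requests.get("https://example.invalid/data", **opts)
r4 = requests.get("https://example.invalid/data", timeout=None)
'''

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "request"}


def _is_requests_call(node):
    """True for calls of the form requests.<method>(...)."""
    func = node.func
    return (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "requests"
            and func.attr in HTTP_METHODS)


def find_requests_without_timeout(source):
    """Return (lineno, verdict) for each requests.<method>() call lacking an
    effective timeout. verdict is "missing" when no timeout= is passed or it is
    None (which also disables the timeout), and "unknown" when the keywords
    include a **mapping the static rule cannot look into. Calls with an explicit
    timeout value are not reported."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not _is_requests_call(node):
            continue
        explicit = [kw for kw in node.keywords if kw.arg == "timeout"]
        if explicit:
            value = explicit[0].value
            if isinstance(value, ast.Constant) and value.value is None:
                findings.append((node.lineno, "missing"))
            continue
        if any(kw.arg is None for kw in node.keywords):
            findings.append((node.lineno, "unknown"))
        else:
            findings.append((node.lineno, "missing"))
    return findings


if __name__ == "__main__":
    for lineno, verdict in find_requests_without_timeout(SAMPLE):
        print(f"line {lineno}: timeout {verdict}")
```

Passing an explicit numeric `timeout=` is what clears the finding; a plugin that wraps `requests` in its own helper would not match this pattern and the rule would need extending.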