[Qgis-psc] Blog post for trusted plugins (was: Meeting tonight?)
Paolo Cavallini
cavallini at faunalia.it
Thu Aug 18 03:40:16 PDT 2016
On 02/08/2016 09:33, Anita Graser wrote:
> I'd suggest a blog post as a start because these posts tend to show up
> higher on Google search results than some page we add to qgis.org
> <http://qgis.org>
> IT departments are (rightfully?) scared to let users install "untrusted"
> plugins.
Hi all,
A first draft - improvements most welcome.
All the best.
==========================================
The core team of QGIS strives hard to provide the most advanced and
user-friendly GIS for free use by everyone. As a corollary, we are very
careful about security, both of our source code and of the installers,
using state-of-the-art technology and practices to ensure no malicious
or dangerous code ever reaches end users.
The vast majority of our plugins (listed at http://plugins.qgis.org/ and
inside your copy of QGIS) are however developed by third parties, whether
individuals, companies, or institutions. As such, they are outside our
direct control, and might represent a security risk. We are convinced
the risk is small, because of many factors including the "many eyes"
principle (the code is visible to everybody, and in use by thousands of
people), but we cannot exclude it altogether.
In order to improve the situation, we analysed the possibility of
implementing automatic tools to scan plugins before their publication
and spot potential problems. This proved very difficult and costly, and
easy to circumvent. It is not by chance that all major software developers
do not rely on this kind of tool.
We decided therefore to implement a simple yet robust approach to
security, based on the best available evidence: trust based on personal
knowledge. The current implementation therefore lists as "trusted" all
plugins by well-known members of the QGIS community, who regularly meet
twice a year at the QGIS developer meetings and are in almost daily
contact with the core team. All the rest (and there are wonderful,
reliable, robust, and useful plugins in the list) lack the "trusted"
label, which, we would like to stress this point, does not mean they are
not trusted, but only that we cannot reasonably guarantee that they are.
Of course, we would be delighted if a side effect of this choice were
to favour a more active involvement of plugin developers in the
community. All plugin developers are therefore invited to join us at one
of the next developer meetings (AKA HackFest).
--
Paolo Cavallini - www.faunalia.eu
QGIS & PostGIS courses: http://www.faunalia.eu/training.html