[Qgis-psc] Blog post for trusted plugins

[Vincent Picavet (ml)]

Hello,

Globally LGTM.
A few comments below.

Le 18/08/2016 à 12:40, Paolo Cavallini a écrit :
..
> a first draft - improvements most welcome.
> All the best.
> ==========================================
> The core team of QGIS strives hard at providing the most advanced and
> user friendly GIS for free use to everyone. As a corollary, we are very
> careful about security, both of our source code and of the installers,
> using state of the art technology and practices to ensure no malicious
> or dangerous code ever hits end users.
> The vast majority of our plugins (listed in http://plugins.qgis.org/ and
> inside your copy of QGIS) are however developed by third parties, either
> individuals, companies, and institutions. As such, they are outside our
> direct control, and might represent a security risk. We are convinced
> the risk is small, because of many factors including the "many eyes"
> principle (the code is visible to everybody, and in use by thousands of
> people), but cannot exclude it altogether.
> In order to improve the situation, we analysed the opportunity of
> implementing automatic tools to scan plugins, before their publication,
> and spot potential problems. This proved very difficult and costly, and
> easy to circumvent. 

I would be more straightforward and say it is impossible.

> Not by chance all major software developers do not
> rely on this kind of tools.

I do not get this sentence. Too many negations ?

> We decided therefore to implement a simple yet robust approach to
> security, based on the best available evidence: trust based on personal
> knowledge. The current implementation therefore lists all plugins by
> well known members of the QGIS community, that regularly meet twice a
> year on the QGIS developer meetings, and are in almost daily contact
> with the core team, as "trusted". All the rest (and there are wonderful,
> reliable, robust, and useful plugins in the list) miss the "trusted"
> label which, we would like to stress this point, does not mean they are
> not trusted, but only that we cannot reasonably guarantee they are.
> Of course, we would be delighted if a side effect of this choice would
> be to favour a more active involvement of plugin developers in the
> community. All plugin developers are therefore invited to join us at one
> of the next developer meetings (AKA HackFest).

.. so they can be integrated as "trusted" plugin developers.

==
Otherwise, just try to put some air in the text so that it is more
easily readable, but the content is fine for me.

Thanks Paolo for this,

Vincent