[Qgis-psc] Blog post for trusted plugins

Tim Sutton tim at kartoza.com
Mon Aug 22 04:47:14 PDT 2016


Hi

Following our verbal discussion here is my proposed update:

-------
The core team of QGIS strives hard to provide the most advanced and
user-friendly GIS for free use by everyone. In the core QGIS project, every line of code that gets committed is
subject to peer review when contributed by a non-core developer. This
gives us an opportunity to identify and correct inadvertent (or
intentional) security issues that a developer may introduce into the code
base. By contrast, all of the plugins that are published via the QGIS
plugin repository are reviewed by the plugin developers themselves, and
we don't have good insight into how much due diligence is applied to
plugin code management.

The vast majority of our plugins (listed in http://plugins.qgis.org/ and
inside your copy of QGIS) are developed by third parties, whether
individuals, companies, or institutions. As such, they are outside our
direct control, and the developers are often relatively unknown to the QGIS community.
We view this as a potential security risk. We are convinced
the risk is small, because of many factors including the "many eyes"
principle (the code is visible to everybody, and in use by thousands of
people), but we cannot exclude the possibility that someone tries to
inject malicious code into a plugin.

In order to address this situation, we looked into the opportunity of
implementing automatic tools to scan plugins, before their publication,
and spot potential problems. Our research indicated that this approach would be
difficult and costly, and easy to circumvent.

We decided therefore to implement a simple yet robust approach to
security, based on the 'web of trust' principle: we trust people we know well in the community.
You will see on the http://plugins.qgis.org web site that a 'Trusted Author' tag has been applied to plugins
created by those members of the community that we know and trust.


The criteria for 'Trusted Authors' include those community members that regularly
meet at our QGIS developer meetings, and those that are in almost daily contact
with the core team via our developer mailing lists or background project discussions.
The remaining plugins (and there are wonderful,
reliable, robust, and useful plugins in the list) have not been given the 'trusted'
label.

We would be delighted if a side effect of this choice would
be to stimulate more active and direct involvement of plugin developers in the QGIS
community. All plugin developers are therefore invited to join us at one
of the next developer meetings (AKA HackFest), or otherwise become a
recognized, active member of the community, so they can be integrated as
'trusted' plugin developers.

---------

Regards

Tim

—
Tim Sutton

Co-founder: Kartoza
Project chair: QGIS.org

Visit http://kartoza.com to find out about open source:

Desktop GIS programming services
Geospatial web development
GIS Training
Consulting Services

Skype: timlinux
IRC: timlinux on #qgis at freenode.net

Kartoza is a merger between Linfiniti and Afrispatial
