[Qgis-psc] Blog post for trusted plugins

Paolo Cavallini cavallini at faunalia.it
Mon Aug 22 04:55:21 PDT 2016


On 22/08/2016 13:47, Tim Sutton wrote:
> Hi
> 
> Following our verbal discussion here is my proposed update:
> 
> -------
> The core team of QGIS strives hard to provide the most advanced and
> user friendly GIS for free use by everyone. In the core QGIS project,
> every line of code that gets committed is
> subject to peer review when contributed by a non core developer. This
> gives us an opportunity to identify and correct inadvertent (or
> intentional) security issues that a developer may introduce into the code
> base. By contrast, all of the plugins that are published via the QGIS
> plugin repository are reviewed by the plugin developers themselves and
> we don't have good insight into how much due diligence is applied to
> plugin code management.
> 
> The vast majority of our plugins (listed in http://plugins.qgis.org/ and
> inside your copy of QGIS) are developed by third parties, either
> individuals, companies, or institutions. As such, they are outside our
> direct control and the developers are often relatively unknown to the QGIS
> community.
> We view this as a potential security risk. We are convinced
> the risk is small, because of many factors including the "many eyes"
> principle (the code is visible to everybody, and in use by thousands of
> people), but cannot exclude the possibility that someone tries to
> inject malicious code into a plugin.
> 
> In order to address this situation, we looked into the opportunity of
> implementing automatic tools to scan plugins, before their publication,
> and spot potential problems. Our research indicated that this approach
> would be difficult and costly, and easy to circumvent.
> 
> We decided therefore to implement a simple yet robust approach to
> security, based on the 'web of trust' principle: we trust people we know
> well in the community.
> You will see on the http://plugins.qgis.org web site that a
> 'Trusted Author' tag has been applied to plugins created by those
> members of the community that we know and trust.
> 
> 
> The criteria for 'Trusted Authors' include those community members that
> regularly meet at our QGIS developer meetings, and those that are in
> almost daily contact with the core team via our developer mailing lists
> or background project discussions. The remaining plugins (and there are
> wonderful, reliable, robust, and useful plugins in the list) have not
> been given the 'trusted' label.
> 
> We would be delighted if a side effect of this choice would be to
> stimulate more active and direct involvement of plugin developers in the
> QGIS community. All plugin developers are therefore invited to join us at
> one of the next developer meetings (AKA HackFest), or otherwise become a
> recognized, active member of the community, so they can be integrated as
> 'trusted' plugin developers.
> 
> ---------

+1 from me.
Thanks.

-- 
Paolo Cavallini - www.faunalia.eu
QGIS & PostGIS courses: http://www.faunalia.eu/training.html
