[Qgis-psc] Blog post for trusted plugins

Anita Graser anitagraser at gmx.at
Mon Aug 22 06:50:08 PDT 2016


+1
Anita

On Mon, Aug 22, 2016 at 1:55 PM, Paolo Cavallini <cavallini at faunalia.it>
wrote:

> On 22/08/2016 13:47, Tim Sutton wrote:
> > Hi
> >
> > Following our verbal discussion here is my proposed update:
> >
> > -------
> > The core team of QGIS strives hard to provide the most advanced and
> > user friendly GIS for free use by everyone. In the core QGIS project,
> > every line of code that gets committed is
> > subject to peer review when contributed by a non core developer. This
> > gives us an opportunity to identify and correct inadvertent (or
> > intentional) security issues that a developer may introduce into the code
> > base. By contrast, all of the plugins that are published via the QGIS
> > plugin repository are reviewed by the plugin developers themselves and
> > we don't have good insight into how much due diligence is applied to
> > plugin code management.
> >
> > The vast majority of our plugins (listed in http://plugins.qgis.org/ and
> > inside your copy of QGIS) are developed by third parties: individuals,
> > companies, or institutions. As such, they are outside our direct
> > control, and the developers are often relatively unknown to the QGIS
> > community.
> > We view this as a potential security risk. We are convinced
> > the risk is small, because of many factors including the "many eyes"
> > principle (the code is visible to everybody, and in use by thousands of
> > people), but cannot exclude the possibility that someone tries to
> > inject malicious code into a plugin.
> >
> > In order to address this situation, we looked into the opportunity of
> > implementing automatic tools to scan plugins, before their publication,
> > and spot potential problems. Our research indicated that this approach
> > would be difficult and costly, and easy to circumvent.
> >
> > We decided therefore to implement a simple yet robust approach to
> > security, based on the 'web of trust' principle: we trust people we know
> > well in the community.
> > You will see on the http://plugins.qgis.org web site that a 'Trusted
> > Author' tag has been applied to plugins created by those members of the
> > community that we know and trust.
> >
> >
> > The criteria for 'Trusted Authors' include those community members that
> > regularly meet at our QGIS developer meetings, and those that are in
> > almost daily contact with the core team via our developer mailing lists
> > or background project discussions.
> > The remaining plugins (and there are wonderful, reliable, robust, and
> > useful plugins in the list) have not been given the 'trusted' label.
> >
> > We would be delighted if a side effect of this choice were to stimulate
> > more active and direct involvement of plugin developers in the QGIS
> > community. All plugin developers are therefore invited to join us at one
> > of the next developer meetings (AKA HackFest), or otherwise become a
> > recognized, active member of the community, so they can be integrated as
> > 'trusted' plugin developers.
> >
> > ---------
>
> +1 from me.
> Thanks.
>
> --
> Paolo Cavallini - www.faunalia.eu
> QGIS & PostGIS courses: http://www.faunalia.eu/training.html
>
>
> _______________________________________________
> Qgis-psc mailing list
> Qgis-psc at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/qgis-psc
>