[Qgis-psc] Blog post for trusted plugins
Tim Sutton
tim at kartoza.com
Thu Aug 25 13:35:58 PDT 2016
Hi
Paolo, will you actually post it, or do you want one of us to do it?
Regards
Tim
> On 22 Aug 2016, at 3:50 PM, Anita Graser <anitagraser at gmx.at> wrote:
>
> +1
> Anita
>
> On Mon, Aug 22, 2016 at 1:55 PM, Paolo Cavallini <cavallini at faunalia.it <mailto:cavallini at faunalia.it>> wrote:
> Il 22/08/2016 13:47, Tim Sutton ha scritto:
> > Hi
> >
> > Following our verbal discussion here is my proposed update:
> >
> > -------
> > The core team of QGIS strives hard to provide the most advanced and
> > user-friendly GIS for free use by everyone. In the core QGIS project,
> > every line of code that gets committed is subject to peer review when
> > contributed by a non-core developer. This gives us an opportunity to
> > identify and correct inadvertent (or intentional) security issues that a
> > developer may introduce into the code base. By contrast, all of the
> > plugins that are published via the QGIS plugin repository are reviewed by
> > the plugin developers themselves, and we don't have good insight into how
> > much due diligence is applied to plugin code management.
> >
> > The vast majority of our plugins (listed in http://plugins.qgis.org/ and
> > inside your copy of QGIS) are developed by third parties, whether
> > individuals, companies, or institutions. As such, they are outside our
> > direct control, and the developers are often relatively unknown to the
> > QGIS community. We view this as a potential security risk. We are
> > convinced the risk is small, because of many factors including the "many
> > eyes" principle (the code is visible to everybody, and in use by thousands
> > of people), but cannot exclude the possibility that someone tries to
> > inject malicious code into a plugin.
> >
> > In order to address this situation, we looked into the opportunity of
> > implementing automatic tools to scan plugins before their publication and
> > spot potential problems. Our research indicated that this approach would
> > be difficult and costly, and easy to circumvent.
> >
> > We decided therefore to implement a simple yet robust approach to
> > security, based on the 'web of trust' principle: we trust people we know
> > well in the community. You will see on the http://plugins.qgis.org web
> > site that a 'Trusted Author' tag has been applied to plugins created by
> > those members of the community that we know and trust.
> >
> > The criteria for 'Trusted Authors' include those community members that
> > regularly meet at our QGIS developer meetings, and those that are in
> > almost daily contact with the core team via our developer mailing lists
> > or background project discussions. The remaining plugins (and there are
> > wonderful, reliable, robust, and useful plugins in the list) have not
> > been given the 'trusted' label.
> >
> > We would be delighted if a side effect of this choice would be to
> > stimulate more active and direct involvement of plugin developers in the
> > QGIS community. All plugin developers are therefore invited to join us at
> > one of the next developer meetings (AKA HackFest), or otherwise become a
> > recognized, active member of the community, so they can be integrated as
> > 'trusted' plugin developers.
> >
> > ---------
>
> +1 from me.
> Thanks.
>
> --
> Paolo Cavallini - www.faunalia.eu
> QGIS & PostGIS courses: http://www.faunalia.eu/training.html
>
>
> _______________________________________________
> Qgis-psc mailing list
> Qgis-psc at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/qgis-psc
>
—
Tim Sutton
Co-founder: Kartoza
Project chair: QGIS.org
Visit http://kartoza.com to find out about open source:
Desktop GIS programming services
Geospatial web development
GIS Training
Consulting Services
Skype: timlinux
IRC: timlinux on #qgis at freenode.net
Kartoza is a merger between Linfiniti and Afrispatial