[Qgis-psc] Fwd: [Qgis-developer] AequilibraE

ElPaso elpaso at itopen.it
Thu Dec 22 02:35:07 PST 2016


On 22/12/2016 11:03, Tim Sutton wrote:
> Hi
>
> I think this is easily resolved:
>
> 1) Add a guideline on the plugin page that we **prefer** plugins to 
> be shipped without binary blobs, but if they are required they should 
> still adhere to our licensing requirements and other criteria as 
> referenced by Matthias below.
> 2) Evaluate plugins with binary blobs on a case by case basis and 
> simply accept them if the author appears bona fide.
>
> I would have also liked to have the following:
>
> 3) Have a tag in the metadata that indicates that the plugin contains 
> binary blobs so that the user can make up their own mind as to whether 
> they wish to install blobs or not. But this is not a blocker for me. 
> For double points use an icon like this 
> https://goo.gl/images/NYt3uE so you can see at a glance which plugins 
> are blobbified.
>
> I think guidelines and rules are great, but that we also should not 
> become so caught up in our rules that we lose sight of common sense - 
> people spend a lot of time and effort building their plugins and it is 
> a shame to turn them away if they had to blobbify their plugins for 
> good technical reasons...
>
>
> Regards
>
> Tim
>

Hi Tim,

I mildly disagree: there have been discussions on the ML about how to 
enforce the checks on the plugins for malicious code (none of the 
proposals is currently implemented though), by having source-only 
plugins we (and the users as well) can in theory check the code for any 
malicious activity, even if I doubt that we do it for real for all plugins.

If we allow binary blobs, provided that they are really cross platform 
(which is not the case for Cython) we (and the users as well) will never 
know what's inside and there is no guarantee that the published sources 
match the blob.

So, I think that there is in fact an additional protection for the users 
by not allowing binary blobs in the plugins.

I understand the need for binary blobs in some cases, and I'd suggest 
that in those cases the plugin authors implement a system to install the 
missing blobs from within the plugin itself (after user authorization).

Regards.

>> On 22 Dec 2016, at 11:36 AM, Matthias Kuhn <matthias at opengis.ch 
>> <mailto:matthias at opengis.ch>> wrote:
>>
>> Hi Anita,
>>
>> On 12/21/2016 09:16 AM, Anita Graser wrote:
>>>
>>>
>>> http://anitagraser.com
>>>
>>> On Dec 21, 2016 7:07 AM, "Paolo Cavallini" <cavallini at faunalia.it
>>> <mailto:cavallini at faunalia.it>> wrote:
>>>
>>>    Hi all,
>>>    should we take a decision on this?
>>>
>>>
>>> Could you summarize the issue. I haven't been reading along all the 
>>> time.
>>
>> The question is whether it should be possible to deploy binaries (normally
>> additional libraries) through our plugin servers as part of a plugin.
>> Everyone agrees that if it should be allowed, only under the condition
>> that the source code is present as well and properly licensed.
>>
>> Contra:
>>
>> - We cannot verify if binary matches source
>> - Hosting binaries feels wrong
>>
>> Pro:
>>
>> - Plugin dev's life is easier (because sometimes using libs cannot be
>>   avoided)
>> - We have a higher chance of keeping track of the plugins and closer
>>   contact to the developers
>> - Less risk of having multiple plugin repositories out there
>> - There is no additional protection for the user by not allowing this
>>
>> Possible solutions are listed here:
>> https://lists.osgeo.org/pipermail/qgis-developer/2016-December/046247.html
>>
>> Best wishes
>> Matthias
>> _______________________________________________
>> Qgis-psc mailing list
>> Qgis-psc at lists.osgeo.org
>> http://lists.osgeo.org/mailman/listinfo/qgis-psc
>
>
>
> ---
>
> *Tim Sutton*
> QGIS Project Steering Committee Chair
> tim at qgis.org <mailto:tim at qgis.org>
>


-- 
Alessandro Pasotti
w3: www.itopen.it



