[Qgis-psc] Fwd: [Qgis-developer] AequilibraE

[Matthias Kuhn]

Hi Alessandro

>>
> 
> Hi Tim,
> 
> I mildly disagree: there have been discussion on the ML about how to
> enforce the checks on the plugins for malicious code (none of the
> proposals is currently implemented though), by having source-only
> plugins we (and the users as well) can in theory check the code for any
> malicious activity, even if I doubt that we do it for real for all plugins.

That's very true.

> If we allow binary blobs, provided that they are really cross platform
> (which is not the case for cython) we (and the users as well) will never
> know what's inside and there is no guarantee that the published sources
> match the blob.

I agree.
To quote Richard "It's all trust isn't it?"

> So, I think that there is in fact an additional protection for the users
> by not allowing binary blobs in the plugins.

I tend to disagree.

Plugins can just download binary blobs. With or without user
authorization. If I want to build a plugin to run malicious code, I
won't care about any no-blob-policy and just download the missing bits.

So we could theoretically insert some automated
"check-if-the-code-downloads-a-binary" (which is a hard enough task by
itself) ...

> I understand the need for binary blobs in some cases, and I'd suggest
> that in those cases the plugin authors implement a system to install the
> missing blobs from within the plugin itself (after user authorization).

... but with this additional policy in place we cannot even do the above
check and we will basically end up with the very same situation in
either case:
If there is bad code involved somewhere we need 1) someone to realize
this 2) someone to raise a flag and 3) a moderator to manually unapprove
the plugin.

So in my humble opinion
 * I think that such a policy does not make any difference at all for
the bad boys (and girls)
 * While it does make life harder for the good girls (and boys)

Best regards
Matthias