[Qgis-psc] Fwd: [Qgis-developer] AequilibraE

Tim Sutton tim at kartoza.com
Thu Dec 22 04:24:31 PST 2016


hi

> I mildly disagree: there have been discussions on the ML about how to enforce checks on the plugins for malicious code (none of the proposals is currently implemented though); by having source-only plugins we (and the users as well) can in theory check the code for any malicious activity, even if I doubt that we do it for real for all plugins.
> 
> If we allow binary blobs, provided that they are really cross platform (which is not the case for cython) we (and the users as well) will never know what's inside and there is no guarantee that the published sources match the blob.
> 
> So, I think that there is in fact an additional protection for the users by not allowing binary blobs in the plugins.
> 
> I understand the need for binary blobs in some cases, and I'd suggest that in those cases the plugin authors implement a system to install the missing blobs from within the plugin itself (after user authorization).

I get where you are coming from, but I think on the sum of things, if the blob is in our repo and we e.g. ask plugin developers to explain the provenance of these blobs in their READMEs, there is a lot more transparency than encouraging plugin authors to let their plugins go out and grab and execute binaries from random places on the internet. I also see a place for both approaches and for Paolo (as Plugin repo guardian) to just use a bit of discretion in each case rather than trying to make a hard & fast rule about this...

Regards

Tim

—
Tim Sutton

Co-founder: Kartoza
Project chair: QGIS.org

Visit http://kartoza.com to find out about open source:

Desktop GIS programming services
Geospatial web development
GIS Training
Consulting Services

Skype: timlinux 
IRC: timlinux on #qgis at freenode.net

Kartoza is a merger between Linfiniti and Afrispatial
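The thread above argues about two controls: detecting binary blobs in a plugin package, and checking that a blob shipped in the repo matches the provenance its author declares. The following is an added example by the editor, not code from the QGIS project or from anyone in this thread. It assumes a hypothetical per-plugin file named BLOB_PROVENANCE.json that maps archive paths to a SHA-256 and a free-text origin; the plugin archive and its contents are constructed inline so the script runs offline.

```python
"""Added example (not from the QGIS thread): audit a plugin zip for binary blobs
and check each blob against a declared provenance manifest.

Assumption (hypothetical, not QGIS policy): the archive may contain a file named
BLOB_PROVENANCE.json mapping archive paths to {"sha256": ..., "source": ...}.
"""
import hashlib
import io
import json
import zipfile

# Leading bytes of common native executable formats: ELF, PE ("MZ"),
# Mach-O (64-bit, 32-bit) and Mach-O fat binaries. The two-byte "MZ" check can
# match text that happens to start with "MZ"; in a real reviewer tool you would
# confirm with a fuller header parse.
MAGICS = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
# File extensions that are opaque to source review (native extensions and bytecode).
BINARY_EXTS = (".so", ".pyd", ".dll", ".dylib", ".pyc")
MANIFEST_NAME = "BLOB_PROVENANCE.json"  # hypothetical manifest name


def is_binary_blob(name, data):
    """True if the entry looks like compiled code by extension or magic bytes."""
    return name.lower().endswith(BINARY_EXTS) or data.startswith(MAGICS)


def audit_plugin(zip_bytes):
    """Classify every blob in the archive as verified, mismatched or unverified.

    verified   : blob listed in the manifest and its SHA-256 matches
    mismatched : blob listed but the hash differs (sources and blob disagree)
    unverified : blob present but no provenance entry at all
    """
    findings = {"blobs": [], "verified": [], "mismatched": [], "unverified": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        manifest = {}
        for name in zf.namelist():
            if name.endswith(MANIFEST_NAME):
                manifest = json.loads(zf.read(name))
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if not is_binary_blob(info.filename, data):
                continue
            findings["blobs"].append(info.filename)
            entry = manifest.get(info.filename)
            if entry is None:
                findings["unverified"].append(info.filename)
            elif hashlib.sha256(data).hexdigest() == entry.get("sha256"):
                findings["verified"].append(info.filename)
            else:
                findings["mismatched"].append(info.filename)
    return findings


def build_sample_plugin():
    """Constructed sample archive: one declared blob, one tampered, one undeclared."""
    good = b"\x7fELF" + b"\x00" * 16            # declared, hash matches
    tampered = b"MZ" + b"\x90" * 16             # declared, but hash differs
    undeclared = b"\xcf\xfa\xed\xfe" + b"\x00" * 8  # not in the manifest at all
    manifest = {
        "plugin/lib/good.so": {
            "sha256": hashlib.sha256(good).hexdigest(),
            "source": "PLACEHOLDER: built from <upstream repo> at <tag>",
        },
        "plugin/lib/tampered.pyd": {
            "sha256": hashlib.sha256(b"original build output").hexdigest(),
            "source": "PLACEHOLDER: built from <upstream repo> at <tag>",
        },
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugin/__init__.py", "def classFactory(iface):\n    return None\n")
        zf.writestr("plugin/" + MANIFEST_NAME, json.dumps(manifest))
        zf.writestr("plugin/lib/good.so", good)
        zf.writestr("plugin/lib/tampered.pyd", tampered)
        zf.writestr("plugin/lib/undeclared.dylib", undeclared)
    return buf.getvalue()


if __name__ == "__main__":
    for category, paths in audit_plugin(build_sample_plugin()).items():
        print(f"{category}: {paths}")
```

A hash check only ties the blob to whatever the author declared; it does not show that the declared source actually produces that blob. That gap is exactly the "no guarantee that the published sources match the blob" point in the quoted reply, and closing it needs a reproducible build or a reviewer rebuilding from the stated source.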
