[Qgis-psc] The security project for QGIS

Fri Nov 29 02:27:11 PST 2024

Hi Vincent,

Thank you very much for launching this initiative.
I believe that proactively handling this topic will help the QGIS project
and community to comply with regulations and prevent uncertainty with
professional end users.
I trust that the community (especially in enterprise environments) will
step up and support this !

Kind regards
Matthias

On Fri, Nov 29, 2024 at 11:12 AM Vincent Picavet via QGIS-PSC <
qgis-psc at lists.osgeo.org> wrote:

> Hi PSC,
>
> Oslandia will be launching soon the "Security project for QGIS". I explain
> the project in details below.
>
> New European regulations like NIS2 and CRA, as well as other international
> or local regulations ( e.g. CISA ) will be activated within the next couple
> of years. They require software and software producers to rise their
> cybersecurity practices. OpenSource softwares, while usually having a
> special treatment, are concerned too.
>
> As for QGIS, we consider that we are behind what would be sufficient to
> comply with these regulations. We also do not fulfill requirements coming
> from our end-users, in terms of overall software quality regarding
> security, processes in place to ensure trust in the supply chain, and
> overall security culture in the project.
>
> We have been discussing this topic with clients having large deployments
> of QGIS and QGIS server, and they stressed the issue, stating that
> cybersecurity was one of their primary concerns, and that they are willing
> to see the QGIS project move forward in this area as soon as possible.
>
> Oslandia, with other partners and backed by some of its clients, intends
> to launch the "Security project for QGIS" soon : we identified key topics
> where improvements can be done, classified them, and created work packages
> to work on, with budget estimations. We intend to do a call for funding for
> this project, in order to get actual improvements over 2025 and 2026.
>
> We intend to work closely with the QGIS community, QGIS.org, interested
> partners and users. Part of the work are improvements over the current
> system, other require changes to processes or developer's habits. Working
> closely with the user and developer's community to raise our security
> awareness is fully part of the project.
>
> You can see the current draft of the proposal here :
> https://pad.oslandia.net/vas3e9TUTQKJVSjTseVXrQ?both#
>
> Please do not share this URL publicly, as it is still a draft, and will be
> moved to an official web page soon.
>
> We know that this is an ambitious project, and that some parts will be
> difficult to achieve, but we think that QGIS cannot ignore the current
> trend in cybersecurity enforcement, and we know that regulations and
> clients requirements will force us to move forward anyway. Planning ahead
> and taking the issue seriously with the right amount of resources and
> efforts seems a better way to go than being constrained to do things in a
> hurry later on.
>
> We intend to launch the project soon, as some clients want to be able to
> fund it on 2024 budgets, and start working as early as January. We will
> first have a direct approach to potential funders and partners though,
> before making a public call for funding ( most probably before end of 2024
> ).
>
> Sponsors for this project will be QGIS users directly funding the project.
>
> Partners for this project will be :
> - organizations officially supporting the project and help communicate and
> raise funds
> - organizations contributing time, effort, expertise to help the project
> - subcontractors for parts of the project
>
> As for subcontracting, some items are already identified and dedicated to
> partners, most of them will still have to be defined after.
>
> As for now, apart from Oslandia, OPENGIS.ch is already an official partner.
>
> We wanted to let the PSC / QGIS.org know about the project before
> enlarging the audience, so that :
> - A. you can give us feedback on the project globally, and the content
> specifically
> - B. raise any questions you would like to be answered privately or
> publicly
> - C. indicate your thoughts on how QGIS.org would want to be integrated
> into the project
> - D. validate project name, logo and URL
>
> As for C, we will state clearly that this project is not a QGIS.org
> initiative, but a project initiated by Oslandia and partners. QGIS.org
> could be a partner though, and we would be pleased if it is, but it is
> clearly not mandatory. Your decision, without any pressure ( can be later
> on too ).
> As for budget as well, we do not ask for any contribution from QGIS.org,
> but QGIS.org could allocate some funding, either as sponsor for items
> already included in work packages, or for additional complimentary items (
> I would rather opt for this option, e.g. everything related to external
> reviews, community meetings, legal stuff…).
> Also, we will recommend for any sponsor willing to contribute less than
> 5000€, to fund QGIS.org instead through donations, as we do not want to
> deal with small contributions for this project ( admin burden too high ).
>
> As for D, what we need from PSC ASAP is a validation for us to be allowed
> to use the following :
> - the project name "Security project for QGIS". Note that we avoided
> naming it "QGIS Security project", to better identify that the project is
> not initiated by QGIS.org. As said above, we will be clear in the project
> presentation about affiliation.
> - the project logo :
> https://pad.oslandia.net/uploads/68ed0fc7-a6e3-4a93-8b6a-34ba2335c7dc.png
> - the url we intend to use : security.qgis.oslandia.com . Again, it makes
> no doubt on affiliation.
>
> Should you have any remark on these items, do not hesitate to raise them.
>
> Next step are :
> - [x] contact QGIS PSC to present the initiative
> - [ ] integrate feedbacks into the project presentation
> - [ ] finish project presentation material
> - [ ] contact some more potential partners
> - [ ] get first pledges from users for WP1
> - [ ] launch public call for funding
>
> I am available to discuss the matter, do not hesitate to contact me for
> further info or discussion.
>
> Best regards,
> Vincent
>
>
>
> --
> Vincent Picavet
> Président @ oslandia
> News : oslandia.com/newsletter
> 20D3 5950 81EF AA17 0522  9F46 50E2 E4B6 EA67 A3B7
>
> _______________________________________________
> QGIS-PSC mailing list
> QGIS-PSC at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/qgis-psc
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-psc/attachments/20241129/35ae6e05/attachment.htm>