[Qgis-psc] The security project for QGIS
Régis Haubourg
regis at qgis.org
Sat Nov 30 06:37:35 PST 2024
Hi all,
I must say I am super happy to see some action in the field of security.
I totally share the analysis and the need to move forward.
Like Andreas, I think this initiative can only be done under the umbrella of
QGIS.org, and I pledge that the consortium behind this stays open to all
the commercial entities or volunteers that want this topic to be tackled
in good coordination.
I see a lot of movement in Europe currently, and we will have to keep
in line with possible OSGeo coordination, and also keep a close look at
other initiatives. A common entity to issue and codify CVEs, for
instance. We need common tools and working groups like OpenSSF to have
best practices evaluated.
For instance, a "CRA Expert Group on Cybersecurity of Products" is
currently being set up by the European Commission, where OpenSSF was
just selected along with the Apache Software Foundation. There seems to be some
coordination in openforumeurope.org around these topics. I keep an eye
on their lists.
But let's also stay pragmatic. As Even says, we could exhaust ourselves
and our budget trying to solve every potential vulnerability raised. We
will have to clarify a priority grid, taking into account the real
exposure. This is something that frightens me in the cyber security
domain, unlike in real-life risk assessment (I worked a lot on
flooding or avalanche public policies). Most IT departments I see asking
us for a guarantee of "vulnerability free" software seem not mature
at all; we already have to spend a lot of time explaining this. The plan
of action should include pedagogic material that could land on our
website, to save us some time.
Anyhow, all this requires the same infrastructure and common decision
making process. Our IT world is full of ISO processes already, we
probably don't have to reinvent that many wheels, but we need to muscle
up how we take decisions in that area. QGIS.org is inevitable here.
Last point, let's not forget that we will need more funding of
QGIS.org, just because there will be more bureaucracy to handle. I find
myself at the upper limit of how much time I can spend on security,
sharing with Jurgen most of the answers on our security mail. I hope
your big corporations will also jump into Sustaining Membership, and
that all the commercial entities will push forward this idea. That way
we could maybe spend more time on coordination there.
All in all, we will see some interesting years in the future for the
whole IT world :), let's work on this :)
Bye
Régis
On 29/11/2024 at 16:02, Andreas Neumann via QGIS-PSC wrote:
> Dear Vincent,
>
> I am responding with my personal opinion (and not officially as the PSC).
>
> I think it is a good initiative and necessary.
>
> I would prefer if this could be done "officially" by "QGIS.ORG"
> itself, under the QGIS brand name. I want to avoid
> additional fragmentation with QGIS versions only supported by certain
> companies (like we had with QGIS Enterprise), or QField vs. Mergin,
> Lizmap vs. QGIS Web Client, etc. So I would really prefer if this
> initiative were fully endorsed by the QGIS community and PSC,
> rather than being a project just by two QGIS related companies.
>
> Regarding financing:
> - We could try to apply for funding from the German "Sovereign Tech
> Fund". I think this security hardening is in line with their goals.
> - I am a bit reluctant about spending too much money from QGIS.ORG
> on this issue, knowing that most donations to
> QGIS.ORG are either from individual persons or from
> small companies (1-10 employees, in some exceptions larger). Most
> large multinational companies who complain about a lack of security
> standards in QGIS are not donating towards QGIS.ORG
> at all. So it would be quite unfair to use money from individual
> persons and small businesses to fund the goals of multinational
> corporations who have lots of funds available.
>
> We should definitely endorse this initiative by PSC. Next Tuesday
> evening is the next PSC meeting. Would be a good opportunity for you
> to join and discuss the initiative. Looking forward to further discussion.
>
> Best regards,
> Andreas
>
> On Fri, 29 Nov 2024 at 11:12, Vincent Picavet via QGIS-PSC
> <qgis-psc at lists.osgeo.org> wrote:
>
> Hi PSC,
>
> Oslandia will be launching soon the "Security project for QGIS". I
> explain the project in details below.
>
> New European regulations like NIS2 and CRA, as well as other
> international or local regulations (e.g. CISA) will be activated
> within the next couple of years. They require software and
> software producers to raise their cybersecurity practices.
> Open-source software, while usually given special treatment,
> is concerned too.
>
> As for QGIS, we consider that we are behind what would be
> sufficient to comply with these regulations. We also do not
> fulfill requirements coming from our end-users, in terms of
> overall software quality regarding security, processes in place to
> ensure trust in the supply chain, and overall security culture in
> the project.
>
> We have been discussing this topic with clients having large
> deployments of QGIS and QGIS server, and they stressed the issue,
> stating that cybersecurity was one of their primary concerns, and
> that they are willing to see the QGIS project move forward in this
> area as soon as possible.
>
> Oslandia, with other partners and backed by some of its clients,
> intends to launch the "Security project for QGIS" soon: we
> identified key topics where improvements can be made, classified
> them, and created work packages to work on, with budget
> estimations. We intend to do a call for funding for this project,
> in order to get actual improvements over 2025 and 2026.
>
> We intend to work closely with the QGIS community, QGIS.org,
> interested partners and users. Part of the work consists of improvements
> to the current system; other parts require changes to processes or
> developers' habits. Working closely with the user and developer
> community to raise our security awareness is fully part of the
> project.
>
> You can see the current draft of the proposal here :
> https://pad.oslandia.net/vas3e9TUTQKJVSjTseVXrQ?both#
>
> Please do not share this URL publicly, as it is still a draft, and
> will be moved to an official web page soon.
>
> We know that this is an ambitious project, and that some parts
> will be difficult to achieve, but we think that QGIS cannot ignore
> the current trend in cybersecurity enforcement, and we know that
> regulations and clients requirements will force us to move forward
> anyway. Planning ahead and taking the issue seriously with the
> right amount of resources and efforts seems a better way to go
> than being constrained to do things in a hurry later on.
>
> We intend to launch the project soon, as some clients want to be
> able to fund it on 2024 budgets, and start working as early as
> January. We will first have a direct approach to potential funders
> and partners though, before making a public call for funding
> (most probably before the end of 2024).
>
> Sponsors for this project will be QGIS users directly funding the
> project.
>
> Partners for this project will be:
> - organizations officially supporting the project and helping to
> communicate and raise funds
> - organizations contributing time, effort and expertise to help the
> project
> - subcontractors for parts of the project
>
> As for subcontracting, some items are already identified and
> dedicated to partners; most of them will still have to be defined
> afterwards.
>
> As for now, apart from Oslandia, OPENGIS.ch is already an official
> partner.
>
> We wanted to let the PSC / QGIS.org know about the project before
> enlarging the audience, so that :
> - A. you can give us feedback on the project globally, and the
> content specifically
> - B. raise any questions you would like to be answered privately
> or publicly
> - C. indicate your thoughts on how QGIS.org would want to be
> integrated into the project
> - D. validate project name, logo and URL
>
> As for C, we will state clearly that this project is not a
> QGIS.org initiative, but a project initiated by Oslandia and
> partners. QGIS.org could be a partner though, and we would be
> pleased if it is, but it is clearly not mandatory. Your decision,
> without any pressure ( can be later on too ).
> As for budget as well, we do not ask for any contribution from
> QGIS.org, but QGIS.org could allocate some funding, either as
> sponsor for items already included in work packages, or for
> additional complementary items (I would rather opt for this
> option, e.g. everything related to external reviews, community
> meetings, legal stuff…).
> Also, we will recommend that any sponsor willing to contribute less
> than 5000€ fund QGIS.org instead through donations, as we do
> not want to deal with small contributions for this project (admin
> burden too high).
>
> As for D, what we need from PSC ASAP is a validation for us to be
> allowed to use the following :
> - the project name "Security project for QGIS". Note that we
> avoided naming it "QGIS Security project", to better identify that
> the project is not initiated by QGIS.org. As said above, we will
> be clear in the project presentation about affiliation.
> - the project logo:
> https://pad.oslandia.net/uploads/68ed0fc7-a6e3-4a93-8b6a-34ba2335c7dc.png
> - the URL we intend to use: security.qgis.oslandia.com.
> Again, it leaves no doubt about affiliation.
>
> Should you have any remark on these items, do not hesitate to
> raise them.
>
> Next steps are:
> - [x] contact QGIS PSC to present the initiative
> - [ ] integrate feedbacks into the project presentation
> - [ ] finish project presentation material
> - [ ] contact some more potential partners
> - [ ] get first pledges from users for WP1
> - [ ] launch public call for funding
>
> I am available to discuss the matter, do not hesitate to contact
> me for further info or discussion.
>
> Best regards,
> Vincent
>
>
>
> --
> Vincent Picavet
> Président @ oslandia
> News: oslandia.com/newsletter
> 20D3 5950 81EF AA17 0522 9F46 50E2 E4B6 EA67 A3B7
>
> _______________________________________________
> QGIS-PSC mailing list
> QGIS-PSC at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/qgis-psc
>
>
> --
> Andreas Neumann
> QGIS.ORG board member (treasurer)
>