[Qgis-psc] Existing plugin versions should not be marked with "security issues"

Johannes Kröger (WhereGroup) johannes.kroeger at wheregroup.com
Thu Apr 23 05:58:59 PDT 2026


Hi,

the plugins repository now *publicly* denounces plugins when its 
security scan has flagged something.
I use the word "denounce" aggressively here because as a plugin 
developer it is not nice to have plugins *which do not actually have 
security issues* brandished insecure with a BIG RED WARNING, losing 
trust of their users.

The rules are not perfect and at least for plugins where I have insight 
the false positive rate is higher than the correct flags...
For example it flags any requests.get() call without a timeout. The 
worst that can happen is a hanging QGIS, big whoop...
It also flags hashes as secrets and I fail to see how this is helpful 
for plugins that are *already published and accessible*.

Please revert the public display of this badge for now. If it is planned 
to publicly flag existing plugin versions, give developers ample time to 
review, fix or dispute the findings.

Sorry for the aggressive tone but this was unexpected and is very 
unpleasant to deal with.
I do think that the scanning and potential blocking of new versions is a 
great feature (thank you for it!) but the retrospective scanning with 
public display without human validation is not.

Cheers, Hannes
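The two scanner rules the post mentions, a `requests` call with no `timeout` and a hex digest literal treated as a secret, reconstructed as an added example so the behaviour can be reproduced offline. This is not the plugin repository's own scanner: the `PluginScanner` class, the rule names and the two sample plugin snippets (one flagged, one with the timeout added) are constructed for illustration, and the 64-character hex literal is the well-known SHA-256 of the empty string, used only as a stand-in for a checksum constant.

```python
import ast
import re
from dataclasses import dataclass
from typing import List

# HTTP helpers on the requests module that accept a timeout keyword.
REQUESTS_METHODS = {"get", "post", "put", "delete", "head", "patch", "request"}
# Hex digests of the usual lengths: MD5 (32), SHA-1 (40), SHA-256 (64).
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


@dataclass
class Finding:
    rule: str      # constructed rule id, not the real scanner's naming
    line: int      # 1-based line in the scanned source
    detail: str


class PluginScanner(ast.NodeVisitor):
    """AST walker that mimics the two rules described in the post."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # Only match calls spelled requests.<method>(...) via the module name.
        if (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "requests"
                and func.attr in REQUESTS_METHODS):
            if not any(kw.arg == "timeout" for kw in node.keywords):
                self.findings.append(Finding(
                    "request-without-timeout", node.lineno,
                    f"requests.{func.attr}() called without a timeout keyword"))
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        # A bare hex digest is flagged regardless of how it is used, which is
        # why a legitimate checksum constant trips the rule.
        if isinstance(node.value, str) and HEX_DIGEST.match(node.value):
            self.findings.append(Finding(
                "possible-hardcoded-secret", node.lineno,
                f"hex digest literal starting {node.value[:8]}..."))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse plugin source and return findings in source order."""
    scanner = PluginScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


# Constructed sample: a plugin that would be flagged on both rules.
FLAGGED_PLUGIN = '''
import requests
# checksum of a bundled style file (constructed sample value)
EXPECTED_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

def fetch_layer_list(url):
    resp = requests.get(url)  # no timeout: the QGIS UI can hang on a dead host
    return resp.json()
'''

# Constructed sample: the same fetch with connect and read timeouts set.
FIXED_PLUGIN = '''
import requests

def fetch_layer_list(url):
    resp = requests.get(url, timeout=(3.05, 30))  # (connect, read) seconds
    resp.raise_for_status()
    return resp.json()
'''

if __name__ == "__main__":
    for name, src in (("flagged", FLAGGED_PLUGIN), ("fixed", FIXED_PLUGIN)):
        print(name, [(f.rule, f.line) for f in scan_source(src)])
```

Running it shows the flagged snippet producing one finding per rule (the checksum constant on its line, the `requests.get()` call on its line) and the fixed snippet producing none. The timeout finding is resolved by a one-argument change; the digest finding cannot be resolved by the rule itself, because a hex string alone does not tell a checksum from a credential, which is exactly the kind of result that needs a human to confirm or dismiss it before it is shown to users.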
