[Qgis-user] RE: Qgis-user Digest, Vol 72, Issue 43

Alister Hood Alister.Hood at synergine.com
Sun Feb 19 03:25:49 PST 2012


Hi Richard,

If these same people currently use proprietary GIS they probably use all sorts of third party scripts and addons for it.  I'm interested - how do they cope with security for them?  I'm sure they don't usually read all the source code.  From what I can see, security in the proprietary world really comes down to trust and system administration.

> I don't know if there is any innate protection within QGIS or python
I'm far from an expert, but I wouldn't have thought it would really be practical to have such protection.  Does ArcGIS or something claim to have it?

I guess for QGIS it is some combination of:
- the "web of trust" in the QGIS community
- checking the code, since it is always available
- trusting that _someone_ else will probably look at the code, and even if they don't, the fact that they are likely to makes QGIS less of a target for malware authors (Also QGIS is not a prime target simply because it hasn't achieved world domination yet...)
- keeping backups and therefore not needing to worry as much about security

So far I'm pretty sure QGIS hasn't had any problems with malware etc.  The _real life_ problem is when plugins are broken by changes to QGIS, especially when they are orphaned (unmaintained).  Oh - and in some cases plugins not being compatible with Windows (or Mac) because nobody bothers to package the dependencies for Windows, or perhaps just because the plugins have only been tested on real operating systems ;) and they need changes to work around some "feature" in Windows...

With QGIS 2 I think the intention is to try to get people to all use the main repository, instead of a whole lot of third party repositories.  I don't know what people will have to do before they are allowed to upload their code to the repository.  Can anyone point us to the answer?


> Date: Sat, 18 Feb 2012 11:08:55 -0500
> From: Richard Males <rbmales at gmail.com>
> Subject: [Qgis-user] QGIS and Computer Security (Windows)
> To: qgis-user at lists.osgeo.org
> Message-ID:
>         <CAGwArwYi-mecHHmNU34ojKhGno=o_wTVcWFezEnpHZO19n0gUg at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> I am interested in promoting the use of QGIS, but some users have
> expressed concern about computer security issues, particularly in
> respect to the use of plug-ins.  The concern is that a downloaded
> plugin may contain malware, activate malicious code, etc.  I don't
> know if there is any innate protection within QGIS or python against
> bad behavior on the part of plugins, or if this is a "trust" issue.
> 
> I have searched online and in the forums for a discussion of this
> issue.  I posted on the help forum, the responses were anecdotal in
> nature (e.g., "I have been using QGIS for a few years, never had a
> problem"), not technical.
> 
> I would very much appreciate any thoughts on if/how QGIS currently
> deals with this, or references to documentation or postings on the
> issue.
> 
> Thank you.
> 
> R. Males
> Cincinnati, Ohio, USA

