Hey Richard,<br><br><div class="gmail_quote">On Sun, Feb 19, 2012 at 2:08 AM, Richard Males <span dir="ltr"><<a href="mailto:rbmales@gmail.com">rbmales@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div id=":12m">I am interested in promoting the use of QGIS, but some users have<br>
expressed concern about computer security issues, particularly in<br>
respect to the use of plug-ins. The concern is that a downloaded<br>
plugin may contain malware, activate malicious code, etc. I don't<br>
know if there is any innate protection within QGIS or python against<br>
bad behavior on the part of plugins, or if this is a "trust" issue.<br><br></div></blockquote><div> </div><div>While I understand their concerns I do think it is over worrying. Can QGIS be used to download and run malicious code? Yes, but so can any non closed system (living behind Apples Iron Garden Wall is the exception). Ultimately it does come down to trust but there a few levels where there is protection.</div>
<div><br></div><div><ul><li>Python: Python, like any good programming language, provides no protection against malware or malicious code. It's job is not to care, and nor should it try and stop me. People can write malicious code in any language.<br>
<br></li><li>The QGIS plugin system has a line of defense when the user uploads a plugin to <a href="http://plugins.qgis.org">plugins.qgis.org</a>. All plugins, when uploaded by a new user, are by default unapproved. They have to be approved by an admin (there are a hand full of us around) before it will be publicly available to all QGIS users. However we don't normally check the code as the chance of something bad happening is low and we don't have the man power to check over everything. Plugins can also be unapproved if it does turn out something was bad, once unapproved it is no longer downloadable within QGIS via the Pluign Installer.<br>
<br></li><li>OS level protection. Most good operating systems these days have password protection for anything that is try to do something in a area it normally shouldn't, but if QGIS is run with elevated permissions it will have access to everything.<br>
<br></li><li>Open source. As QGIS, all its plugins, and components are open source there is nothing stopping the users (or IT) having a look over the code to make sure that it does what it says it does. However you still need to understand what you are looking for.</li>
</ul> </div><div>I have seen the "it's open source, therefore it is a security risk (or is less secure)" card played many times before I have always strongly disagreed. The fact that open source by design is open, everything is view-able by the outside user. Every time you download a Python plugin for QGIS you also get the source code, nothing is hidden, little trust needed. Compare this with other closed systems where it is impossible to tell what something is doing, you have to give full trust that the programmer and program no what they are doing. </div>
<div><br></div><div>Example:</div><div><br></div><div>I used to be a big user of MapInfo. MapInfo has its own programming language called MapBasic which is complied into a binary executable and run inside the MapInfo environment. I can ship a MapBasic app as a binary file without the need to give you the source code so you can see what I am doing. As MapBasic can access lower lever windows APIs I can do all sorts of damage to the users computer with no way of them checking before hand. If I can get the users to run MapInfo with admin rights (which it normally has to be in order for things to work right) I now have access to your systems32 or program files folder and can nuke them pretty easily (or mess with screen savers, install key loggers). What makes it worse it that MapBasic can call a C or C++ lib, so if I need more power I can create a C lib and just call that from MapBasic.</div>
<div><br></div><div>- Nathan</div></div><br>