Hmmm.

On Sat, Mar 10, 2012 at 3:04 AM, Alexander Bruy <[email protected]> wrote:
> ...
> We can't be sure that 3rd party binaries are safe and there are no security
> risks (especially on Windows). Python code can be verified by the user. I know
> that not all users are programmers but at least this is possible. But verifying
> a binary file is almost impossible.

I've been using the Mac version of QGIS, compiled and packaged by a 'third party' (Mr. Kyngesburye), for years. I have run his installers and compiled programs countless times, just as any other regular Mac QGIS user. Almost all of his installers require administrator rights, including the one for QGIS. I have no easy way of completely verifying his installers and the compiled programs they install.

I, as an admin user, make the decision to install or not. I trust that Mr. Kyngesburye compiles valid, useful GIS tools, and is not installing anything funky on my Mac.

This should be the same for plugins. Let the user decide. However, the user should be informed if a plugin requires additional software, regardless of origin, at the appropriate time. I agree that the plugin installer should not, by default, allow arbitrary installation of compiled programs, but this shouldn't be a roadblock for potential developers.

> 2012/3/10 <[email protected]>:
>> ...
>> IMHO, a plugin should work out of the box, on all platforms.
>> The "Experimental" flag could be used for such plugins that require
>> compilation or other third-party elements that are not delivered in
>> standard.

There are many plugins that do not work 'out of the box.' IPython for example. On my Mac, I recently had to compile the zeromq package to get its Python bindings to work. It was totally worth the effort, though I doubt most regular Mac users would do this. This should not mean that the plugin remains eternally stuck in the 'Experimental' category, especially if it is stable for use otherwise.

I have spent many, many hours working on a plugin for QGIS that requires the QScintilla PyQt binding. While this can be included in the source builds for QGIS (which I'd like to see), I have, for now, pre-compiled small versions of Qsci.so for both 10.6 and 10.7 Mac OSes. I do not see my small 'third party' installer of compiled software as anything different than what Mr. Kyngesburye is providing. Nor do I see it as any different than explaining to an Ubuntu user to run 'apt-get python-qscintilla2' (also requiring admin permission).

I agree there needs to be some modicum of control, but I can't imagine the state of add-ons for Firefox, if Mozilla took the same tack. I think having plugins not install binaries via the plugin installer, and their developers clearly notifying the user of any extra installs is enough. Let the users decide beyond that.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota
