Hi Giuseppe,

On Sat, Mar 10, 2012 at 10:04 AM, Giuseppe Sucameli <[email protected]> wrote:
> Hi Larry,
>
> On Sat, Mar 10, 2012 at 4:43 PM, Larry Shaffer <[email protected]> wrote:
>> On Sat, Mar 10, 2012 at 3:04 AM, Alexander Bruy
>> <[email protected]> wrote:
>>> ...
>>> We can't be sure that 3rd party binaries are safe and there are no security
>>> risks (especially on Windows). Python code can be verified by user. I know
>>> that not all users are programmers but at least this is possible. But
>>> verifying a binary file is almost impossible.
>>
>> I've been using the Mac version of QGIS, compiled and packaged by a
>> 'third party' (Mr. Kyngesburye), for years. I have run his installers
>> and compiled programs countless times, just as any other regular Mac
>> QGIS user.
>
> it's not the same...
> If Kyngchaos were not Kyngchaos his packages would not be in the
> QGis download page.

Agreed, though I'm not sure how apparent this is to new Mac users. I would venture to guess that some users are concerned when a fairly large-scale open source project links to an individual's web site for downloads. I certainly don't have any issues with it, but I haven't been a regular Mac user for quite a while, so my perspective may be off the mark on this. Seems I remember a time when standalone versions of QGIS were available via the qgis.org site as well. Like other users I went with Kyngchaos.com because his installers offer more versatility, e.g. frameworks, offer a more complete workflow, with GRASS, etc., and are diligently prepared.

>> This should be the same for plugins. Let the user decide.
>
> I do not agree.
> In the plugins repo anyone can create a new plugin, then it would
> be very unsafe to allow compiled code which nobody can verify.
>
> The user expects that a plugin in the QGis repository is safe,
> otherwise this can strongly damage the QGis reputation.

I agree 100%. Sorry if my words may have implied I think compiled software should be in the Official plugin repo. That would be bad, as you have noted. Let me clarify... by plugin installer, I, by proxy, guess I meant the base repo as well. Isn't there a movement away from third party repos entirely? When is that anticipated?

>> However, the
>> user should be informed, if a plugin requires additional software,
>> regardless of origin, at the appropriate time.
>
> +1, this work is partially done from the plugins installer which shows
> a message when a python module is missing, but the message is not
> intuitive enough for users.
>
> Let's try to simplify life for users:
>
> if the plugin's author adds important information (e.g. required libs) to
> a README file, the plugins repo may display them in the plugin
> page (like GitHub does).
>
> Wouldn't it be enough?

Yes.
How about a bit further and have __init__.py/metadata sections listing external dependencies and a description of what they are for? (Or have I missed that option?) Then the user can be warned programmatically even if they have downloaded and manually installed the plugin. User warned on attempted load of plugin, regardless of how installed. Similar to the notifications for dependencies in Linux package managers, but not to the point of exhibiting loading errors, like with missing Python modules.

Similar side note: Here is the not-quite-finished, 'component missing' notification and link to small installer that I am planning for my plugin release [0]. With my plugin's approach, a user can install the base Python plugin, peruse the documentation, tutorial and partial tool set, then judge if they want to download the additional installer or uninstall the plugin.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

[0] http://dl.dropbox.com/u/4058089/qgis/qsci/help/qsci-missing.html

_______________________________________________
Qgis-developer mailing list
[email protected]
http://lists.osgeo.org/mailman/listinfo/qgis-developer
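
One way the load-time warning proposed in this message could work, as an added example that is not code from QGIS or from the plugin mentioned above. The `[external_dependencies]` section, its `kind:name = purpose` layout and every function name are hypothetical; dependencies are only looked up, never imported or executed.

```python
import configparser
import importlib.util
import shutil

# Constructed sample metadata; the section name and key layout are hypothetical.
SAMPLE_METADATA = """
[general]
name = Example Plugin

[external_dependencies]
python:json = reading project settings
python:no_such_module_xyz = optional editor component
binary:no-such-helper-xyz = compiled helper shipped by a separate installer
"""

def declared_dependencies(metadata_text):
    """Return [(kind, name, purpose)] declared by the plugin author."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep module and binary names case-sensitive
    parser.read_string(metadata_text)
    if not parser.has_section("external_dependencies"):
        return []
    deps = []
    for key, purpose in parser.items("external_dependencies"):
        kind, sep, name = key.partition(":")
        if not sep or kind not in ("python", "binary") or not name:
            raise ValueError("malformed dependency entry: %r" % key)
        deps.append((kind, name, purpose.strip()))
    return deps

def is_present(kind, name):
    """Locate the dependency without importing or running it."""
    if kind == "python":
        try:
            return importlib.util.find_spec(name) is not None
        except (ImportError, ValueError):
            return False
    return shutil.which(name) is not None

def missing_dependencies(metadata_text):
    return [d for d in declared_dependencies(metadata_text)
            if not is_present(d[0], d[1])]

def load_warning(metadata_text):
    """Text to show before the plugin loads, or None if nothing is missing."""
    missing = missing_dependencies(metadata_text)
    if not missing:
        return None
    lines = ["This plugin needs additional software that was not found:"]
    lines += ["  %s (%s): %s" % (n, k, p) for k, n, p in missing]
    return "\n".join(lines)
```

Because the check runs against the metadata rather than the installer, it applies equally to a plugin that was downloaded and unpacked by hand.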
