I think we have to put a level of trust in here. If the source is available (ship it with the plugin please) and the user is trustworthy I don't see a lot of harm here.
It's not ideal to have binary downloads; however, there are some use cases for that, so I would hate to not allow it when the rest is still valid, e.g. valid license etc.

On Mon, Dec 19, 2016 at 9:49 PM, Luigi Pirelli <[email protected]> wrote:

> In this case the problem is security
>
> code is available and compiled for most used platforms... but hard to
> certify the content of the so/dll.
>
> any opinion?
> Luigi Pirelli
>
> **************************************************************************
> * Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
> * LinkedIn: https://www.linkedin.com/in/luigipirelli
> * Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
> * GitHub: https://github.com/luipir
> * Mastering QGIS 2nd Edition:
> * https://www.packtpub.com/big-data-and-business-intelligence/mastering-qgis-second-edition
> **************************************************************************
>
> On 19 December 2016 at 09:40, Matthias Kuhn <[email protected]> wrote:
> > Hi all
> >
> > What's the main goal? Code availability? Security? Platform independency?
> > Just curious.
> >
> > All the best
> > Matthias
> >
> > On December 19, 2016 9:25:29 AM GMT+01:00, Luigi Pirelli <[email protected]> wrote:
> >>
> >> Hi Pedro,
> >>
> >> Nothing personal, your case is a common case due the fact to many
> >> cases where to integrate external executables or shared objects.
> >>
> >> we can have a way to certificate this binary (e.g. signing process but
> >> could become harder develop plugins, checksums). In the meantime, I
> >> strongly suggest to have a two phase plugin. A first phase that
> >> prepare running environment downloading so or dll from somewhere with
> >> the user consensus, and then the running phase.
> >>
> >> in this way you can facilitate users to access plugin thanks to qgis
> >> repo, and turn around plugin limitations that community gave for user
> >> security.
> >>
> >> regards
> >> Luigi Pirelli
> >>
> >> On 19 December 2016 at 08:25, Pedro Camargo <[email protected]> wrote:
> >>>
> >>> Hi Luigi and Paolo,
> >>>
> >>> I corrected the problems you pointed out with AequilibraE and
> >>> re-uploaded it.
> >>>
> >>> Luigi's concern with malicious code is a very valid one, and I would
> >>> actually appreciate to have a manner to have it checked. However, I
> >>> would appreciate if we could find a solution that does not prevent us
> >>> from having plugins that are compiled.
> >>>
> >>> As Luigi pointed out, the code is written in Cython to increase
> >>> performance of the software, but it is still 5.5x slower than the
> >>> proprietary software that I used as a benchmark. In a nutshell, if it
> >>> cannot be compiled, it will never fly. So I would ask you guys to be
> >>> considerate of this point.
> >>>
> >>> My concerns might not even be valid, and I do apologize if that is the
> >>> case. I just must admit that, as an amateur software developer, I miss
> >>> some of the jargon used here when talking about more technical issues
> >>> on software development.
> >>>
> >>> Cheers,
> >>> Pedro
> >>>
> >>> On Mon, Dec 19, 2016 at 7:18 AM, Luigi Pirelli <[email protected]> wrote:
> >>>>
> >>>> Hi List
> >>>>
> >>>> The Binary problem (?):
> >>>> In this recently added plugin I can find cython modules precompiled in
> >>>> forms of pyd, or so. (and relative cython code)
> >>>> Following the presentation in:
> >>>> https://www.youtube.com/watch?v=zz3jbM_JBTo
> >>>> I understand that the reason is performance, but how to prevent
> >>>> loading malicious shared objects?
> >>>>
> >>>> * probably we should start to plan a safe infrastructure to allow
> >>>> uploading plugin with compiled modules... any idea other than a simple
> >>>> checksum?
> >>>>
> >>>> The license problem (?):
> >>>> other question is regarding the cython algorithm. I can read in
> >>>>
> >>>> https://github.com/AequilibraE/AequilibraE/blob/master/aequilibrae/paths/AoN.pyx#L23
> >>>> "Codes for route ennumeration, DAG construction and Link nesting were
> >>>> written by Pedro Camargo (2013) and have all their rights reserved to
> >>>> the author"
> >>>>
> >>>> Obviously the author has right reserved, and in the same code the
> >>>> author refers to the LICENSE.txt that is a standard GPL license:
> >>>> here:
> >>>> https://github.com/AequilibraE/AequilibraE/blob/master/aequilibrae/paths/AoN.pyx#L18
> >>>> and here:
> >>>> https://github.com/AequilibraE/AequilibraE/blob/master/LICENSE.TXT
> >>>>
> >>>> how should we have to read the "right reserved" sentence by the author?
> >>>>
> >>>> regards
> >>>> Luigi Pirelli
> >>>>
> >>>> On 18 December 2016 at 14:28, <[email protected]> wrote:
> >>>>>
> >>>>> Plugin AequilibraE approval by pcav.
> >>>>> The plugin version "[1102] AequilibraE 0.3.3" is now approved
> >>>>> Link: http://plugins.qgis.org/plugins/AequilibraE/
> >>>>> ________________________________
> >>>>>
> >>>>> Qgis-developer mailing list
> >>>>> [email protected]
> >>>>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> >>>>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> >
> > --
> > Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
Qgis-developer mailing list
[email protected]
List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
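
The two-phase idea from the quoted thread, combined with a checksum, as an added example that is not part of the thread or of any plugin's own code: phase 1 installs a fetched module only after user consent and a match against a SHA-256 digest shipped in the reviewed plugin source, and phase 2 re-checks the file before import. The function names, `example_module.so` and the sample bytes are constructed; a matching digest shows the file is the one the author pinned, not that its contents are benign.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a compiled module and the digest a plugin would ship.
SAMPLE = b"constructed bytes standing in for example_module.so"
PINNED = hashlib.sha256(SAMPLE).hexdigest()


class BinaryRejected(Exception):
    """The native module must not be installed."""


def prepare_native_module(name, pinned_sha256, fetch, ask_user, dest_dir):
    """Phase 1: fetch `name`, verify it, then place it in dest_dir.

    fetch(name) returns the binary's bytes (a download in a real plugin);
    ask_user(name) returns True only if the user agreed. Both are hypothetical.
    """
    if not ask_user(name):
        raise BinaryRejected("user declined download of %s" % name)
    data = fetch(name)
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256.lower()):
        raise BinaryRejected("digest mismatch for %s: got %s" % (name, digest))
    # Write to a temporary file and rename, so an interrupted run never
    # leaves a half-written module where the plugin would import it.
    os.makedirs(dest_dir, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=dest_dir, suffix=".part")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # basename() keeps a crafted name from escaping dest_dir.
    final = os.path.join(dest_dir, os.path.basename(name))
    os.replace(tmp, final)
    return final


def verify_installed(path, pinned_sha256):
    """Phase 2: re-hash the file on disk before the plugin imports it."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), pinned_sha256.lower())
```
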
