Re: [Qgis-user] Risk of security vulnerability using older version of QGis
Hi Adam,

thank you very much for your detailed information! Because I’m concerned with Software as an end-user only, your explanation gave me really helpful insight and further understanding of the circumstances under which security issues in a program like QGis may arise.

As far as I understood, my concerns about security risks seem more or less negligible, if you work with your own projects mainly. On the other hand I now see that updating should not cause problems because, in case, there still is the option to switch back to the previously used version.

I didn’t know about online vulnerability databases yet. In the future this will also be a helpful resource for me for issues like this!

I really appreciate your help!

Thanks and best wishes
Max

> On 28.02.2024 at 00:37, Adam Nielsen wrote:
>
>> As a private and amateur end-user of QGis I would really like to know
>> if not running the latest version of QGis is a (serious) security
>> risk for my Computer?
>
> Do you open projects and data sources from untrusted people? If so
> then it can be a security risk if you are opening a malicious data
> file. If you trust the files and data sources then the risks are
> minimal, although of course those people could be hacked so there's
> always some unavoidable risk.
>
>> Because of concerns regarding the bug-less performance and
>> compatibility of my old project files (albeit potentially
>> unjustified) and the inconvenience resulting from a missing built in
>> Update feature of QGis, I have not installed the latest version of
>> the program yet.
>
> There's no harm in making a copy of your projects, upgrading QGIS, and
> testing them out. If they break and you can't fix it, you can install
> the old version and restore the project from the copy you made.
>
> I've only been using QGIS for a little over a year now, and kept
> regularly up to date. I've never had a problem with upgrades and even
> going backwards in versions. Different versions have different
> features and bug fixes but so far the likelihood of breaking my projects
> seems pretty low. Of course I still keep backups just in case, because
> there are many other things that can go wrong as well (hardware failure,
> ransomware, etc.)
>
>> As I am quite new to Mac computers and (as many people convinced me
>> it is not necessary) I am not using extra anti-virus software, I have
>> serious concerns if an older version of QGis could be a security risk
>> for my computer.
>
> When security problems are discovered in popular programs like QGIS,
> they are typically recorded in an online vulnerability database. You
> can search this for your favourite programs to see how many
> vulnerabilities there are and how old they are, then do your own
> research to find out what version they were fixed in. The search for
> QGIS shows no security issues found so far:
>
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=qgis
>
> It doesn't mean there aren't any security flaws, just that nobody has
> found any yet.
>
> Often security issues will be in an obscure part of a program that you
> are unlikely to use, so even if there are issues, they may not affect
> you anyway. You'll have to read the details listed on the issue to find
> that out.
>
> Cheers,
> Adam.

___
QGIS-User mailing list
QGIS-User@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user
Re: [Qgis-user] Risk of security vulnerability using older version of QGis
> As a private and amateur end-user of QGis I would really like to know
> if not running the latest version of QGis is a (serious) security
> risk for my Computer?

Do you open projects and data sources from untrusted people? If so then it can be a security risk if you are opening a malicious data file. If you trust the files and data sources then the risks are minimal, although of course those people could be hacked so there's always some unavoidable risk.

> Because of concerns regarding the bug-less performance and
> compatibility of my old project files (albeit potentially
> unjustified) and the inconvenience resulting from a missing built in
> Update feature of QGis, I have not installed the latest version of
> the program yet.

There's no harm in making a copy of your projects, upgrading QGIS, and testing them out. If they break and you can't fix it, you can install the old version and restore the project from the copy you made.

I've only been using QGIS for a little over a year now, and kept regularly up to date. I've never had a problem with upgrades and even going backwards in versions. Different versions have different features and bug fixes but so far the likelihood of breaking my projects seems pretty low. Of course I still keep backups just in case, because there are many other things that can go wrong as well (hardware failure, ransomware, etc.)

> As I am quite new to Mac computers and (as many people convinced me
> it is not necessary) I am not using extra anti-virus software, I have
> serious concerns if an older version of QGis could be a security risk
> for my computer.

When security problems are discovered in popular programs like QGIS, they are typically recorded in an online vulnerability database. You can search this for your favourite programs to see how many vulnerabilities there are and how old they are, then do your own research to find out what version they were fixed in. The search for QGIS shows no security issues found so far:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=qgis

It doesn't mean there aren't any security flaws, just that nobody has found any yet.

Often security issues will be in an obscure part of a program that you are unlikely to use, so even if there are issues, they may not affect you anyway. You'll have to read the details listed on the issue to find that out.

Cheers,
Adam.
Re: [Qgis-user] Risk of security vulnerability using older version of QGis
Hi Max,

On Tue, 27. Feb 2024 at 18:04:30 +0100, Max via QGIS-User wrote:
> I couldn’t find anything useful about my concerns but obviously this has also
> happened to other QGis users
> (https://www.reddit.com/r/QGIS/comments/s1be86/why_did_qgis_ask_to_record_my_screen/)

But that also gives a sensible explanation - or didn't that also happen to you when using the color picker? Otherwise that warning would make sense: QGIS needs to "look" outside its own window if you want to pick a color from elsewhere and macOS warns you about that "recording", because it cannot tell whether the application did that deliberately or upon your request.

That "screen recording" is related to color picking and mac in some tickets. E.g.

https://github.com/qgis/QGIS/issues/48030
https://github.com/qgis/QGIS/issues/51592

So I guess that's ok. But I've never seen it as I don't use a Mac.

Jürgen

--
Jürgen E. Fischer           norBIT GmbH             Tel. +49-4931-918175-31
Dipl.-Inf. (FH)             Rheinstraße 13          Fax. +49-4931-918175-50
Software Engineer           D-26506 Norden          https://www.norbit.de
QGIS release manager (PSC)  Germany                 IRC: jef on Libera|OFTC