Emma Hain via QGIS-Developer <qgis-developer@lists.osgeo.org> writes:
> I like this idea of having it reviewed for a cost!

I am not really comfortable with that. It creates a bias to company-produced software. The costs really should be paid by the people that are relying on the safety judgements, not the ones producing open-source code.

There is a real issue, and the reality of what people do and don't trust does not necessarily line up with what makes sense. QGIS has review and a lot of eyes, so people presume that QGIS is safe (from a "no malicious code" cyber-security viewpoint). Some plugins have known authors, and reputations. Others are new. Perhaps more plugins should get moved to core and maintained there by PR, but that is probably pushing work on existing people and not reasonable. It might be that a not-maintained label for plugins is in order, applied one year after last update, with filtering those out by default.

With respect to the organization, it seems they probably should develop a review process and an allowed list, no different than how they treat loading any other software onto company computers (or computers with company data, whatever). They could pay for support for review/advice. Right now individuals make these judgements; I certainly think about plugins before installing them.

Longer term, I wonder about sandboxing plugins, android style, with limits on filesystem access and internet access.

_______________________________________________
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
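The two controls proposed in the reply (a not-maintained label applied one year after the last update, hidden by default, and an organisation-side allowed list) can be expressed as a small policy check. This is an added example, not code from the thread or from QGIS; it assumes each plugin record carries a last-update date (as a repository listing would provide) and uses constructed plugin names and dates.

```python
"""Policy check over a constructed QGIS plugin inventory (added example).

Assumptions not taken from the thread: each plugin record carries the date of
its last update, and the organisation maintains an explicit allow list of
reviewed plugins. All names and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# "not-maintained label ... applied one year after last update"
NOT_MAINTAINED_AFTER = timedelta(days=365)


@dataclass(frozen=True)
class PluginRecord:
    name: str
    author: str
    last_update: date  # assumed to come from the plugin repository listing


def label_plugin(rec: PluginRecord, today: date) -> str:
    """Return 'not-maintained' once the last update is more than a year old."""
    return "not-maintained" if today - rec.last_update > NOT_MAINTAINED_AFTER else "active"


def filter_installable(records, allowed, today, show_unmaintained=False):
    """Apply the organisation's allow list, then hide not-maintained plugins by default."""
    installable = []
    for rec in records:
        if rec.name not in allowed:
            continue  # never reviewed by the organisation: not offered at all
        if label_plugin(rec, today) == "not-maintained" and not show_unmaintained:
            continue  # stale plugin filtered out unless the user opts in
        installable.append(rec.name)
    return installable


# Constructed sample inventory (not real plugins).
TODAY = date(2024, 6, 1)
INVENTORY = [
    PluginRecord("ReviewedActive", "known-author", date(2024, 3, 10)),
    PluginRecord("ReviewedStale", "known-author", date(2022, 1, 5)),
    PluginRecord("UnreviewedNew", "new-author", date(2024, 5, 20)),
]
ALLOW_LIST = {"ReviewedActive", "ReviewedStale"}

if __name__ == "__main__":
    for rec in INVENTORY:
        print(f"{rec.name}: {label_plugin(rec, TODAY)}")
    print("installable by default:", filter_installable(INVENTORY, ALLOW_LIST, TODAY))
    print("with stale shown:", filter_installable(INVENTORY, ALLOW_LIST, TODAY, show_unmaintained=True))
```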