Bug report #14022
Version check should be user-controlled
Status: | Closed | |
---|---|---|---
Priority: | Normal | |
Assignee: | - | |
Category: | Unknown | |
Affected QGIS version: | master | Regression?: | No
Operating System: | | Easy fix?: | No
Pull Request or Patch supplied: | Yes | Resolution: | end of life
Crashes QGIS or corrupts data: | No | Copied to github as #: | 22035
Description
In 2.12 and later releases, it looks like on startup, QGIS phones home to check for a newer release and displays this information in a banner along the bottom edge of the screen. While being able to know that a newer release is available is a nice feature, as currently implemented I would consider this an anti-feature for these reasons:
- There is no user-facing control for setting this status check. In many packages which provide automatic checking for updates, the ability to control these updates is a UI preference pane, ideally one which also has a manual 'check now' button to force a manual check.
- On every startup of QGIS the software now phones home to qgis.org, which likely violates expectations of the user. Additionally, this connection is made over plain HTTP, which means the content can be manipulated in transit, and is a potential security issue depending on the robustness of the version parsing code.
- On most of the platforms listed (Linux, BSD, OS X), the releases are distributed by upstream providers. The version information presented is often incorrect, because for a user on one of these platforms, while there may be a newer release available to developers, they are dependent on updates to their upstream providers, which isn't information present in the versions.txt file.
If it's deemed still useful to notify users of a potential update (upstream provider issue aside), I would recommend a pop-up on initial installation which allows the user to configure their preferences for automatic updates. This minimizes the violation of expectations, and partially mitigates the above. I'd also recommend switching to https://qgis.org/version.txt as the source document, and verifying the integrity of the certificate.
The relevant changeset appears to be this one from 2015-07-18: bb69f166ad9990889212b246fc006616c889d2e0
History
#1 Updated by Shaun Walbridge almost 9 years ago
Here's the list of reasons correctly formatted for Textile:
- There is no user-facing control for setting this status check. In many packages which provide automatic checking for updates, the ability to control these updates is a UI preference pane, ideally one which also has a manual 'check now' button to force a manual check.
- On every startup of QGIS the software now phones home to qgis.org, which likely violates expectations of the user. Additionally, this connection is made over plain HTTP, which means the content can be manipulated in transit, and is a potential security issue depending on the robustness of the version parsing code.
- On most of the platforms listed (Linux, BSD, OS X), the releases are distributed by upstream providers. The version information presented is often incorrect, because for a user on one of these platforms, while there may be a newer release available to developers, they are dependent on updates to their upstream providers, which isn't information present in the versions.txt file.
#2 Updated by Giovanni Manghi almost 9 years ago
- Category deleted (Browser)
#3 Updated by Sebastian Dietrich almost 9 years ago
- Affected QGIS version changed from 2.12.0 to master
Edited the description to be in the correct textile format.
Since bb69f166ad9990889212b246fc006616c889d2e0 the version check is done via HTTPS, not HTTP.
#4 Updated by Sebastian Dietrich almost 9 years ago
- % Done changed from 0 to 100
- Pull Request or Patch supplied changed from No to Yes
See PR 2790 for the implementation of a new setting in the options dialog allowing the user to decide whether the version check should be done at startup.
#5 Updated by Sebastian Dietrich almost 9 years ago
- % Done changed from 100 to 60
#6 Updated by Sebastian Dietrich almost 9 years ago
Maybe a solution for the third issue (upstream providers) could be to deactivate the version check in packaged versions of QGIS?
Any decent package manager checks for updates and informs the user if one is available, so QGIS does not have to check on its own and probably report back a version that is not (yet) available from the upstream provider.
#7 Updated by Nyall Dawson almost 9 years ago
Sebastian - perhaps the version checking could be wrapped in an #if with a configure variable (eg WITH_VERSION_CHECK). That should make it easy for distros to easily disable the checking in their packages.
#8 Updated by Sebastian Dietrich almost 9 years ago
Since the version check is configurable now, it makes me wonder:
Can a distro define the default settings? E.g. if I install QGIS from my upstream provider the new configuration option is already disabled, while it would be enabled (the default) if I download it from the QGIS website?
This might be interesting for other settings, too.
#9 Updated by Nyall Dawson almost 9 years ago
Possibly.... but a configure variable would be more robust and easier for packagers, IMO.
Maybe we should even default the version checking variable to false. It would only ever need to be enabled for selected packages (windows, osx), and makes no sense for self-compiled or distro-provided versions.
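The description's concern about parsing a response that may have been altered in transit, together with the build-time switch proposed in comments #7 and #9, can be sketched as follows. This is an added example, not QGIS code: only `WITH_VERSION_CHECK` comes from the thread, while the function names, the `example.invalid` URL and the single-line `MAJOR.MINOR.PATCH` response format are assumptions.

```cpp
// Added illustration, not QGIS source. Only WITH_VERSION_CHECK comes from the
// thread; every other name and the "MAJOR.MINOR.PATCH" body format are assumed.
#include <cstddef>
#include <string>
#include <tuple>

#ifdef WITH_VERSION_CHECK  // build-time gate: off unless a packager defines it
constexpr bool kCompiledIn = true;
#else
constexpr bool kCompiledIn = false;
#endif
using Version = std::tuple<int, int, int>;

// Contact the server only if compiled in, enabled by the user, and the URL is
// https. Certificate verification itself is left to the HTTP client.
bool shouldCheck(bool compiledIn, bool userEnabled, const std::string &url) {
  return compiledIn && userEnabled && url.rfind("https://", 0) == 0;
}

// Strictly parse the untrusted response body; anything unexpected is rejected.
bool parseVersion(const std::string &body, Version &out) {
  if (body.empty() || body.size() > 32) return false;  // bounded input
  int part[3] = {0, 0, 0};
  std::size_t i = 0;
  for (int p = 0; p < 3; ++p) {
    int digits = 0;
    for (; i < body.size() && body[i] >= '0' && body[i] <= '9'; ++i) {
      if (++digits > 4) return false;  // caps the value, so no integer overflow
      part[p] = part[p] * 10 + (body[i] - '0');
    }
    if (digits == 0) return false;
    if (p < 2 && (i >= body.size() || body[i++] != '.')) return false;
  }
  if (i < body.size() && body[i] == '\n') ++i;  // one trailing newline allowed
  if (i != body.size()) return false;           // no trailing markup or text
  out = std::make_tuple(part[0], part[1], part[2]);
  return true;
}

// True only when the body parses cleanly and names a strictly newer version.
bool updateAvailable(const Version &running, const std::string &body) {
  Version remote;
  return parseVersion(body, remote) && remote > running;
}

int main() {  // constructed sample response body "2.14.0\n"
  if (!shouldCheck(kCompiledIn, true, "https://example.invalid/version.txt")) return 0;
  return updateAvailable(std::make_tuple(2, 12, 0), "2.14.0\n") ? 0 : 1;
}
```

Because the banner would be built from the parsed integers rather than from the server's text, a modified response can at worst suppress the notice or display a wrong version number.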
#10 Updated by Jürgen Fischer almost 9 years ago
And the version test wasn't adapted to our "new" scheme of ltr releases next to our regular releases...
#11 Updated by Giovanni Manghi over 7 years ago
- Regression? set to No
- Easy fix? set to No
#12 Updated by Jürgen Fischer about 7 years ago
- Category set to Unknown
#13 Updated by Giovanni Manghi over 5 years ago
- Status changed from Open to Closed
- Resolution set to end of life
End of life notice: QGIS 2.18 LTR
Source: http://blog.qgis.org/2019/03/09/end-of-life-notice-qgis-2-18-ltr/