Feature request #14914

Add a warning to Plugin manager

Added by Paolo Cavallini about 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: High
Assignee: Borys Jurgiel
Category: Plugin Manager
Pull Request or Patch supplied: No
Resolution:
Easy fix?: No
Copied to github as #: 22866

Description

Users should be warned that external plugins may contain even serious errors and malicious code.


Related issues

Related to QGIS Application - Feature request #17349: Sort out the trusted/untrusted plugins/authors stuff Closed 2017-10-28

History

#1 Updated by Paolo Cavallini about 4 years ago

  • Operating System set to All
  • Category set to Plugin Manager

#2 Updated by Alexander Bruy about 4 years ago

Where is the best place for such a warning? We can put it on the plugin description page shown on the right side of the Plugin Manager, e.g. under the plugin title and description.

Also we need to agree on the text of this warning. It can be something like "This is a 3rd party plugin and the QGIS team has no relation to it. The plugin may have bugs or even malicious code. Use at your own risk". Or just a simple "Use at your own risk".

#3 Updated by Paolo Cavallini about 4 years ago

@tim, could you please suggest the best wording here?

#4 Updated by Tim Sutton about 4 years ago

"*Please Note:* Whilst the QGIS project provides a platform for creating and sharing plugins, we make no assertions as to the quality and security of these plugins. Plugins in the repository are developed by third parties and may have bugs, be non-functional or even contain malicious code. We recommend that you carefully review which plugins you install. You should understand that the use of contributed plugins is entirely at your own risk. If you wish to report an issue with any plugin, please contact us at "

#5 Updated by Alexander Bruy about 4 years ago

Where should this warning be shown: on each plugin page or somewhere else?

#6 Updated by Paolo Cavallini about 4 years ago

  • Subject changed from Add a warning to Plugn manager to Add a warning to Plugin manager

#7 Updated by Paolo Cavallini about 4 years ago

IMHO it is OK to add it to the settings tab of the plugin manager, beside the new option "Only trusted plugins", so users are warned before turning the option off.

#8 Updated by Tim Sutton about 4 years ago

I think we need to display it on the web site too since you can download them from there.

#9 Updated by Harrissou Santanna about 4 years ago

Tim Sutton wrote:

  If you wish to report an issue with any plugin, please contact us at

Isn't there a risk of having people report issues about plugin functionality (I mean simple bug reports) to instead of the plugin author?

#10 Updated by Paolo Cavallini about 4 years ago

Harrissou, fully agreed, this is a big risk, which can lead to an unsustainable situation for the plugin manager.

#11 Updated by Tim Sutton about 4 years ago

Hi Harrissou

Yes - on the other hand it is common for sites to have a way to report issues with the content on the site. If you are trying to report a malicious plugin, writing to the plugin author obviously isn't the way to go and there should be some mechanism to do it. We could use the ticket system, but I think that just transfers the same problem somewhere else.

Do you have any alternative suggestion that might work?

Regards

Tim

#12 Updated by Harrissou Santanna about 4 years ago

Hi,
I realised after Paolo's message that I should have come up with a solution. Tim, I'm OK with asking them to report to the plugin site if there's malicious code or no source provided with the plugin. What I meant was about the wording. With

  If you wish to report an issue with any plugin, please contact us at

some people may report all kinds of issues. Our warning should IMHO emphasize/be more precise about the kind of issues (malicious code, source not provided, something else?) for which we're expecting reports.

#13 Updated by Tim Sutton about 4 years ago

Hi Harrissou

Ok thanks for your input! How about this revised text?:

"*Please Note:* Whilst the QGIS project provides a platform for creating and sharing plugins, we make no assertions as to the quality and security of these plugins. Plugins in the repository are developed by third parties and may have bugs, be non-functional or even contain malicious code. We recommend that you carefully review which plugins you install. You should understand that the use of contributed plugins is entirely at your own risk. If you wish to report an issue with any plugin that you believe may be a security issue, or that creates a poor experience for users in other ways, please contact the plugin creators directly. If you do not receive a response from the plugin author or you do not believe the author intends to correctly address a serious issue, please contact us at and we will consider delisting the plugin if needed."

#14 Updated by Harrissou Santanna about 4 years ago

LGTM. And sorry for my first unclear reaction.

#15 Updated by Paolo Cavallini about 4 years ago

Seems reasonable to me, thanks.

#16 Updated by Harrissou Santanna about 4 years ago

A side note about the warning: does it mean that the QGIS project no longer checks the quality of the plugins?
Around me, I often praise the completeness of QGIS using (also) the features, reliability and openness of its plugin infrastructure (Core or not). Everybody is aware that bugs are inherent to a software project, but malicious code is another thing.
I'm afraid that, given that few people among QGIS users are able/willing to dig into plugin code and identify malicious code, the expression "malicious code" scares them and gives a negative image of the QGIS plugin repo.

I remember a call from Paolo about an automatic tool from the devs to check that side of the plugins. Couldn't that be on the Todo list and financed by QGIS.ORG (or did I miss something)?

#17 Updated by Paolo Cavallini about 4 years ago

Please use the mailing list for longer discussions.
Yes, same quality check in place, unchanged.

#18 Updated by Borys Jurgiel over 3 years ago

  • Assignee set to Borys Jurgiel

#19 Updated by Giovanni Manghi about 3 years ago

  • Easy fix? set to No

#21 Updated by Borys Jurgiel over 2 years ago

  • Status changed from Open to Closed

Superseded by #17349

#22 Updated by Borys Jurgiel over 2 years ago
