Re: [Qgis-user] QGIS and Computer Security (Windows)
Hey Richard,

On Sun, Feb 19, 2012 at 2:08 AM, Richard Males wrote:
> I am interested in promoting the use of QGIS, but some users have
> expressed concern about computer security issues, particularly in
> respect to the use of plug-ins. The concern is that a downloaded
> plugin may contain malware, activate malicious code, etc. I don't
> know if there is any innate protection within QGIS or python against
> bad behavior on the part of plugins, or if this is a "trust" issue.

While I understand their concerns I do think it is over worrying. Can QGIS be used to download and run malicious code? Yes, but so can any non closed system (living behind Apple's Iron Garden Wall is the exception). Ultimately it does come down to trust but there are a few levels where there is protection.

- Python: Python, like any good programming language, provides no protection against malware or malicious code. Its job is not to care, and nor should it try and stop me. People can write malicious code in any language.

- The QGIS plugin system has a line of defense when the user uploads a plugin to plugins.qgis.org. All plugins, when uploaded by a new user, are by default unapproved. They have to be approved by an admin (there are a handful of us around) before they will be publicly available to all QGIS users. However we don't normally check the code as the chance of something bad happening is low and we don't have the manpower to check over everything. Plugins can also be unapproved if it does turn out something was bad; once unapproved, a plugin is no longer downloadable within QGIS via the Plugin Installer.

- OS level protection. Most good operating systems these days have password protection for anything that is trying to do something in an area it normally shouldn't, but if QGIS is run with elevated permissions it will have access to everything.

- Open source. As QGIS, all its plugins, and components are open source there is nothing stopping the users (or IT) having a look over the code to make sure that it does what it says it does. However you still need to understand what you are looking for.

I have seen the "it's open source, therefore it is a security risk (or is less secure)" card played many times before. I have always strongly disagreed. The fact is that open source by design is open, everything is viewable by the outside user. Every time you download a Python plugin for QGIS you also get the source code, nothing is hidden, little trust needed. Compare this with other closed systems where it is impossible to tell what something is doing, you have to give full trust that the programmer and program know what they are doing.

Example: I used to be a big user of MapInfo. MapInfo has its own programming language called MapBasic which is compiled into a binary executable and run inside the MapInfo environment. I can ship a MapBasic app as a binary file without the need to give you the source code so you can see what I am doing. As MapBasic can access lower level Windows APIs I can do all sorts of damage to the user's computer with no way of them checking beforehand. If I can get the users to run MapInfo with admin rights (which it normally has to be in order for things to work right) I now have access to your system32 or program files folder and can nuke them pretty easily (or mess with screen savers, install key loggers). What makes it worse is that MapBasic can call a C or C++ lib, so if I need more power I can create a C lib and just call that from MapBasic.

- Nathan

___
Qgis-user mailing list
Qgis-user@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/qgis-user
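A first-pass aid for the source review described in the message above, as an added example that is not part of the original thread or of QGIS: it parses a plugin's Python source without running it and lists the imports and calls a reviewer should read first. The module and call lists are an assumed review policy, and the plugin source is assumed to parse with the Python version running the script.

```python
import ast

# Assumed review policy (not a QGIS list): modules and calls that let a plugin
# reach outside QGIS: processes, native code, network, dynamic code execution.
REVIEW_MODULES = {"subprocess", "ctypes", "socket", "urllib", "urllib2",
                  "httplib", "ftplib", "winreg", "_winreg"}
REVIEW_CALLS = {"eval", "exec", "compile", "__import__", "os.system",
                "os.popen", "os.startfile", "os.remove", "shutil.rmtree"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

def review_points(source, filename="<plugin>"):
    """Return sorted (line, kind, name) tuples a reviewer should read first."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        elif isinstance(node, ast.Call):
            called = dotted_name(node.func)
            if called in REVIEW_CALLS:
                findings.append((node.lineno, "call", called))
        for name in names:
            if name.split(".")[0] in REVIEW_MODULES:
                findings.append((node.lineno, "import", name))
    return sorted(findings)

# Constructed sample plugin module, not taken from any real plugin.
SAMPLE_PLUGIN = '''\
import os
from ctypes import windll
import urllib.request
def run(iface):
    exec(open("settings.py").read())
    os.system("echo done")
'''
if __name__ == "__main__":
    for line, kind, name in review_points(SAMPLE_PLUGIN):
        print(f"line {line}: {kind} {name}")
```

A finding is a pointer to code worth reading, not a verdict; an empty list does not show a plugin is safe.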
Re: [Qgis-user] Database Manager and service configuration
Hi Giuseppe,

This is much appreciated - thanks! Let me know when I can test something.

Andreas

On 02/18/2012 04:51 PM, Giuseppe Sucameli wrote:
> Hi Andreas,
>
> On Thu, Feb 16, 2012 at 5:59 PM, Andreas Neumann wrote:
>> 1.
>> One issue I have is that opening db-manager takes 1-2 minutes (on a
>> rather fast machine). Why is it taking so long to open the connection?
>> In main QGIS the connection opens quickly. My db has hundreds of spatial
>> tables and views in about 50 schemas. Is it scanning all schemas and
>> tables at the initial connection?
>
> I'm noticing the same, it's slow when the db has a lot of tables.
> I'm going deep inside the problem, I hope to fix it soon.
>
>> 2.
>> I get an error message after the connection:
>> ---
>> Error:
>> database "an" does not exist
>> Query:
>> SELECT has_database_privilege('an', 'CREATE'),
>> has_database_privilege('an', 'TEMP')
>> ---
>>
>> Why is it looking for a database named after the user connecting to the db?
>
> Because DBManager is trying to display information about the database
> (permissions), but you have no dbname as you're using a service to
> connect to it.
>
> Tickets opened for both the problems ([1] and [2]),
> Regards.
>
> [1] http://hub.qgis.org/issues/5044
> [2] http://hub.qgis.org/issues/5045
[Qgis-user] QGIS and Computer Security (Windows)
I am interested in promoting the use of QGIS, but some users have expressed concern about computer security issues, particularly in respect to the use of plug-ins. The concern is that a downloaded plugin may contain malware, activate malicious code, etc. I don't know if there is any innate protection within QGIS or python against bad behavior on the part of plugins, or if this is a "trust" issue.

I have searched online and in the forums for a discussion of this issue. I posted on the help forum, the responses were anecdotal in nature (e.g., "I have been using QGIS for a few years, never had a problem"), not technical.

I would very much appreciate any thoughts on if/how QGIS currently deals with this, or references to documentation or postings on the issue.

Thank you.

R. Males
Cincinnati, Ohio, USA
Re: [Qgis-user] Database Manager and service configuration
Hi Andreas,

On Thu, Feb 16, 2012 at 5:59 PM, Andreas Neumann wrote:
> 1.
> One issue I have is that opening db-manager takes 1-2 minutes (on a
> rather fast machine). Why is it taking so long to open the connection?
> In main QGIS the connection opens quickly. My db has hundreds of spatial
> tables and views in about 50 schemas. Is it scanning all schemas and
> tables at the initial connection?

I'm noticing the same, it's slow when the db has a lot of tables. I'm going deep inside the problem, I hope to fix it soon.

> 2.
> I get an error message after the connection:
> ---
> Error:
> database "an" does not exist
> Query:
> SELECT has_database_privilege('an', 'CREATE'),
> has_database_privilege('an', 'TEMP')
> ---
>
> Why is it looking for a database named after the user connecting to the db?

Because DBManager is trying to display information about the database (permissions), but you have no dbname as you're using a service to connect to it.

Tickets opened for both the problems ([1] and [2]),
Regards.

[1] http://hub.qgis.org/issues/5044
[2] http://hub.qgis.org/issues/5045

--
Giuseppe Sucameli
[Qgis-user] Plugin FastSQLLayer & pygments
Hi,

I am using qgis-dev from an osgeo-setup installation. When I try to add the plugin Fast-Sql-Layer, it asks me for the Python library pygments. So I added pygments using osgeo-setup. It added the 1.4 version of that library. But after this, the plugin manager again asks me for the pygments library in order to install the FastSQLLayer plugin. Perhaps it needs a more recent version of that library?

Thx,
Andrea.
Re: [Qgis-user] Re: [Qgis-community-team] Presence at AGIT conference
Hi,

I think giving a workshop would be a good idea from the project point of view but also for the attendees at AGIT. I would propose to present something around "Programming QGIS-Applications for Beginners with Python Plugins", perhaps enhanced with a roundup of new features. I'm involved elsewhere at the conference but I could contribute a use case in environmental planning and a use case in emergency gis (see http://www.gis.hsr.ch/wiki/GIS_im_Rettungsdienst ).

Yours, Stefan

2012/2/18 Werner Macho:
> On 17.02.2012 19:11, Anita Graser wrote:
>
> Hi,
>
> I'll be at the AGIT but mostly stuck at my employer's booth.
>
> @Werner: Will you be there, maybe giving a presentation?
>
> Regards,
> Anita
>
> Hi!
>
> I think I'll be at the agit .. depending on how much time I have ..
> giving a presentation would be cool - but honestly - currently I do not have
> any idea about what - and presenting new features (as every year) would
> maybe be a bit boring :)
> But if you have any idea - I am open to suggestions
>
> kind regards
> Werner
[Qgis-user] Re: [Qgis-community-team] Presence at AGIT conference
On 17.02.2012 19:11, Anita Graser wrote:

Hi,

I'll be at the AGIT but mostly stuck at my employer's booth.

@Werner: Will you be there, maybe giving a presentation?

Regards,
Anita

Hi!

I think I'll be at the agit .. depending on how much time I have .. giving a presentation would be cool - but honestly - currently I do not have any idea about what - and presenting new features (as every year) would maybe be a bit boring :)
But if you have any idea - I am open to suggestions

kind regards
Werner