Implement a system to inform users on plugin reliability #55812

Open
aloboa opened this issue Jan 10, 2024 · 3 comments

aloboa commented Jan 10, 2024

Feature description

Many important tasks in QGIS are actually performed by plugins.
There is currently no appropriate way for users to know if a plugin is reliable.
For example, a few months ago the new version of a plugin that I often use was
crashing my QGIS session just by starting up the plugin.
Now, another plugin labeled as "stable" and in version 1.5 issues an error,
and the "bug tracker" link does not bring the user to any place where the bug
could be reported.
I understand the QGIS core devs cannot take responsibility, but as, from a user point of view, the reliability
of the entire QGIS depends on plugins as well, something has to be done.

I propose:

  1. Include the statement
    "Plugins are developed by independent organizations and developers, the QGIS organization does not take any responsibility for them."
    (from https://plugins.qgis.org/)
    in QGIS itself, "Manage and Install plugins", as most users will never open the plugins page and are not
    aware of this fact.

  2. According to a conversation with Alexander Neto in the qgis-users list,
    "there are few plugins that have the qgis.org "certification". They are called featured plugins."
    In that case, please change the term "featured" to "certified". For me, "featured" means just salient.
    "Certified" implies reliable.

  3. Let users report negative side-effects of a given plugin on QGIS, and keep some kind of
    system where other users can be aware of such problems.

  4. Enforce that plugins do have a bug tracking system.

  5. Let plugin developers apply for certification.

A discussion is needed to set the certification requirements.

Additional context

No response

NyakudyaA (Contributor) commented Jan 11, 2024

I help out with plugin approvals and here are my observations:

  • All plugins should have a working bug tracker. If it doesn't, it will/should not be approved.

  • There are a lot of plugins in the registry and when plugins are uploaded for approval we do some basic checks, i.e. does the plugin install, any issues related to the Metadata.txt, check binaries, etc. But this is not exhaustive as we rarely go into depth to check if a plugin does what it says it does unless the plugin has a use case that we have a knowledge base about.

  • What criteria would you use to describe a plugin as certified, and what checks are available to determine that version 2.x that has been released to fix a bug covers all use cases? Plugin unit tests rarely exist.
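
Added example, not part of the thread and not code from QGIS or its plugin repository: a sketch of how the bug-tracker and bundled-binary checks described in the comment above could be automated at upload time. It assumes the `tracker` and `repository` keys in the `[general]` section of `metadata.txt`; the function names, the suffix list and the sample data are constructed for illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample metadata.txt for a hypothetical plugin (not a real one).
SAMPLE_METADATA = """\
[general]
name=Example Plugin
version=1.5
qgisMinimumVersion=3.0
description=Constructed sample
repository=https://example.org/jane/example-plugin
tracker=mailto:jane@example.org
"""

# Constructed file listing of the uploaded package.
SAMPLE_FILES = ["example_plugin/__init__.py", "example_plugin/metadata.txt",
                "example_plugin/lib/helper.dll"]

URL_KEYS = ("tracker", "repository")   # keys a user follows to report a bug
BINARY_SUFFIXES = (".dll", ".so", ".dylib", ".exe", ".pyd")  # assumed list


def check_metadata(text):
    """Return a list of findings for the [general] section of metadata.txt."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str           # keep key case as written
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [f"metadata.txt is not parseable: {exc}"]
    if not parser.has_section("general"):
        return ["metadata.txt has no [general] section"]
    findings = []
    for key in URL_KEYS:
        value = parser["general"].get(key, fallback="").strip()
        url = urlparse(value)
        if not value:
            findings.append(f"{key}: missing or empty")
        elif url.scheme not in ("http", "https") or not url.netloc:
            # e.g. a mailto: link or a bare word gives users nowhere to file a bug
            findings.append(f"{key}: not an http(s) URL: {value!r}")
    return findings


def find_binaries(paths):
    """Return packaged files whose suffix marks them for manual binary review."""
    return [p for p in paths if p.lower().endswith(BINARY_SUFFIXES)]
```

The check runs offline and only validates the form of the links; whether the tracker page actually accepts reports still needs a reviewer or a separate reachability check.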

gregorywaynepower (Contributor) commented

@NyakudyaA, I'd be interested in knowing how plugins score on the OpenSSF Scorecard.

andy778 commented Jan 2, 2025

If I take an open source software supply chain view (an issue tracker is assumed):

Is the software alive?

  • Scorecards, Maintained, Contributors, Vulnerabilities give a clue to this

Is the plugin something that one wants to contribute to (sponsoring, work)?

  • Security.md and licence.md are initial checks (part of Scorecard also)

Can't one create a ticket under the Features plugins to add scorecard with instructions to start with?
