[QGIS-Developer] External python package dependency in plugins
Richard Duivenvoorde
rdmailings at duif.net
Mon Jul 9 23:03:37 PDT 2018
On 07/10/2018 06:15 AM, shiva reddy wrote:
> I don't think so. Since all plugins goes through approval mechanism, I
> think it is not unsafe. Rather increase the plugin user base.
> Even if we want to not allow this .In that case, We should have
> mechanism by which QGIS itself does installation of external
> dependencies based on approved plugin's metadata.
> It will ease the life of plugin developers for sure.
>
> Shiva
> Just taking a step back here -- is this something we actually want to
> support/allow in plugins?
>
> Seems to me like it opens the door for all sorts of security issues.
>
> Nyall
@shiva: the 'approval mechanism' is done by humans, and a lot of work,
as there are a lot of dev releasing small changes of their plugins...
So I would not count on that for security.
We have been talking about running some (security) rules over the plugin
sources before approval, but... nobody implemented it yet.
@nyall: as I said earlier in this thread, we have been talking about
adding the pip-command in the metadata.txt. That is better, yes?
I agree with you, Shiva's way has some security issues, but I was
thinking that we could do a grep on the sources of a plugin
automatically, to search for the subprocess line, and check if something
else then pip is called?
It IS a friendly way of installing (well, as we keep it in user space...).
If we could make it being installed in a QGIS Virtual Env or even in a
venv per plugin that would be safer?
Others?
Regards,
Richard Duivenvoorde
More information about the QGIS-Developer
mailing list