<div dir="ltr">Hi John,<div><br></div><div>A former colleague of mine developed "qpip".</div><div>This is meant as a pip dependency manager for plugins and will install any additional dependencies from a supplied requirements.txt in a controlled way into the user profile folder.</div><div><br></div><div>There has never been any big announcement done regarding this plugin, but it's the best "pip"-like integration into QGIS which I am aware of.</div><div><br></div><div><a href="https://github.com/opengisch/qpip">https://github.com/opengisch/qpip</a><br></div><div><br></div><div>Kind regards</div><div>Matthias</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jan 19, 2024 at 6:13 PM Greg Troxel via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org">qgis-developer@lists.osgeo.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">John Lindsay via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org" target="_blank">qgis-developer@lists.osgeo.org</a>> writes:<br>
<br>
> Besides, a better solution would be for the plugin to install this<br>
> package via pip when it is itself first installed and launched. I<br>
> tried to accomplish this with the following code:<br>
><br>
> <a href="https://github.com/jblindsay/whitebox_workflows_for_qgis/blob/4e463262f6cfd1987afa2f3f7e0e79656eb8d27e/whitebox_workflows_for_qgis_provider.py#L56" rel="noreferrer" target="_blank">https://github.com/jblindsay/whitebox_workflows_for_qgis/blob/4e463262f6cfd1987afa2f3f7e0e79656eb8d27e/whitebox_workflows_for_qgis_provider.py#L56</a><br>
><br>
> This code, which runs whenever the plugin is launched, first checks to<br>
> see if whitebox_workflows can be imported and if not, it runs pip from<br>
> the Python script to install it. Unfortunately, some users have<br>
> reported issues with this not working correctly:<br>
<br>
(Writing from the UNIX perspective.) <br>
<br>
Perhaps biased by my packaing background, I view any code that downloads<br>
other code at runtime (without an explicit user request) as a security<br>
bug. This is especially true if it isn't getting sources pinned to a<br>
version and validated by checksum.<br>
<br>
That said, there's a lot of interesting questions about how to deal with<br>
dependencies of plugins. For qgis itself, dependencies are properly<br>
dealt with by a packaging system and that seems ok.<br>
<br>
For plugins, I could see treating them as python modules and packaging<br>
them, but qgis wants to have its own package management system.<br>
<br>
qgis is usually installed, via packaging, globally (/usr or /usr/pkg, or<br>
similar). The immediate question is where plugins go. I'd expect them<br>
to be in the user's file area vs system, unless installing them in some<br>
administrator role. The next question is, if they depend on something,<br>
what prefixes and install methods are expected for those things, both<br>
regular packages (programs and shlibs) and python modules. Which is<br>
partly/mostly about what the search paths are in the plugin execution<br>
environment.<br>
<br>
Overall, I'd rather see plugins fail with a message and leave<br>
installation as a manual decision than have plugins run pip install.<br>
But I get it that most people probably don't see it that way.<br>
_______________________________________________<br>
QGIS-Developer mailing list<br>
<a href="mailto:QGIS-Developer@lists.osgeo.org" target="_blank">QGIS-Developer@lists.osgeo.org</a><br>
List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
</blockquote></div>