<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Aptos;}
@font-face
        {font-family:"Segoe UI Emoji";
        panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:12.0pt;
        font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Aptos",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:11.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">I have a possible idea for this problem. Since QGIS relies heavily on Python, it would be beneficial to integrate pip (and conda for conda builds) into QGIS. Maybe add a pip/conda section in the Plugin Manager so that people can easily
 install extra Python packages? Now with this system, a plugin can be written which depends on a Python package. And the plugin would add metadata, like the qgis-plugin-dev-tools toml file, to specify library dependencies/requirements. In the plugins repo,
 the people reviewing the plugin would vet the list of required Python packages to make sure it’s not requiring anything malicious (this replaces the need to maintain a list of “acceptable” packages). When a user goes to install a plugin that has Python dependencies,
 they will be notified (aside from that information being presented in the plugin info) about additional dependencies which QGIS will automatically install for the user (if the user accepts).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-Ethan<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
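<p class="MsoNormal">Added example, not part of the original message and not QGIS or qgis-plugin-dev-tools code: one way the check proposed above could run before the user is asked to confirm, comparing a plugin's declared requirements with the set its reviewers approved. The names vet_requirements, install_prompt, APPROVED and DECLARED and the sample values are assumptions constructed for illustration; only the PyQtWebEngine==5.15.6 pin appears in the thread.</p>
<pre>
```python
import re

# Exact pin only (name==version). Ranges, wildcards, extras and environment
# markers are rejected so that what was reviewed is exactly what is installed.
_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9][A-Za-z0-9.!+_-]*)$")


def normalize(name):
    """PEP 503 name normalisation, so 'Example_Geo.Lib' equals 'example-geo-lib'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def vet_requirements(lines, approved):
    """Split declared requirement lines into (accepted, rejected).

    approved maps a normalised package name to the set of reviewed versions.
    rejected is a list of (line, reason) pairs.
    """
    accepted, rejected = [], []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith("-"):
            # e.g. --index-url, --extra-index-url, -r other-file.txt
            rejected.append((line, "pip option lines are not allowed"))
            continue
        if "://" in line or "@" in line:
            rejected.append((line, "direct URL or VCS reference"))
            continue
        match = _PIN.match(line.replace(" ", ""))
        if not match:
            rejected.append((line, "not pinned to one exact version"))
            continue
        name, version = normalize(match.group(1)), match.group(2)
        if name not in approved:
            rejected.append((line, "package not in the reviewed set"))
        elif version not in approved[name]:
            rejected.append((line, "version not in the reviewed set"))
        else:
            accepted.append(f"{name}=={version}")
    return accepted, rejected


def install_prompt(plugin, accepted, rejected):
    """Text shown to the user; nothing is offered if any line failed vetting."""
    if rejected:
        return f"{plugin}: not installable, {len(rejected)} requirement(s) failed vetting"
    return (f"{plugin} needs {len(accepted)} extra Python package(s): "
            f"{', '.join(accepted)}. Install them?")


# Constructed sample data (hypothetical reviewed set and plugin declaration).
APPROVED = {"pyqtwebengine": {"5.15.6"}, "example-geo-lib": {"1.4.2"}}
DECLARED = [
    "PyQtWebEngine==5.15.6   # pin taken from the code quoted in the thread",
    "Example_Geo.Lib == 1.4.2",
    "example-geo-lib>=1.0",
    "unreviewed-package==0.1",
    "--extra-index-url https://packages.example.invalid/simple",
    "helper @ git+https://example.invalid/helper.git",
]

if __name__ == "__main__":
    ok, bad = vet_requirements(DECLARED, APPROVED)
    print(install_prompt("example_plugin", ok, bad))
    for line, reason in bad:
        print(f"  rejected: {line!r}: {reason}")
```
</pre>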
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Joona Laine <joona.p.laine@gmail.com>
<br>
<b>Sent:</b> Wednesday, October 23, 2024 8:10 AM<br>
<b>To:</b> Matthias Kuhn <matthias@opengis.ch><br>
<b>Cc:</b> John Stevenson - BGS <jostev@bgs.ac.uk>; info@opengis.it; qgis-developer <qgis-developer@lists.osgeo.org><br>
<b>Subject:</b> Re: [QGIS-Developer] How to deal with QGIS plugins which install additional packages<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p style="margin:0in"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">Qgis-plugin-dev-tools approach solves this problem by vendoring the packages and
</span><a href="https://github.com/nlsfi/qgis-plugin-dev-tools/blob/2df5c099c9c86700e0d323c67243902f1df46fce/src/qgis_plugin_dev_tools/build/rewrite_imports.py#L10"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">rewriting
</span></a><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">the imports so that "import module.x.y" imports are rewritten in a vendored format: "import something._vendor.module.x.y". Thus multiple plugins can have different versions
 of packages since they all import their own vendored versions.</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">Joona</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, 23 Oct 2024 at 14:58, Matthias Kuhn <<a href="mailto:matthias@opengis.ch">matthias@opengis.ch</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class="MsoNormal">Hi,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This approach will work fine within limitations; as soon as multiple plugins ship the same library, things become risky as there is no isolation between libraries.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">For python libraries, this may be caused by singletons being used and for native libraries (as in this example), it's easy to cause crashes by multiple versions of the same library exporting the same symbols being loaded in parallel.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">That being said: it will work fine in many cases, but I wouldn't promote this as "best practice". After all, python invented virtualenvs for good reasons -- each process will always run one environment (potentially composed of multiple
 cascading virtual envs, but never multiple "parallel" envs).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Cheers<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Matthias<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Wed, Oct 23, 2024 at 1:31<span style="font-family:"Arial",sans-serif"> </span>PM John Stevenson - BGS via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org" target="_blank">qgis-developer@lists.osgeo.org</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif">Hi,<br>
<br>
Mergin Maps plugin also packages the dependencies (including the geodiff binary) into the plugin itself.  I’m not sure how it handles cross-platform differences, though.</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif"><br>
Plugin:</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif"><a href="https://plugins.qgis.org/plugins/Mergin/#plugin-details" target="_blank">https://plugins.qgis.org/plugins/Mergin/#plugin-details</a></span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif">GitHub Actions code:
</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif"><a href="https://github.com/MerginMaps/qgis-plugin/blob/ef0b2502ddb4bcbc1670b0d82832e93b658c18b2/.github/workflows/packages.yml#L116" target="_blank">https://github.com/MerginMaps/qgis-plugin/blob/ef0b2502ddb4bcbc1670b0d82832e93b658c18b2/.github/workflows/packages.yml#L116</a></span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif"><br>
Cheers,<br>
John</span><span lang="EN-GB"><o:p></o:p></span></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> QGIS-Developer <<a href="mailto:qgis-developer-bounces@lists.osgeo.org" target="_blank">qgis-developer-bounces@lists.osgeo.org</a>>
<b>On Behalf Of </b>Joona Laine via QGIS-Developer<br>
<b>Sent:</b> 23 October 2024 10:58<br>
<b>To:</b> <a href="mailto:info@opengis.it" target="_blank">info@opengis.it</a><br>
<b>Cc:</b> qgis-developer <<a href="mailto:qgis-developer@lists.osgeo.org" target="_blank">qgis-developer@lists.osgeo.org</a>><br>
<b>Subject:</b> Re: [QGIS-Developer] How to deal with QGIS plugins which install additional packages</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> <o:p></o:p></span></p>
<div>
<p style="margin:0in"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">One alternative way of managing the dependencies is to package the non-binary runtime dependencies (including licenses) with the plugin. This also tackles
 the problem with different versions of the same requirements between multiple plugins. There is a tool for that
</span><span lang="EN-GB"><a href="https://github.com/nlsfi/qgis-plugin-dev-tools" target="_blank"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">https://github.com/nlsfi/qgis-plugin-dev-tools</span></a></span><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">
 which also has many more useful features for developing QGIS plugins. </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> <o:p></o:p></span></p>
<p style="margin:0in"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">One example of plugins using this tool is pickLayer (</span><span lang="EN-GB"><a href="https://plugins.qgis.org/plugins/pickLayer/" target="_blank"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">https://plugins.qgis.org/plugins/pickLayer/</span></a></span><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">)
 which bundles </span><span lang="EN-GB"><a href="https://github.com/GispoCoding/qgis_plugin_tools" target="_blank"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#1155CC">https://github.com/GispoCoding/qgis_plugin_tools</span></a></span><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">
 with it. </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> <o:p></o:p></span></p>
<p style="margin:0in"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">What do you think about this approach?</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> <o:p></o:p></span></p>
<p style="margin:0in"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">Regards,</span><span lang="EN-GB"><o:p></o:p></span></p>
<p style="margin:0in"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Arial",sans-serif;color:black">Joona</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"> <o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB">On Wed, 23 Oct 2024 at 12:01, Info O.GIS via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org" target="_blank">qgis-developer@lists.osgeo.org</a>>
 wrote:<o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">I also did a similar thing in qgis2web plugin.</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">I explained to the user that he can install qtwebengine to get the latest features and to do so he will have to click on
 a button that indicates that an installation will start.</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">Here is the screen:</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">Could it be okay?</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">The code:</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">try:</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">        if system == 'Windows':</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">            pip_exec = os.path.join(sysconfig.get_path("scripts"), "pip3")</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">            env = os.environ.copy()</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">            if full_proxy_url:</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">                env['http_proxy'] = full_proxy_url</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">                env['https_proxy'] = full_proxy_url</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">            subprocess.check_call([pip_exec, "install", "--upgrade", "PyQtWebEngine==5.15.6"], env=env)</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">        elif system == 'Linux':</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">            subprocess.check_call(["sudo", "apt-get", "install", "python3-pyqt5.qtwebengine"])</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">        elif system == 'Darwin':  # macOS</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><i><span lang="EN-GB" style="font-family:"Arial",sans-serif">            subprocess.check_call(["brew", "install", "pyqt5"])</span></i><span lang="EN-GB"><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span lang="EN-GB" style="font-family:"Calibri",sans-serif;color:#0059B3">Andrea Ordonselli</span></b><span lang="EN-GB"><o:p></o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span lang="EN-GB" style="font-size:10.0pt;font-family:"Calibri",sans-serif;color:#0059B3">O.GIS - <a href="http://opengis.it" target="_blank">opengis.it</a></span></b><span lang="EN-GB"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<div>
<div style="border:none;border-left:solid black 2.25pt;padding:0in 0in 0in 8.0pt">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#5F5F5F">From</span><span lang="EN-GB" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#5F5F5F">
 "QGIS-Developer" <a href="mailto:qgis-developer-bounces@lists.osgeo.org" target="_blank">
qgis-developer-bounces@lists.osgeo.org</a></span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#5F5F5F">To</span><span lang="EN-GB" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#5F5F5F">
 "Matthias Kuhn" <a href="mailto:matthias@opengis.ch" target="_blank">matthias@opengis.ch</a></span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#5F5F5F">Cc</span><span lang="EN-GB" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#5F5F5F">
 "Thomas B via QGIS-Developer" <a href="mailto:qgis-developer@lists.osgeo.org" target="_blank">
qgis-developer@lists.osgeo.org</a></span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#5F5F5F">Date</span><span lang="EN-GB" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#5F5F5F">
 Wed, 23 Oct 2024 16:16:43 +1000</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#5F5F5F">Subject</span><span lang="EN-GB" style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#5F5F5F">
 Re: [QGIS-Developer] How to deal with QGIS plugins which install additional packages</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">On Wed, 23 Oct 2024, 4:07 pm Matthias Kuhn, <<a href="mailto:matthias@opengis.ch" target="_blank">matthias@opengis.ch</a>>
 wrote:</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org" target="_blank">qgis-developer@lists.osgeo.org</a>>
 wrote:</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
</div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <<a href="mailto:qgis-developer@lists.osgeo.org" target="_blank">qgis-developer@lists.osgeo.org</a>>
 wrote:</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">Thomas B via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org" target="_blank">qgis-developer@lists.osgeo.org</a>>
 writes:<br>
<br>
> Dear QGIS-Developers,<br>
><br>
> Are there any guidelines from the QGIS project regarding whether a QGIS<br>
> plugin is allowed to autonomously install required packages using PIP or<br>
> similar tools without manual installation by the user?<br>
><br>
> While this might seem convenient, I see it as a potential security risk,<br>
> especially if the user is not explicitly informed about what is happening<br>
> in the background.<br>
<br>
Agreed this is not ok.  I think a plugin downloading anything to be<br>
executed or interpreted should be entirely prohibited.</span><span lang="EN-GB"><o:p></o:p></span></p>
</blockquote>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">+1. This practice should lead to a plugin being removed from the repositories.</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">(Possibly we could do something on the code side too, eg by monkey patching over subprocess/etc and explicitly blocking
 execution of sip, with a developer-friendly exception stating this policy. It'd be easy for someone motivated to circumvent, but could at least be used to advise plugin developers that this is not acceptable practice...)</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">We've tried to come up with a more transparent approach with support for requirements.txt (see
<a href="https://github.com/opengisch/qpip" target="_blank">https://github.com/opengisch/qpip</a>). It is using pip but with a frontend which informs the user and lets him confirm an eventual installation.</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">Is this approach generally acceptable?</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">Well, I definitely trust yourself/OpenGIS significantly more than other random plugin developers
</span><span lang="EN-GB" style="font-family:"Segoe UI Emoji",sans-serif">👍</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">I would personally feel safest if this was something officially endorsed, with an explicit allow list of acceptable packages.</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">Nyall</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">Matthias</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">Nyall</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif"> </span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<div>
<div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-GB" style="font-family:"Arial",sans-serif">_______________________________________________<br>
QGIS-Developer mailing list<br>
<a href="mailto:QGIS-Developer@lists.osgeo.org" target="_blank">QGIS-Developer@lists.osgeo.org</a><br>
List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" target="_blank">
https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" target="_blank">
https://lists.osgeo.org/mailman/listinfo/qgis-developer</a></span><span lang="EN-GB"><o:p></o:p></span></p>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
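<p class="MsoNormal">Added example, not code from the thread or from QGIS: the monkey-patching idea raised in the quoted discussion, written as a subprocess.Popen replacement that refuses to start a package installer and raises an exception naming the policy. Which commands count as installers (pip, apt-get and brew, taken from the code quoted in the thread), the exception wording and all names in the block are assumptions.</p>
<pre>
```python
import os
import re
import shlex
import subprocess


class PackageInstallBlocked(RuntimeError):
    """Raised instead of starting a package installer from plugin code."""


# Assumed policy: the installers that appear in the code quoted in the thread.
_PIP = re.compile(r"^pip[0-9.]*$")
_PYTHON = re.compile(r"^python[0-9.]*$")
_SYSTEM_INSTALLERS = {"apt-get", "brew"}
_WRAPPERS = {"sudo"}


def _program(arg):
    """Lower-cased executable name without directory or .exe suffix."""
    name = arg.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def installer_in(argv):
    """Return the installer an argv would start, or None if it is not an install."""
    if isinstance(argv, str):                       # command-line string
        argv = shlex.split(argv, posix=(os.name != "nt"))
    elif isinstance(argv, (bytes, os.PathLike)):    # single program, no arguments
        argv = [argv]
    args = [os.fsdecode(a) for a in argv]
    while args and _program(args[0]) in _WRAPPERS:  # look through "sudo ..."
        args = args[1:]
    if not args:
        return None
    prog, rest = _program(args[0]), args[1:]
    if _PYTHON.match(prog) and rest[:2] == ["-m", "pip"]:
        prog, rest = "pip", rest[2:]                # "python -m pip install ..."
    if (_PIP.match(prog) or prog in _SYSTEM_INSTALLERS) and "install" in rest:
        return prog
    return None


_RealPopen = subprocess.Popen


class GuardedPopen(_RealPopen):
    """Popen that refuses installer commands.

    subprocess.run(), call(), check_call() and check_output() all construct
    subprocess.Popen, so replacing that one name covers them as well.
    os.system(), os.exec*() and importing pip in-process are not covered:
    this advises plugin developers, it is not a sandbox.
    """

    def __init__(self, args, *rest, **kwargs):
        blocked = installer_in(args)
        if blocked:
            # Message wording is an assumption; the check runs before any
            # process is created.
            raise PackageInstallBlocked(
                f"Plugins must not install packages at runtime (blocked: {blocked}). "
                "Bundle the dependency or declare it so the user can install it."
            )
        super().__init__(args, *rest, **kwargs)


def install_guard():
    """Activate the guard for every later subprocess call in this process."""
    subprocess.Popen = GuardedPopen


def remove_guard():
    """Restore the original Popen."""
    subprocess.Popen = _RealPopen


if __name__ == "__main__":
    install_guard()
    try:
        # Same argv shape as the quoted plugin code; never reaches the OS.
        subprocess.check_call(["pip3", "install", "--upgrade", "PyQtWebEngine==5.15.6"])
    except PackageInstallBlocked as exc:
        print("blocked:", exc)
    finally:
        remove_guard()
```
</pre>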
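<p class="MsoNormal">Added example, not the qgis-plugin-dev-tools implementation: the import rewriting described in the thread ("import module.x.y" becoming "import something._vendor.module.x.y"), done here with Python's ast module, including the case where a dotted import without an alias must still bind the top-level name the plugin code uses. The prefix myplugin._vendor, the package names and the sample source are constructed for illustration.</p>
<pre>
```python
import ast  # ast.unparse requires Python 3.9 or newer


class VendorImportRewriter(ast.NodeTransformer):
    """Point absolute imports of vendored packages at a private prefix."""

    def __init__(self, vendored, prefix):
        self.vendored = set(vendored)   # top-level package names that are bundled
        self.prefix = prefix            # e.g. "myplugin._vendor"

    def _vendored(self, dotted):
        return dotted.split(".")[0] in self.vendored

    def visit_Import(self, node):
        out = []
        for alias in node.names:
            target = f"{self.prefix}.{alias.name}"
            if not self._vendored(alias.name):
                out.append(ast.Import(names=[alias]))
            elif alias.asname or "." not in alias.name:
                # "import pkg" / "import pkg.sub as s": keep the bound name.
                bound = alias.asname or alias.name
                out.append(ast.Import(names=[ast.alias(name=target, asname=bound)]))
            else:
                # "import pkg.sub" binds "pkg". Load the vendored submodule,
                # then bind "pkg" to the vendored package so "pkg.sub.x"
                # in the plugin keeps working. (The first statement also
                # binds the plugin's own top-level package name.)
                top = alias.name.split(".")[0]
                out.append(ast.Import(names=[ast.alias(name=target, asname=None)]))
                out.append(ast.ImportFrom(module=self.prefix,
                                          names=[ast.alias(name=top, asname=None)],
                                          level=0))
        return out

    def visit_ImportFrom(self, node):
        # Relative imports (level greater than 0) already stay inside the plugin.
        if node.level == 0 and node.module and self._vendored(node.module):
            node.module = f"{self.prefix}.{node.module}"
        return node


def rewrite_imports(source, vendored, prefix):
    """Return source with vendored imports rewritten.

    Comments and formatting are lost by ast.unparse, and imports done through
    importlib.import_module("name") strings are not touched.
    """
    tree = VendorImportRewriter(vendored, prefix).visit(ast.parse(source))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree)


# Constructed plugin source used as sample input.
SAMPLE = """\
import os
import requests
import requests.adapters
import yaml as y
from requests.exceptions import HTTPError
from . import helpers
"""

if __name__ == "__main__":
    print(rewrite_imports(SAMPLE, {"requests", "yaml"}, "myplugin._vendor"))
```
</pre>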
</body>
</html>