[QGIS-Developer] External python package dependency in plugins

Richard Duivenvoorde rdmailings at duif.net
Mon Jul 9 23:03:37 PDT 2018


On 07/10/2018 06:15 AM, shiva reddy wrote:
> I don't think so. Since all plugins go through the approval mechanism, I
> think it is not unsafe. Rather, it increases the plugin user base.
> Even if we want to not allow this, in that case we should have a
> mechanism by which QGIS itself does the installation of external
> dependencies based on the approved plugin's metadata.
> It will ease the life of plugin developers for sure.
> 
> Shiva

>     Just taking a step back here -- is this something we actually want to
>     support/allow in plugins?
> 
>     Seems to me like it opens the door for all sorts of security issues.
> 
>     Nyall

@shiva: the 'approval mechanism' is done by humans, and a lot of work,
as there are a lot of devs releasing small changes of their plugins...
So I would not count on that for security.
We have been talking about running some (security) rules over the plugin
sources before approval, but... nobody implemented it yet.

@nyall: as I said earlier in this thread, we have been talking about
adding the pip-command in the metadata.txt. That is better, yes?

I agree with you, Shiva's way has some security issues, but I was
thinking that we could do a grep on the sources of a plugin
automatically, to search for the subprocess line, and check if something
else than pip is called?
It IS a friendly way of installing (well, as we keep it in user space...).
If we could make it be installed in a QGIS Virtual Env or even in a
venv per plugin, that would be safer?

Others?

Regards,

Richard Duivenvoorde
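A sketch of the automated source check Richard floats above (search plugin sources for subprocess calls and flag anything that is not pip), as an added example that is not part of this thread or of QGIS itself: it walks the plugin's Python AST instead of grepping, so argv lists built around sys.executable are still resolved, and anything it cannot resolve statically is reported as "unknown" for a human reviewer. The sample plugin source and the verdict names are constructed for the demonstration.

```python
import ast
import shlex

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}
PIP_NAMES = {"pip", "pip3"}
DYNAMIC = "<dynamic>"  # placeholder for an argv element that is not a string literal

# Constructed sample plugin source (not a real plugin): a pip call via sys.executable,
# a shell-string pip call, a non-pip command and a command that cannot be resolved.
SAMPLE_PLUGIN_SOURCE = '''\
import os, subprocess, sys
subprocess.check_call([sys.executable, "-m", "pip", "install", "--user", "shapely"])
subprocess.run("pip3 install geopandas", shell=True)
os.system("make install")
subprocess.Popen(sys.argv[1:])
'''

def _argv_from_node(node):
    """Resolve the command argument to an argv list; None if it is not a literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return shlex.split(node.value)  # shell-string form, e.g. with shell=True
    if isinstance(node, (ast.List, ast.Tuple)):
        return [e.value if isinstance(e, ast.Constant) and isinstance(e.value, str)
                else DYNAMIC for e in node.elts]
    return None

def _verdict(argv):
    """Classify argv as 'pip', 'non-pip' or 'unknown' (needs a human reviewer)."""
    if argv is None:
        return "unknown"
    if "-m" in argv and argv[argv.index("-m") + 1:][:1] == ["pip"]:
        return "pip"  # python -m pip ...
    head = argv[0].rsplit("/", 1)[-1] if argv else ""
    if head in PIP_NAMES:
        return "pip"
    return "unknown" if head == DYNAMIC else "non-pip"

def scan_plugin_source(source):
    """Return (lineno, verdict, argv) per subprocess.*/os.system call, sorted by line.
    Limitation: aliases such as 'from subprocess import call' are not resolved."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name) and node.args):
            continue
        mod, fn = node.func.value.id, node.func.attr
        if (mod == "subprocess" and fn in SUBPROCESS_FUNCS) or (mod, fn) == ("os", "system"):
            argv = _argv_from_node(node.args[0])
            findings.append((node.lineno, _verdict(argv), argv))
    return sorted(findings, key=lambda f: f[0])
```

Run over each .py file in a plugin before approval, anything reported as "non-pip" or "unknown" is what a reviewer should look at by hand.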
