[QGIS-Developer] QGIS plugin depends on pypi package

Greg Troxel gdt at lexort.com
Fri Jan 19 09:13:16 PST 2024


John Lindsay via QGIS-Developer <qgis-developer at lists.osgeo.org> writes:

> Besides, a better solution would be for the plugin to install this
> package via pip when it is itself first installed and launched. I
> tried to accomplish this with the following code:
>
> https://github.com/jblindsay/whitebox_workflows_for_qgis/blob/4e463262f6cfd1987afa2f3f7e0e79656eb8d27e/whitebox_workflows_for_qgis_provider.py#L56
>
> This code, which runs whenever the plugin is launched, first checks to
> see if whitebox_workflows can be imported and if not, it runs pip from
> the Python script to install it. Unfortunately, some users have
> reported issues with this not working correctly:

(Writing from the UNIX perspective.) 

Perhaps biased by my packaging background, I view any code that downloads
other code at runtime (without an explicit user request) as a security
bug.   This is especially true if it isn't getting sources pinned to a
version and validated by checksum.

That said, there are a lot of interesting questions about how to deal with
dependencies of plugins.   For qgis itself, dependencies are properly
dealt with by a packaging system and that seems ok.

For plugins, I could see treating them as python modules and packaging
them, but qgis wants to have its own package management system.

qgis is usually installed, via packaging, globally (/usr or /usr/pkg, or
similar).  The immediate question is where plugins go.  I'd expect them
to be in the user's file area vs system, unless installing them in some
administrator role.  The next question is, if they depend on something,
what prefixes and install methods are expected for those things, both
regular packages (programs and shlibs) and python modules.  Which is
partly/mostly about what the search paths are in the plugin execution
environment.

Overall, I'd rather see plugins fail with a message and leave
installation as a manual decision than have plugins run pip install.
But I get it that most people probably don't see it that way.
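
One way a plugin could do what this message prefers: fail with a message instead of running pip, and hand the user a version-pinned, hash-checked requirement to install by hand. This is an added example, not part of the original message or the plugin's code; the version and SHA-256 values are placeholders, and the distribution name is assumed to match the module name.

```python
import importlib.util
from importlib import metadata

# Hypothetical pin. Version and digest are placeholders, not values from the page.
PINNED = {
    "module": "whitebox_workflows",
    "dist": "whitebox_workflows",            # assumed to match the module name
    "version": "0.0.0",                      # placeholder version
    "sha256": "<sha256-of-reviewed-wheel>",  # placeholder digest
}


class MissingDependency(RuntimeError):
    """Raised instead of downloading or installing anything at runtime."""


def requirement_line(pin):
    # Line format accepted by `pip install --require-hashes -r <file>`.
    return f"{pin['dist']}=={pin['version']} --hash=sha256:{pin['sha256']}"


def dependency_problem(pin):
    """Return None if the pinned dependency is usable, else a description."""
    if importlib.util.find_spec(pin["module"]) is None:
        return f"{pin['module']} is not installed"
    try:
        found = metadata.version(pin["dist"])
    except metadata.PackageNotFoundError:
        return f"{pin['module']} is importable but has no package metadata"
    if found != pin["version"]:
        return f"{pin['dist']} {found} is installed, {pin['version']} is expected"
    return None


def require(pin):
    """Fail with manual instructions; never run pip from the plugin."""
    problem = dependency_problem(pin)
    if problem is None:
        return
    raise MissingDependency(
        f"{problem}.\nTo install it yourself, put this line in requirements.txt:\n"
        f"  {requirement_line(pin)}\n"
        "and run: python -m pip install --require-hashes -r requirements.txt"
    )
```

With `--require-hashes`, pip refuses any downloaded file whose digest does not match, so the checksum check happens in the user's own install step rather than inside the plugin.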

