[QGIS-Developer] How to deal with QGIS plugins which install additional packages

[Thomas B]

Dear QGIS-Developers,

Are there any guidelines from the QGIS project regarding whether a QGIS
plugin is allowed to autonomously install required packages using PIP or
similar tools without manual installation by the user?

While this might seem convenient, I see it as a potential security risk,
especially if the user is not explicitly informed about what is happening
in the background.

One Example:  https://plugins.qgis.org/plugins/StreetSmart/

( I don't intend to blame the author of this plugin. ... it's just an
example because I recently installed this plugin and noticed that it tried
to install additional packages.)

When I installed the plugin it opened two command line windows where no
output/echo was shown to the user, just a black window... so not very
transparent what’s happening.

I had a look at the source code and the plugin uses subprocess to install
packages with pip:

https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L1005

For one package the plugin only points to a download URL from which a wheel
file is downloaded (a self hosted version of cefpython3, because the one
that can be installed with pip is not compatible to Python 3.12)  :

https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L90

This makes it challenging for the QGIS project to evaluate if the plugin
can cause a security threat, as the file that gets downloaded might differ
from the one checked before publishing.

>From my perspective, I believe QGIS plugins should at least always ask the
user for consent before installing additional modules, especially when the
modules are downloaded from the internet.

Prompted by this recent experience, I would like to ask you for some
feedback: How do you feel about this topic?

regards,
Thomas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20241022/576c8afe/attachment.htm>