[QGIS-Developer] How to deal with QGIS plugins which install additional packages
Thomas B
rdbath.regiodata at gmail.com
Tue Oct 22 07:37:48 PDT 2024
Dear QGIS-Developers,
Are there any guidelines from the QGIS project regarding whether a QGIS
plugin is allowed to autonomously install required packages using PIP or
similar tools without manual installation by the user?
While this might seem convenient, I see it as a potential security risk,
especially if the user is not explicitly informed about what is happening
in the background.
One Example: https://plugins.qgis.org/plugins/StreetSmart/
(I don't intend to blame the author of this plugin... it's just an
example because I recently installed this plugin and noticed that it tried
to install additional packages.)
When I installed the plugin it opened two command line windows where no
output/echo was shown to the user, just a black window... so not very
transparent what’s happening.
I had a look at the source code and the plugin uses subprocess to install
packages with pip:
https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L1005
For one package the plugin only points to a download URL from which a wheel
file is downloaded (a self-hosted version of cefpython3, because the one
that can be installed with pip is not compatible with Python 3.12):
https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L90
This makes it challenging for the QGIS project to evaluate if the plugin
can cause a security threat, as the file that gets downloaded might differ
from the one checked before publishing.
From my perspective, I believe QGIS plugins should at least always ask the
user for consent before installing additional modules, especially when the
modules are downloaded from the internet.
Prompted by this recent experience, I would like to ask you for some
feedback: How do you feel about this topic?
regards,
Thomas
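What the consent-and-pinning approach described in the message could look like inside a plugin, as an added example that is not code from the StreetSmart plugin or from the QGIS project. It assumes the plugin author records the exact wheel URL and its SHA-256 when testing (the URL and hash below are constructed placeholders), asks the user before running pip, lets pip refuse any file whose hash does not match (`--require-hashes`), and captures pip's output so the user sees what happened instead of a blank console window. The `consent` callback is any callable; in QGIS it would wrap a `QMessageBox.question`, and `DryRunner` records the command instead of executing it.

```python
"""Consent-gated, hash-pinned dependency installer for a QGIS plugin.

Added example, not code from the StreetSmart plugin or the QGIS project.
The wheel URL, filename and SHA-256 below are constructed placeholders.
"""
import hashlib
import importlib.util
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Sequence


@dataclass(frozen=True)
class PinnedDependency:
    import_name: str   # module name used to detect whether it is already present
    requirement: str   # pip requirement: "name==x.y" or a direct wheel URL
    sha256: str        # hex SHA-256 of the exact artifact pip is allowed to install


# Constructed placeholder; a real plugin records the hash of the file it tested.
CEFPYTHON_PLACEHOLDER = PinnedDependency(
    import_name="cefpython3",
    requirement="https://example.invalid/cefpython3-PLACEHOLDER-cp312-cp312-win_amd64.whl",
    sha256="0" * 64,
)


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(path: Path, expected_sha256: str) -> bool:
    """Check a wheel the plugin downloaded itself before handing it to pip."""
    return sha256_of_bytes(path.read_bytes()) == expected_sha256.lower()


def plan_missing(deps: Sequence[PinnedDependency]) -> list:
    """Only packages that cannot currently be imported need installing."""
    return [d for d in deps if importlib.util.find_spec(d.import_name) is None]


def describe_plan(missing: Sequence[PinnedDependency]) -> str:
    """Text shown to the user before anything is installed."""
    lines = ["This plugin wants to install the following packages into QGIS's Python:"]
    lines += [f"  {d.requirement}  (sha256 {d.sha256[:12]}...)" for d in missing]
    lines.append("Nothing is installed unless you agree.")
    return "\n".join(lines)


def build_pip_command(req_file: Path) -> list:
    # --require-hashes makes pip refuse any file whose hash is not listed;
    # --no-deps stops it from silently pulling in unpinned transitive packages.
    return [sys.executable, "-m", "pip", "install", "--require-hashes",
            "--no-deps", "-r", str(req_file)]


class DryRunner:
    """Records the pip command instead of executing it (demo and tests)."""
    def __init__(self):
        self.commands = []

    def __call__(self, cmd, **kwargs):
        self.commands.append(list(cmd))
        return subprocess.CompletedProcess(cmd, 0, stdout="(dry run)\n", stderr="")


def ensure_dependencies(deps, consent: Callable[[str], bool],
                        runner=subprocess.run, log=print) -> str:
    """Returns 'ok', 'declined', 'installed' or 'failed'."""
    missing = plan_missing(deps)
    if not missing:
        return "ok"
    # In QGIS `consent` would wrap QMessageBox.question; here it is any callable.
    if not consent(describe_plan(missing)):
        log("Installation declined; features needing these packages stay disabled.")
        return "declined"
    with tempfile.TemporaryDirectory() as tmp:
        req_file = Path(tmp) / "requirements.txt"
        req_file.write_text(
            "".join(f"{d.requirement} --hash=sha256:{d.sha256}\n" for d in missing))
        cmd = build_pip_command(req_file)
        log("Running: " + " ".join(cmd))
        # Output is captured and logged so the user sees what pip did,
        # rather than an empty console window.
        result = runner(cmd, capture_output=True, text=True)
        log(result.stdout)
        if result.returncode != 0:
            log(result.stderr)
            return "failed"
    return "installed"


if __name__ == "__main__":
    print(ensure_dependencies([CEFPYTHON_PLACEHOLDER],
                              consent=lambda text: print(text) or True,
                              runner=DryRunner()))
```

Run as a script it prints the consent text and the pip command it would have executed; with `runner` left at its default, pip itself aborts the install if the downloaded file's hash differs from the pinned one, which is the property that lets a reviewer compare the published hash against the file they checked.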