[QGIS-Developer] How to deal with QGIS plugins which install additional packages

C Hamilton adenaculture at gmail.com
Tue Oct 22 16:14:14 PDT 2024


Hi Thomas,

My personal feeling is that this is a very real security risk. I know that
it makes it easy to get the extra Python packages installed, but it is not
worth it. My plugins that require extra Python packages notify the user
that they need to be installed and give instructions on how to install
them.

I would caution the QGIS community against going down this road.

Best wishes,
Calvin

On Tue, Oct 22, 2024 at 10:45 AM Thomas B via QGIS-Developer <
qgis-developer at lists.osgeo.org> wrote:

> Dear QGIS-Developers,
>
> Are there any guidelines from the QGIS project regarding whether a QGIS
> plugin is allowed to autonomously install required packages using PIP or
> similar tools without manual installation by the user?
>
> While this might seem convenient, I see it as a potential security risk,
> especially if the user is not explicitly informed about what is happening
> in the background.
>
> One Example:  https://plugins.qgis.org/plugins/StreetSmart/
>
> (I don't intend to blame the author of this plugin. ... it's just an
> example because I recently installed this plugin and noticed that it tried
> to install additional packages.)
>
> When I installed the plugin it opened two command line windows where no
> output/echo was shown to the user, just a black window... so not very
> transparent what’s happening.
>
> I had a look at the source code and the plugin uses subprocess to install
> packages with pip:
>
> https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L1005
>
> For one package the plugin only points to a download URL from which a
> wheel file is downloaded (a self-hosted version of cefpython3, because the
> one that can be installed with pip is not compatible with Python 3.12):
>
> https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L90
>
> This makes it challenging for the QGIS project to evaluate if the plugin
> can cause a security threat, as the file that gets downloaded might differ
> from the one checked before publishing.
>
> From my perspective, I believe QGIS plugins should at least always ask the
> user for consent before installing additional modules, especially when the
> modules are downloaded from the internet.
>
> Prompted by this recent experience, I would like to ask you for some
> feedback: How do you feel about this topic?
>
> regards,
> Thomas
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>
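Calvin's approach of telling the user what to install, together with Thomas's point that a file fetched from a bare URL can differ from what reviewers saw, as an added Python example that is not part of this thread or of the StreetSmart plugin: it reports missing modules with instructions instead of running pip, and compares a wheel the user downloaded against a hash pinned in the plugin source. The module names, the file path and the expected hash are placeholders I made up for the example.

```python
# Added example (not code from the thread or the StreetSmart plugin): a
# plugin-side dependency check that reports what is missing instead of
# installing it, plus a pinned-hash check for a wheel the user downloaded.
# Module names, distribution names, path and hash are constructed placeholders.
import hashlib
import importlib.util

# Importable module name -> pip distribution name (constructed placeholders).
REQUIRED = {"shapely": "shapely", "cefpython3": "cefpython3"}


def missing_dependencies(required=REQUIRED):
    """Return the pip names of required modules that cannot be imported."""
    return [pip_name for module, pip_name in required.items()
            if importlib.util.find_spec(module) is None]


def install_instructions(missing):
    """Build the message shown to the user; nothing is installed on their behalf."""
    if not missing:
        return "All required Python packages are available."
    return ("This plugin needs the following Python packages, which are not "
            "installed: " + ", ".join(missing) + ". Please install them "
            "yourself, e.g. from the OSGeo4W shell: pip install "
            + " ".join(missing))


def sha256_of_file(path):
    """Hash the file in chunks so a large wheel is never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def wheel_matches_pin(path, expected_sha256):
    """True only if the wheel on disk is byte-identical to the reviewed one.

    Pinning the hash in the plugin source lets plugin reviewers check the
    exact file the plugin will accept, which a bare download URL cannot.
    """
    return sha256_of_file(path) == expected_sha256.lower()
```

The plugin can surface `install_instructions(...)` in a QGIS message bar or dialog and refuse to load the feature until the user has acted, rather than opening console windows that run pip unseen.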