[QGIS-Developer] How to deal with QGIS plugins which install additional packages

Nyall Dawson nyall.dawson at gmail.com
Tue Oct 22 17:49:26 PDT 2024


On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <qgis-developer at lists.osgeo.org> wrote:

> Thomas B via QGIS-Developer <qgis-developer at lists.osgeo.org> writes:
>
> > Dear QGIS-Developers,
> >
> > Are there any guidelines from the QGIS project regarding whether a QGIS
> > plugin is allowed to autonomously install required packages using PIP or
> > similar tools without manual installation by the user?
> >
> > While this might seem convenient, I see it as a potential security risk,
> > especially if the user is not explicitly informed about what is happening
> > in the background.
>
> Agreed this is not ok.  I think a plugin downloading anything to be
> executed or interpreted should be entirely prohibited.
>

+1. This practice should lead to a plugin being removed from the
repositories.

(Possibly we could do something on the code side too, e.g. by monkey patching
over subprocess/etc and explicitly blocking execution of sip, with a
developer-friendly exception stating this policy. It'd be easy for someone
motivated to circumvent, but could at least be used to advise plugin
developers that this is not acceptable practice...)

Nyall
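An added example of the monkey-patching idea Nyall floats (illustrative code, not Nyall's and not part of QGIS): `subprocess.Popen` is replaced with a subclass that raises a policy exception when the command being launched is pip or `python -m pip`. It assumes the guard is installed early in the host process, before any plugin code runs, and that command strings follow POSIX quoting rules.

```python
import os
import shlex
import subprocess

# Executables and "python -m <module>" targets treated as package installers.
_BLOCKED_EXECUTABLES = {"pip", "pip3", "easy_install"}
_BLOCKED_MODULES = {"pip", "ensurepip"}

class PluginPolicyError(RuntimeError):
    """Raised when a plugin tries to install packages at runtime."""

def _as_argv(args):
    """Normalise Popen's 'args' (str, bytes, path or sequence) to a list."""
    if isinstance(args, (bytes, os.PathLike)):
        args = os.fsdecode(args)
    if isinstance(args, str):          # shell=True style command line
        return shlex.split(args)       # assumes POSIX quoting rules
    return [os.fsdecode(a) for a in args]

def is_pip_invocation(args):
    """True if the command would run pip directly or as 'python -m pip'."""
    argv = _as_argv(args)
    if not argv:
        return False
    # "pip3.12", "pip.exe" and "python3.11" all reduce to their first dotted part.
    exe = os.path.basename(argv[0]).lower().split(".")[0]
    if exe in _BLOCKED_EXECUTABLES:
        return True
    if exe.startswith("python") and "-m" in argv:
        idx = argv.index("-m") + 1
        return idx < len(argv) and argv[idx] in _BLOCKED_MODULES
    return False

_REAL_POPEN = subprocess.Popen

class _GuardedPopen(_REAL_POPEN):
    """Drop-in Popen that refuses to launch package installers."""
    def __init__(self, args, *popenargs, **kwargs):
        if is_pip_invocation(args):
            raise PluginPolicyError(
                "QGIS plugins must not install packages at runtime; document "
                "the dependency and let the user install it (attempted: %r)." % (args,))
        super().__init__(args, *popenargs, **kwargs)

def install_guard():
    """Patch subprocess.Popen, which run/call/check_output all go through."""
    subprocess.Popen = _GuardedPopen
```

Calling `install_guard()` once at startup is enough; anything that resolves `subprocess.Popen` at call time then hits the check, while other subprocess launches (GDAL tools, for example) are unaffected.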
