[QGIS-Developer] How to deal with QGIS plugins which install additional packages

Matthias Kuhn matthias at opengis.ch
Tue Oct 22 23:07:23 PDT 2024


On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer <
qgis-developer at lists.osgeo.org> wrote:

>
>
> On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <
> qgis-developer at lists.osgeo.org> wrote:
>
>> Thomas B via QGIS-Developer <qgis-developer at lists.osgeo.org> writes:
>>
>> > Dear QGIS-Developers,
>> >
>> > Are there any guidelines from the QGIS project regarding whether a QGIS
>> > plugin is allowed to autonomously install required packages using PIP or
>> > similar tools without manual installation by the user?
>> >
>> > While this might seem convenient, I see it as a potential security risk,
>> > especially if the user is not explicitly informed about what is happening
>> > in the background.
>>
>> Agreed this is not ok.  I think a plugin downloading anything to be
>> executed or interpreted should be entirely prohibited.
>>
>
> +1 . This practice should lead to a plugin being removed from the
> repositories.
>
> (Possibly we could do something on the code side too, eg by monkey
> patching over subprocess/etc and explicitly blocking execution of pip, with
> a developer-friendly exception stating this policy. It'd be easy for
> someone motivated to circumvent, but could at least be used to advise
> plugin developers that this is not acceptable practice...)
>

We've tried to come up with a more transparent approach with support for
requirements.txt (see https://github.com/opengisch/qpip). It is using pip
but with a frontend which informs the user and lets him confirm an eventual
installation.
Is this approach generally acceptable?

Matthias


>
> Nyall
>
> _______________________________________________
>> QGIS-Developer mailing list
>> QGIS-Developer at lists.osgeo.org
>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>
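As an added illustration of the two ideas discussed in the thread (this is example code written for this page, not code from QGIS or from the qpip project): a monkey-patch over `subprocess.Popen` that turns a plugin's own pip call into a developer-friendly policy error, and a consent frontend that shows the user the parsed `requirements.txt` entries and runs pip only after explicit confirmation. The names `install_guard`, `PluginPolicyError` and `install_with_consent` are hypothetical, and the assumption that `sys.executable` is a Python interpreter does not necessarily hold inside a QGIS process.

```python
"""Added example, not code from QGIS or the qpip project. install_guard()
patches subprocess.Popen (run/call/check_output all go through it) so that
plugin code invoking pip raises PluginPolicyError; install_with_consent()
is the sanctioned path that asks the user first. Detection is heuristic and,
as the thread notes, easy to circumvent: an advisory control, not a sandbox."""
import os
import shlex
import subprocess
import sys

_ORIGINAL_POPEN = subprocess.Popen  # captured before any patching

POLICY_MESSAGE = (
    "QGIS plugin policy: plugins must not install packages by running pip "
    "themselves. Declare them in requirements.txt and let the user confirm "
    "the installation through a transparent frontend."
)


class PluginPolicyError(RuntimeError):
    """Raised when plugin code tries to execute pip directly."""


def _normalize_argv(args):
    """Reduce the forms subprocess accepts (str, bytes, PathLike, sequence)
    to a list of str tokens for inspection."""
    if isinstance(args, (str, bytes, os.PathLike)):
        return shlex.split(os.fsdecode(args))
    return [os.fsdecode(a) for a in args]


def is_pip_invocation(args):
    """True if the command line appears to run pip: a bare or full-path
    pip/pip3/pip3.x[.exe] executable, or the 'python -m pip' module form."""
    argv = _normalize_argv(args)
    if not argv:
        return False
    # Basename with either separator, so Windows paths work on any host.
    exe = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe == "pip" or exe.startswith("pip3"):
        return True
    return any(tok == "-m" and nxt.lower() == "pip"
               for tok, nxt in zip(argv, argv[1:]))


def _guarded_popen(*popenargs, **kwargs):
    """Drop-in replacement for subprocess.Popen that enforces the policy."""
    args = popenargs[0] if popenargs else kwargs.get("args")
    if args is not None and is_pip_invocation(args):
        raise PluginPolicyError(POLICY_MESSAGE)
    return _ORIGINAL_POPEN(*popenargs, **kwargs)


def install_guard():
    """Activate the hook (hypothetical name; call once at QGIS startup)."""
    subprocess.Popen = _guarded_popen


def remove_guard():
    subprocess.Popen = _ORIGINAL_POPEN


def guard_blocks_pip_at_runtime():
    """Self-check: with the guard active, a plugin-style pip call raises
    before any process is spawned."""
    install_guard()
    try:
        subprocess.run([sys.executable, "-m", "pip", "--version"])
    except PluginPolicyError:
        return True
    finally:
        remove_guard()
    return False


def parse_requirements(text):
    """Collect requirement specifiers from requirements.txt content, skipping
    comments, blank lines and pip options such as -r or --index-url."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("-"):
            specs.append(line)
    return specs


def _unguarded_run(argv, check=True):
    """The one sanctioned route to pip: uses the original Popen so the consent
    frontend keeps working while the guard is installed."""
    rc = _ORIGINAL_POPEN(argv).wait()
    if check and rc != 0:
        raise subprocess.CalledProcessError(rc, argv)
    return rc


def install_with_consent(requirements_text, confirm, runner=_unguarded_run):
    """Show the user exactly which specifiers would be installed and run pip
    only if confirm(specs) returns True (a dialog in a real frontend).
    Returns the installed specifiers, or [] if nothing was installed.
    Assumption: sys.executable is a Python interpreter."""
    specs = parse_requirements(requirements_text)
    if not specs or not confirm(specs):
        return []
    runner([sys.executable, "-m", "pip", "install", *specs], check=True)
    return specs
```

The guard deliberately fails loudly with the policy text instead of silently doing nothing, so a plugin author sees why their installer broke; the consent path is the only code holding a reference to the original `Popen`, which keeps the "who may call pip" decision in one place.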