[QGIS-Developer] How to deal with QGIS plugins which install additional packages

Nyall Dawson nyall.dawson at gmail.com
Tue Oct 22 23:16:43 PDT 2024


On Wed, 23 Oct 2024, 4:07 pm Matthias Kuhn, <matthias at opengis.ch> wrote:

> On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer <
> qgis-developer at lists.osgeo.org> wrote:
>
>>
>>
>> On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <
>> qgis-developer at lists.osgeo.org> wrote:
>>
>>> Thomas B via QGIS-Developer <qgis-developer at lists.osgeo.org> writes:
>>>
>>> > Dear QGIS-Developers,
>>> >
>>> > Are there any guidelines from the QGIS project regarding whether a QGIS
>>> > plugin is allowed to autonomously install required packages using PIP or
>>> > similar tools without manual installation by the user?
>>> >
>>> > While this might seem convenient, I see it as a potential security risk,
>>> > especially if the user is not explicitly informed about what is happening
>>> > in the background.
>>>
>>> Agreed this is not ok.  I think a plugin downloading anything to be
>>> executed or interpreted should be entirely prohibited.
>>>
>>
>> +1 . This practice should lead to a plugin being removed from the
>> repositories.
>>
>> (Possibly we could do something on the code side too, e.g. by monkey
>> patching over subprocess/etc and explicitly blocking execution of pip, with
>> a developer-friendly exception stating this policy. It'd be easy for
>> someone motivated to circumvent, but could at least be used to advise
>> plugin developers that this is not acceptable practice...)
>>
>
> We've tried to come up with a more transparent approach with support for
> requirements.txt (see https://github.com/opengisch/qpip). It is using pip
> but with a frontend which informs the user and lets him confirm an eventual
> installation.
> Is this approach generally acceptable?
>

Well, I definitely trust yourself/OpenGIS significantly more than other
random plugin developers 👍

I would personally feel safest if this was something officially endorsed,
with an explicit allow list of acceptable packages.



Nyall



> Matthias
>
>
>>
>> Nyall
>>
>> _______________________________________________
>>> QGIS-Developer mailing list
>>> QGIS-Developer at lists.osgeo.org
>>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>>
>
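The code-side idea Nyall floats above (a guard over subprocess that refuses to spawn pip and fails with a developer-facing exception) together with his allow-list remark, written out as an added Python illustration. It is not part of this thread, of QGIS or of qpip; PluginPolicyError, ALLOWED_PACKAGES, install_guard and the placeholder package name are assumptions made here. As Nyall says, it is advisory rather than a security boundary: it is easy to circumvent, and its value is the clear policy message a plugin author sees the moment their code tries to call pip.

```python
"""Guard that makes a pip invocation from plugin code fail with a policy message.

Added illustration of the monkey-patching idea from the QGIS-Developer thread;
it is not part of QGIS or of qpip. PluginPolicyError, ALLOWED_PACKAGES and
install_guard() are names invented here.
"""
import os
import re
import shlex
import subprocess
import sys
from pathlib import PurePath


class PluginPolicyError(RuntimeError):
    """Raised instead of spawning pip; the message explains the policy to the developer."""


POLICY_MESSAGE = (
    "QGIS plugin policy: a plugin must not install packages with pip on its own. "
    "Declare the dependency and let the user install it explicitly."
)

# Hypothetical allow list of packages a plugin may request ("explicit allow list
# of acceptable packages"). An empty set means no pip installs at all.
ALLOWED_PACKAGES = frozenset({"example-allowed-package"})

# Splits "Numpy>=1.26", "pkg[extra]" or "name @ url" into the bare project name.
_SPEC_SPLIT = re.compile(r"[<>=!~\[;@]")


def normalize_argv(args):
    """Turn the forms Popen accepts (str, bytes, PathLike, sequence) into a list of str."""
    if isinstance(args, (str, bytes, os.PathLike)):
        # A bare string is split the way a shell would; good enough for a policy check.
        return shlex.split(os.fsdecode(args))
    return [os.fsdecode(a) for a in args]


def pip_arguments(argv):
    """Return pip's own arguments if argv starts pip (directly or via python -m pip), else None."""
    if not argv:
        return None
    exe = PurePath(argv[0]).name.lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe in ("pip", "pip3") or exe.startswith("pip3."):
        return argv[1:]
    if exe == "py" or exe.startswith("python"):
        # Look for "-m pip" before the first non-option argument (a script path).
        for i in range(1, len(argv) - 1):
            if argv[i] == "-m":
                return argv[i + 2:] if argv[i + 1] == "pip" else None
            if not argv[i].startswith("-"):
                break
    return None


def requested_packages(pip_args):
    """Project names requested by 'pip install ...'; None when the subcommand is not install."""
    if not pip_args or pip_args[0] != "install":
        return None
    names = []
    expect_file = False
    for arg in pip_args[1:]:
        if expect_file:
            # Value of -r/--requirement: a file we do not inspect here, so it is never allowed.
            names.append("requirements-file:" + arg)
            expect_file = False
        elif arg in ("-r", "--requirement"):
            expect_file = True
        elif arg.startswith("-"):
            continue  # other options are ignored; their values count as names (conservative)
        else:
            names.append(_SPEC_SPLIT.split(arg, 1)[0].strip().lower().replace("_", "-"))
    return names


def check_command(args):
    """Raise PluginPolicyError for a pip invocation that is not fully covered by the allow list."""
    pip_args = pip_arguments(normalize_argv(args))
    if pip_args is None:
        return None
    names = requested_packages(pip_args)
    if names and all(n in ALLOWED_PACKAGES for n in names):
        return None
    raise PluginPolicyError(f"{POLICY_MESSAGE} Blocked command: pip {' '.join(pip_args)}")


_OriginalPopen = subprocess.Popen


class _GuardedPopen(_OriginalPopen):
    """Popen subclass that runs the policy check before any child process is created."""

    def __init__(self, args, *popen_args, **popen_kwargs):
        check_command(args)
        super().__init__(args, *popen_args, **popen_kwargs)


def install_guard():
    """subprocess.run/call/check_output all build on the module-level Popen name, so
    replacing it routes every one of them through the check."""
    subprocess.Popen = _GuardedPopen


def uninstall_guard():
    subprocess.Popen = _OriginalPopen


def demo():
    """What a plugin doing 'python -m pip install requests' would see; returns the message."""
    install_guard()
    try:
        subprocess.run([sys.executable or "python3", "-m", "pip", "install", "requests"])
    except PluginPolicyError as exc:
        return str(exc)
    finally:
        uninstall_guard()
    return None


if __name__ == "__main__":
    print(demo())
```

The guard is installed once by the host (here, a hypothetical call from QGIS start-up), not by plugins; plugin code that goes through any of the subprocess helpers then gets the policy text instead of a silent install, while ordinary child processes are unaffected.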