[QGIS-Developer] How to deal with QGIS plugins which install additional packages

Info O.GIS info at opengis.it
Wed Oct 23 01:47:40 PDT 2024


   I also did a similar thing in qgis2web plugin.

   I explained to the user that he can install qtwebengine to get the latest features and to do so he will have to click on a button that indicates that an installation will start.

   Here is the screen:

   image.png

   Could it be okay?

   The code:

   import os
   import platform
   import subprocess
   import sysconfig

   def install_webengine(full_proxy_url=None):
       # Called only after the user clicked the button announcing that an installation will start.
       system = platform.system()  # 'Windows', 'Linux' or 'Darwin'
       try:
           if system == 'Windows':
               pip_exec = os.path.join(sysconfig.get_path("scripts"), "pip3")
               env = os.environ.copy()
               if full_proxy_url:
                   env['http_proxy'] = full_proxy_url
                   env['https_proxy'] = full_proxy_url
               subprocess.check_call([pip_exec, "install", "--upgrade", "PyQtWebEngine==5.15.6"], env=env)
           elif system == 'Linux':
               subprocess.check_call(["sudo", "apt-get", "install", "python3-pyqt5.qtwebengine"])
           elif system == 'Darwin':  # macOS
               subprocess.check_call(["brew", "install", "pyqt5"])
       except subprocess.CalledProcessError as exc:
           # Report the failed installer command instead of crashing the plugin.
           raise RuntimeError("qtwebengine installation failed: %s" % exc)

   Andrea Ordonselli
   O.GIS - opengis.it

   From "QGIS-Developer" qgis-developer-bounces at lists.osgeo.org
   To "Matthias Kuhn" matthias at opengis.ch
   Cc "Thomas B via QGIS-Developer" qgis-developer at lists.osgeo.org
   Date Wed, 23 Oct 2024 16:16:43 +1000
   Subject Re: [QGIS-Developer] How to deal with QGIS plugins which install additional packages
   On Wed, 23 Oct 2024, 4:07 pm Matthias Kuhn, <matthias at opengis.ch> wrote:

   On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:

   On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <qgis-developer at lists.osgeo.org> wrote:

     Thomas B via QGIS-Developer <qgis-developer at lists.osgeo.org> writes:
     > Dear QGIS-Developers,
     >
     > Are there any guidelines from the QGIS project regarding whether a QGIS
     > plugin is allowed to autonomously install required packages using PIP or
     > similar tools without manual installation by the user?
     >
     > While this might seem convenient, I see it as a potential security risk,
     > especially if the user is not explicitly informed about what is happening
     > in the background.
     Agreed this is not ok.  I think a plugin downloading anything to be
     executed or interpreted should be entirely prohibited.

   +1. This practice should lead to a plugin being removed from the repositories.
   (Possibly we could do something on the code side too, e.g. by monkey patching over subprocess/etc and explicitly blocking execution of sip, with a developer-friendly exception stating this policy. It'd be easy for someone motivated to circumvent, but could at least be used to advise plugin developers that this is not acceptable practice...)

   We've tried to come up with a more transparent approach with support for requirements.txt (see https://github.com/opengisch/qpip). It is using pip but with a frontend which informs the user and lets him confirm an eventual installation.
   Is this approach generally acceptable?

   Well, I definitely trust yourself/OpenGIS significantly more than other random plugin developers 👍
   I would personally feel safest if this was something officially endorsed, with an explicit allow list of acceptable packages.
   Nyall

   Matthias

   Nyall

     _______________________________________________
     QGIS-Developer mailing list
     QGIS-Developer at lists.osgeo.org
     List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
     Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

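Nyall's suggestion above, monkey patching subprocess so that a plugin's attempt to run an installer fails with an exception that states the policy, written up as an added example; this is not code from the thread, from qgis2web or from QGIS. The set of blocked installers and the error text are constructed for the example; patching Popen alone covers run/call/check_call/check_output because they all construct Popen through the module global.

```python
import os
import subprocess

# Installers whose invocation from plugin code the policy rejects; the set is
# constructed for this example from the tools named in the thread.
BLOCKED_INSTALLERS = {"pip", "pip3", "apt-get", "apt", "brew", "sudo"}


class PluginInstallPolicyError(RuntimeError):
    """Raised instead of running a package installer from plugin code."""


def _basename(token):
    # "C:\Python\Scripts\pip3.exe" and "/usr/bin/pip3" both reduce to "pip3".
    name = os.fsdecode(token).replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def is_blocked_command(args):
    """True when argv (list) or a shell string invokes an installer, incl. `python -m pip`."""
    if isinstance(args, (str, bytes)):
        args = os.fsdecode(args).split()
    argv = [_basename(a) for a in args]
    if not argv:
        return False
    if argv[0] in BLOCKED_INSTALLERS:
        return True
    return argv[0].startswith("python") and argv[1:3] == ["-m", "pip"]


def install_guard():
    """Swap subprocess.Popen for a checking subclass; returns a restore callable."""
    original = subprocess.Popen

    class GuardedPopen(original):
        def __init__(self, args, *popenargs, **kwargs):
            if is_blocked_command(args):
                raise PluginInstallPolicyError(
                    "QGIS plugin policy: plugins must not install packages "
                    "themselves (blocked command: %r)" % (args,))
            super().__init__(args, *popenargs, **kwargs)
    subprocess.Popen = GuardedPopen
    return lambda: setattr(subprocess, "Popen", original)


def run_under_guard(args):
    """Run one command with the guard active: "blocked" if rejected, else the exit code."""
    restore = install_guard()
    try:
        return subprocess.call(args)
    except PluginInstallPolicyError:
        return "blocked"
    finally:
        restore()
```

As Nyall notes, a motivated author can bypass this (for example by importing os.system directly), so it serves as an advisory control for plugin developers, not as a sandbox.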