[QGIS-Developer] How to deal with QGIS plugins which install additional packages
Info O.GIS
info at opengis.it
Wed Oct 23 01:47:40 PDT 2024
I also did a similar thing in qgis2web plugin.
I explained to the user that he can install qtwebengine to get the latest features and to do so he will have to click on a button that indicates that an installation will start.
Here is the screen:
image.png
Could it be okay?
The code:
try:
if system == 'Windows':
pip_exec = os.path.join(sysconfig.get_path("scripts"), "pip3")
env = os.environ.copy()
if full_proxy_url:
env['http_proxy'] = full_proxy_url
env['https_proxy'] = full_proxy_url
subprocess.check_call([pip_exec, "install", "--upgrade", "PyQtWebEngine==5.15.6"], env=env)
elif system == 'Linux':
subprocess.check_call(["sudo", "apt-get", "install", "python3-pyqt5.qtwebengine"])
elif system == 'Darwin': # macOS
subprocess.check_call(["brew", "install", "pyqt5"])
Andrea Ordonselli
O.GIS - opengis.it
Da "QGIS-Developer" qgis-developer-bounces at lists.osgeo.org
A "Matthias Kuhn" matthias at opengis.ch
Cc "Thomas B via QGIS-Developer" qgis-developer at lists.osgeo.org
Data Wed, 23 Oct 2024 16:16:43 +1000
Oggetto Re: [QGIS-Developer] How to deal with QGIS plugins which install additional packages
On Wed, 23 Oct 2024, 4:07 pm Matthias Kuhn, <matthias at opengis.ch> wrote:
On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:
On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <qgis-developer at lists.osgeo.org> wrote:
Thomas B via QGIS-Developer <qgis-developer at lists.osgeo.org> writes:
> Dear QGIS-Developers,
>
> Are there any guidelines from the QGIS project regarding whether a QGIS
> plugin is allowed to autonomously install required packages using PIP or
> similar tools without manual installation by the user?
>
> While this might seem convenient, I see it as a potential security risk,
> especially if the user is not explicitly informed about what is happening
> in the background.
Agreed this is not ok. I think a plugin downloading anything to be
executed or interpreted should be entirely prohibited.
+1 . This practice should lead to a plugin being removed from the repositories.
(Possibly we could do something on the code side too, eg by monkey patching over subprocess/etc and explicitly blocking execution of sip, with a developer-friendly exception stating this policy. It'd be easy for someone motivated to circumvent, but could at least be used to advise plugin developers that this is not acceptable practice...)
We've tried to come up with a more transparent approach with support for requirements.txt (see https://github.com/opengisch/qpip). It is using pip but with a frontend which informs the user and lets him confirm an eventual installation.
Is this approach generally acceptable?
Well, I definitely trust yourself/OpenGIS significantly more then other random plugin developers 👍
I would personally feel safest if this was something officially endorsed, with an explicit allow list of acceptable packages.
Nyall
Matthias
Nyall
_______________________________________________
QGIS-Developer mailing list
QGIS-Developer at lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
_______________________________________________
QGIS-Developer mailing list
QGIS-Developer at lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20241023/2f649b29/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 00000ZD6.png
Type: image/png
Size: 12242 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20241023/2f649b29/attachment-0001.png>
More information about the QGIS-Developer
mailing list