[QGIS-Developer] How to deal with QGIS plugins which install additional packages

Joona Laine joona.p.laine at gmail.com
Wed Oct 23 02:58:19 PDT 2024


One alternative way of managing the dependencies is to package the
non-binary runtime dependencies (including licenses) with the plugin. This
also tackles the problem with different versions of the same requirements
between multiple plugins. There is a tool for that
https://github.com/nlsfi/qgis-plugin-dev-tools which also has many more
useful features for developing QGIS plugins.

One example of plugins using this tool is pickLayer (
https://plugins.qgis.org/plugins/pickLayer/) which bundles
https://github.com/GispoCoding/qgis_plugin_tools with it.

What do you think about this approach?

Regards,

Joona

On Wed, 23 Oct 2024 at 12:01, Info O.GIS via QGIS-Developer <
qgis-developer at lists.osgeo.org> wrote:

> I also did a similar thing in qgis2web plugin.
> I explained to the user that he can install qtwebengine to get the latest
> features and to do so he will have to click on a button that indicates that
> an installation will start.
> Here is the screen:
>
>
> Could it be okay?
>
> The code:
>
> try:
>     if system == 'Windows':
>         pip_exec = os.path.join(sysconfig.get_path("scripts"), "pip3")
>         env = os.environ.copy()
>         if full_proxy_url:
>             env['http_proxy'] = full_proxy_url
>             env['https_proxy'] = full_proxy_url
>         subprocess.check_call([pip_exec, "install", "--upgrade", "PyQtWebEngine==5.15.6"], env=env)
>     elif system == 'Linux':
>         subprocess.check_call(["sudo", "apt-get", "install", "python3-pyqt5.qtwebengine"])
>     elif system == 'Darwin':  # macOS
>         subprocess.check_call(["brew", "install", "pyqt5"])
>
>
> Andrea Ordonselli
> O.GIS - opengis.it <http://opengis.it>
>
>
> From "QGIS-Developer" qgis-developer-bounces at lists.osgeo.org
> To "Matthias Kuhn" matthias at opengis.ch
> Cc "Thomas B via QGIS-Developer" qgis-developer at lists.osgeo.org
> Date Wed, 23 Oct 2024 16:16:43 +1000
> Subject Re: [QGIS-Developer] How to deal with QGIS plugins which install
> additional packages
>
>
>
> On Wed, 23 Oct 2024, 4:07 pm Matthias Kuhn, <matthias at opengis.ch> wrote:
>
>> On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer <
>> qgis-developer at lists.osgeo.org> wrote:
>>
>>>
>>>
>>> On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <
>>> qgis-developer at lists.osgeo.org> wrote:
>>>
>>>> Thomas B via QGIS-Developer <qgis-developer at lists.osgeo.org> writes:
>>>>
>>>> > Dear QGIS-Developers,
>>>> >
>>>> > Are there any guidelines from the QGIS project regarding whether a QGIS
>>>> > plugin is allowed to autonomously install required packages using PIP or
>>>> > similar tools without manual installation by the user?
>>>> >
>>>> > While this might seem convenient, I see it as a potential security risk,
>>>> > especially if the user is not explicitly informed about what is happening
>>>> > in the background.
>>>>
>>>> Agreed this is not ok.  I think a plugin downloading anything to be
>>>> executed or interpreted should be entirely prohibited.
>>>>
>>>
>>> +1 . This practice should lead to a plugin being removed from the
>>> repositories.
>>>
>>> (Possibly we could do something on the code side too, eg by monkey
>>> patching over subprocess/etc and explicitly blocking execution of pip, with
>>> a developer-friendly exception stating this policy. It'd be easy for
>>> someone motivated to circumvent, but could at least be used to advise
>>> plugin developers that this is not acceptable practice...)
>>>
>>
>> We've tried to come up with a more transparent approach with support for
>> requirements.txt (see https://github.com/opengisch/qpip). It is using
>> pip but with a frontend which informs the user and lets him confirm an
>> eventual installation.
>> Is this approach generally acceptable?
>>
>
> Well, I definitely trust yourself/OpenGIS significantly more than other
> random plugin developers 👍
>
> I would personally feel safest if this was something officially endorsed,
> with an explicit allow list of acceptable packages.
>
>
>
> Nyall
>
>
>
>> Matthias
>>
>>
>>>
>>> Nyall
>>>
>>> _______________________________________________
>>>> QGIS-Developer mailing list
>>>> QGIS-Developer at lists.osgeo.org
>>>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>>>
>
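As an added illustration of the guard Nyall sketches in the quoted reply (this is not QGIS code; POLICY_URL and every name here are hypothetical), a monkey patch on subprocess.Popen that refuses installer commands with a policy exception. It covers the pip, sudo apt-get and brew calls from the quoted snippet and the `python -m pip` form as well:

```python
import re
import shlex
import subprocess

POLICY_URL = "https://example.invalid/qgis-plugin-policy"  # placeholder, hypothetical
BLOCKED_TOOLS = {"apt-get", "apt", "brew", "conda"}       # system/package managers
_PIP_RE = re.compile(r"^pip(3(\.\d+)?)?(\.exe)?$", re.IGNORECASE)


class PluginInstallPolicyError(RuntimeError):
    """Raised instead of launching a package installer from plugin code."""


def _argv(cmd):
    """Normalise Popen's first argument (shell string or sequence) to tokens."""
    return shlex.split(cmd) if isinstance(cmd, str) else [str(c) for c in cmd]


def is_blocked(cmd) -> bool:
    """True if running `cmd` would invoke a package installer."""
    argv = _argv(cmd)
    while argv and argv[0] == "sudo":  # see through privilege wrappers
        argv = argv[1:]
    # Last path component, accepting both / and \ so Windows paths work anywhere
    tool = re.split(r"[\\/]", argv[0])[-1].lower() if argv else ""
    if _PIP_RE.match(tool) or tool in BLOCKED_TOOLS:
        return True
    # `python -m pip ...` / `python -m ensurepip` reach pip without a pip binary
    return any(a == "-m" and b in ("pip", "ensurepip") for a, b in zip(argv, argv[1:]))


_original_popen = subprocess.Popen


def _guarded_popen(args, *rest, **kwargs):
    if is_blocked(args):
        raise PluginInstallPolicyError(
            "Plugins must not install packages at runtime; bundle or declare "
            f"dependencies instead (policy: {POLICY_URL}). Blocked: {_argv(args)!r}")
    return _original_popen(args, *rest, **kwargs)


def install_guard():
    """run/call/check_call all build on subprocess.Popen, so one patch covers them."""
    subprocess.Popen = _guarded_popen


def demo() -> str:
    """Install the guard and replay the Windows pip call quoted in the thread."""
    install_guard()
    try:
        subprocess.check_call(["pip3", "install", "--upgrade", "PyQtWebEngine==5.15.6"])
    except PluginInstallPolicyError as exc:
        return str(exc)
    return ""  # not reached: the guard refuses before anything is launched
```

As Nyall notes, a motivated author can still bypass this (e.g. via os.system or a fresh import of the original class), so it advises rather than enforces; the repository review remains the real control.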