[QGIS-Developer] How to deal with QGIS plugins which install additional packages

John Stevenson - BGS jostev at bgs.ac.uk
Wed Oct 23 04:31:42 PDT 2024 

Hi,

Mergin Maps plugin also packages the dependencies (including the geodiff binary) into the plugin itself.  I’m not sure how it handles cross-platform differences, though.

Plugin:

https://plugins.qgis.org/plugins/Mergin/#plugin-details

GitHub Actions code:

https://github.com/MerginMaps/qgis-plugin/blob/ef0b2502ddb4bcbc1670b0d82832e93b658c18b2/.github/workflows/packages.yml#L116

Cheers,
John

From: QGIS-Developer <qgis-developer-bounces at lists.osgeo.org> On Behalf Of Joona Laine via QGIS-Developer
Sent: 23 October 2024 10:58
To: info at opengis.it
Cc: qgis-developer <qgis-developer at lists.osgeo.org>
Subject: Re: [QGIS-Developer] How to deal with QGIS plugins which install additional packages


One alternative way of managing the dependencies is to package the non-binary runtime dependencies (including licenses) with the plugin. This also tackles the problem with different versions of the same requirements between multiple plugins. There is a tool for that https://github.com/nlsfi/qgis-plugin-dev-tools which also has many more useful features for developing QGIS plugins.


One example of plugins using this tool is pickLayer (https://plugins.qgis.org/plugins/pickLayer/) which bundles https://github.com/GispoCoding/qgis_plugin_tools with it.


What do you think about this approach?


Regards,

Joona

ke 23. lokak. 2024 klo 12.01 Info O.GIS via QGIS-Developer <qgis-developer at lists.osgeo.org<mailto:qgis-developer at lists.osgeo.org>> kirjoitti:
I also did a similar thing in qgis2web plugin.
I explained to the user that he can install qtwebengine to get the latest features and to do so he will have to click on a button that indicates that an installation will start.
Here is the screen:

[cid:1290437387]

Could it be okay?

The code:

try:
        if system == 'Windows':
            pip_exec = os.path.join(sysconfig.get_path("scripts"), "pip3")
            env = os.environ.copy()
            if full_proxy_url:
                env['http_proxy'] = full_proxy_url
                env['https_proxy'] = full_proxy_url
            subprocess.check_call([pip_exec, "install", "--upgrade", "PyQtWebEngine==5.15.6"], env=env)
        elif system == 'Linux':
            subprocess.check_call(["sudo", "apt-get", "install", "python3-pyqt5.qtwebengine"])
        elif system == 'Darwin':  # macOS
            subprocess.check_call(["brew", "install", "pyqt5"])


Andrea Ordonselli
O.GIS - opengis.it<http://opengis.it>

Da "QGIS-Developer" qgis-developer-bounces at lists.osgeo.org<mailto:qgis-developer-bounces at lists.osgeo.org>
A "Matthias Kuhn" matthias at opengis.ch<mailto:matthias at opengis.ch>
Cc "Thomas B via QGIS-Developer" qgis-developer at lists.osgeo.org<mailto:qgis-developer at lists.osgeo.org>
Data Wed, 23 Oct 2024 16:16:43 +1000
Oggetto Re: [QGIS-Developer] How to deal with QGIS plugins which install additional packages


On Wed, 23 Oct 2024, 4:07 pm Matthias Kuhn, <matthias at opengis.ch<mailto:matthias at opengis.ch>> wrote:
On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer <qgis-developer at lists.osgeo.org<mailto:qgis-developer at lists.osgeo.org>> wrote:

On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <qgis-developer at lists.osgeo.org<mailto:qgis-developer at lists.osgeo.org>> wrote:
Thomas B via QGIS-Developer <qgis-developer at lists.osgeo.org<mailto:qgis-developer at lists.osgeo.org>> writes:

> Dear QGIS-Developers,
>
> Are there any guidelines from the QGIS project regarding whether a QGIS
> plugin is allowed to autonomously install required packages using PIP or
> similar tools without manual installation by the user?
>
> While this might seem convenient, I see it as a potential security risk,
> especially if the user is not explicitly informed about what is happening
> in the background.

Agreed this is not ok.  I think a plugin downloading anything to be
executed or interpreted should be entirely prohibited.

+1 . This practice should lead to a plugin being removed from the repositories.

(Possibly we could do something on the code side too, eg by monkey patching over subprocess/etc and explicitly blocking execution of sip, with a developer-friendly exception stating this policy. It'd be easy for someone motivated to circumvent, but could at least be used to advise plugin developers that this is not acceptable practice...)

We've tried to come up with a more transparent approach with support for requirements.txt (see https://github.com/opengisch/qpip). It is using pip but with a frontend which informs the user and lets him confirm an eventual installation.
Is this approach generally acceptable?

Well, I definitely trust yourself/OpenGIS significantly more then other random plugin developers 👍

I would personally feel safest if this was something officially endorsed, with an explicit allow list of acceptable packages.



Nyall



Matthias


Nyall

_______________________________________________
QGIS-Developer mailing list
QGIS-Developer at lists.osgeo.org<mailto:QGIS-Developer at lists.osgeo.org>
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
_______________________________________________
QGIS-Developer mailing list
QGIS-Developer at lists.osgeo.org<mailto:QGIS-Developer at lists.osgeo.org>
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
_______________________________________________
QGIS-Developer mailing list
QGIS-Developer at lists.osgeo.org<mailto:QGIS-Developer at lists.osgeo.org>
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer


This email and any attachments are intended solely for the use of the named recipients. If you are not the intended recipient you must not use, disclose, copy or distribute this email or any of its attachments and should notify the sender immediately and delete this email from your system. UK Research and Innovation (UKRI) has taken every reasonable precaution to minimise risk of this email or any attachments containing viruses or malware but the recipient should carry out its own virus and malware checks before opening the attachments. UKRI does not accept any liability for any losses or damages which the recipient may sustain due to presence of any viruses.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20241023/4dfbd264/attachment-0001.htm>

More information about the QGIS-Developer mailing list