[QGIS-Developer] Unblock legacy db-manager plugin
Nyall Dawson
nyall.dawson at gmail.com
Wed Jun 24 22:08:03 PDT 2026
On Wed, 24 Jun 2026 at 18:42, Julien Moura (Oslandia) via
QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:
>
> Hi Nyall,
>
> Thank you for moving this issue forward to make QGIS more maintainable.
>
> However, unless I'm mistaken, I haven't received a response to my
> comment (https://github.com/qgis/QGIS-Enhancement-Proposals/pull/385#
> issue-comment-4657354328) on the QEP asking to follow a phased
> deprecation plan and to properly inform users and developers before it
> takes effect.
>
> I think this is really important, because as you yourself write here and
> there, QGIS is no longer a hobby project or one that can introduce
> breaking changes without considering end users.
>
> Can we please wait to establish a clear plan to communicate and make the
> removal progressive (and no merging
> https://github.com/qgis/QGIS/pull/66545 right now)?
I **strongly** feel that pre-4.x LTR is the right time for this
change. But in the interest of moving forward, how about this
approach:
For 4.2: the inbuilt db manager plugin becomes a shell plugin only,
which does one thing: it shows a message bar warning that the plugin
is no longer installed by default. There's action buttons in the
message bar item for "More Info" (shows an explanation message box),
"Ignore" (disables the message) and "Install Community Plugin" (which
opens the plugin manager, preloaded to search for the db manager
community plugin). The pre-installed inbuilt plugin is renamed to "DB
Manager (deprecated)" to differentiate it in the list. The community
plugin is renamed to "DB Manager (community)".
For 4.4: the shell plugin is removed.
Thoughts?
Nyall
>
> kind regards,
> Julien
>
> Le 24/06/2026 à 07:41, Nyall Dawson via QGIS-Developer a écrit :
> > On Wed, 24 Jun 2026 at 15:38, Lova Andriarimalala <lova at kartoza.com> wrote:
> >> Hi Nyall,
> >>
> >> I have unblocked the version from security flags and made it ready for review and approval. The "Security issue detected" badge is still shown but it won't block approval.
> >>
> >> Hopefully, we will deploy https://github.com/qgis/QGIS-Plugins-Website/pull/316 soon so plugins authors can properly skip specific checks. We are still waiting for some authors to confirm their email by the 10 July expiration date so we can communicate this properly.
> >> Until then, please let me know if a new version of this plugin is coming that needs to be unblocked from flagged security issues.
> > Thanks Lova, much appreciated!
> >
> > Nyall
> >
> >> Best regards,
> >>
> >> Lova Andriarimalala
> >> QGIS Full Stack Developer
> >>
> >> T : +27(0) 87 809 2702 E : lova at kartoza.com W : kartoza.com
> >>
> >>
> >>
> >> This email and any attachments are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you
> >> have received this email in error, please notify the sender immediately and delete it from your system. Unauthorised use, disclosure, or copying
> >> of the contents is prohibited.
> >>
> >>
> >> On Wed, 24 Jun 2026 at 01:40, Nyall Dawson via QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:
> >>> Hi list,
> >>>
> >>> In order to implement the demotion of db manager to a community plugin (See https://github.com/qgis/QGIS-Enhancement-Proposals/blob/master/qep-426-demote_dbmanager.md) I need to be able to push a current version of that plugin to the plugin repository.
> >>>
> >>> I've tried this at https://plugins.qgis.org/plugins/db_manager/, but the plugin is flagged with over 100 security issues due to extensive use of exec and SQL injection risks.
> >>>
> >>> Short story: I'm not going to fix these. (And it's a little ironic that we've got more stringent requirements on 3rd party plugins then a previously default-installed official plugin 😂😂😂😂)
> >>>
> >>> Can someone with appropriate rights allow-list this plugin to skip the security scan for now?
> >>>
> >>> Nyall
> >>>
> >>> _______________________________________________
> >>> QGIS-Developer mailing list
> >>> QGIS-Developer at lists.osgeo.org
> >>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> >>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> > _______________________________________________
> > QGIS-Developer mailing list
> > QGIS-Developer at lists.osgeo.org
> > List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> > Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> --
> Oslandia
> <https://oslandia.com/?utm_source=email&utm_campaign=signature_oslandia&utm_medium=email>
> - Livre blanc pour migrer/hybrider son SIG
> <https://oslandia.com/livre-blanc-migration-sig-opensource/?utm_source=email&utm_campaign=signature_oslandia&utm_medium=email>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
More information about the QGIS-Developer
mailing list