[QGIS-Developer] Unblock legacy db-manager plugin

Julien Moura (Oslandia) julien.moura at oslandia.com
Thu Jun 25 06:44:11 PDT 2026


Hello,

First of all, thank you for continuing the discussion; I was afraid it 
would end with a merge without any further discussion. Really 
appreciated. As a reminder, even though the scope of the DB Manager is 
far from being fully realized on the core side, I agree with removing 
this plugin to lighten the maintenance load. Similarly, I can't wait for 
the "petite sœur" (in French in the text) to also demote MetaSearch or, 
at least, disable it by default.

From my perspective, any change that introduces a breaking change, 
especially a regression, should at the very least be introduced first in 
a previous version along with an explanatory message. On a similar topic 
in the same QGIS ecosystem, a release workflow taking into account 
communication as a necessary step is being adopted on the official 
plugins repository thanks to Tim and Lova's work: 
https://github.com/qgis/QGIS-Plugins-Website/pull/316#issuecomment-4788789714

I **strongly** believe that there is no emergency other than taking the 
time to inform, identify potential maintainers and continue to guide the 
community toward a smooth transition to QGIS 4.

I'm OK with the middle-ground solution proposed by Even in the PR: 
https://github.com/qgis/QGIS/pull/66545#issuecomment-4788076295. I can 
take the action to write the news and the blog post if it can help. 
Previously, I tried to broadcast the QEP outside the "insiders 
channels": 
https://discourse.osgeo.org/t/future-of-db-manager/149507/5?u=geojulien.

Furthermore, publishing the plugin on the official extensions repository 
with the same “id” will trigger update prompts for QGIS versions that 
are compatible with those listed in the metadata.txt file of the newly 
published plugin. I’m not sure what the unintended consequences might be.

Regards,
Julien

On 25/06/2026 at 07:08, Nyall Dawson wrote:
> On Wed, 24 Jun 2026 at 18:42, Julien Moura (Oslandia) via
> QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:
>> Hi Nyall,
>>
>> Thank you for moving this issue forward to make QGIS more maintainable.
>>
>> However, unless I'm mistaken, I haven't received a response to my
>> comment (https://github.com/qgis/QGIS-Enhancement-Proposals/pull/385#
>> issue-comment-4657354328) on the QEP asking to follow a phased
>> deprecation plan and to properly inform users and developers before it
>> takes effect.
>>
>> I think this is really important, because as you yourself write here and
>> there, QGIS is no longer a hobby project or one that can introduce
>> breaking changes without considering end users.
>>
>> Can we please wait to establish a clear plan to communicate and make the
>> removal progressive (and not merge
>> https://github.com/qgis/QGIS/pull/66545 right now)?
> I **strongly** feel that pre-4.x LTR is the right time for this
> change. But in the interest of moving forward, how about this
> approach:
>
> For 4.2: the inbuilt db manager plugin becomes a shell plugin only,
> which does one thing: it shows a message bar warning that the plugin
> is no longer installed by default. There are action buttons in the
> message bar item for "More Info" (shows an explanation message box),
> "Ignore" (disables the message) and "Install Community Plugin" (which
> opens the plugin manager, preloaded to search for the db manager
> community plugin). The pre-installed inbuilt plugin is renamed to "DB
> Manager (deprecated)" to differentiate it in the list. The community
> plugin is renamed to "DB Manager (community)".
>
> For 4.4: the shell plugin is removed.
>
> Thoughts?
>
> Nyall
>
>
>
>
>> kind regards,
>> Julien
>>
>> On 24/06/2026 at 07:41, Nyall Dawson via QGIS-Developer wrote:
>>> On Wed, 24 Jun 2026 at 15:38, Lova Andriarimalala <lova at kartoza.com> wrote:
>>>> Hi Nyall,
>>>>
>>>> I have unblocked the version from security flags and made it ready for review and approval. The "Security issue detected" badge is still shown but it won't block approval.
>>>>
>>>> Hopefully, we will deploy https://github.com/qgis/QGIS-Plugins-Website/pull/316 soon so plugin authors can properly skip specific checks. We are still waiting for some authors to confirm their email by the 10 July expiration date so we can communicate this properly.
>>>> Until then, please let me know if a new version of this plugin is coming that needs to be unblocked from flagged security issues.
>>> Thanks Lova, much appreciated!
>>>
>>> Nyall
>>>
>>>> Best regards,
>>>>
>>>> Lova Andriarimalala
>>>> QGIS Full Stack Developer
>>>>
>>>>
>>>> On Wed, 24 Jun 2026 at 01:40, Nyall Dawson via QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:
>>>>> Hi list,
>>>>>
>>>>> In order to implement the demotion of db manager to a community plugin (See https://github.com/qgis/QGIS-Enhancement-Proposals/blob/master/qep-426-demote_dbmanager.md) I need to be able to push a current version of that plugin to the plugin repository.
>>>>>
>>>>> I've tried this at https://plugins.qgis.org/plugins/db_manager/, but the plugin is flagged with over 100 security issues due to extensive use of exec and SQL injection risks.
>>>>>
>>>>> Short story: I'm not going to fix these. (And it's a little ironic that we've got more stringent requirements on 3rd party plugins than a previously default-installed official plugin 😂😂😂😂)
>>>>>
>>>>> Can someone with appropriate rights allow-list this plugin to skip the security scan for now?
>>>>>
>>>>> Nyall
>>>>>
>>>>> _______________________________________________
>>>>> QGIS-Developer mailing list
>>>>> QGIS-Developer at lists.osgeo.org
>>>>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>>>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer