[QGIS-Developer] Security issues with plugins
Greg Troxel
gdt at lexort.com
Sun May 24 16:36:12 PDT 2026
Pedro Camargo via QGIS-Developer <qgis-developer at lists.osgeo.org> writes:
> I maintain a couple of plugins that require a substantial number of
> extra Python packages (many of which have compiled/binary
> components). Hence, those plugins install all such requirements in a
> folder directly inside the plugin itself, keeping it quite clean when
> the user wants to remove said plugins.
>
> I have been doing it this way for many years now, but this weekend I
> received security alerts that both plugins were taken down due to code
> that downloads extra dependencies (offending code at
> https://github.com/AequilibraE/qaequilibrae/blob/develop/qaequilibrae/download_extra_packages_class.py
> ).
>
> Does anyone have any recommendations on how to proceed? What is
> currently the recommended way for plugins to install further
> dependencies?
I'm not really sure about plugins, but as a general comment about
packaging, it's a bug for the build of any program to download anything.
The preferred approach is to have packages for things that are needed
and express a dependency within the packaging system. For example, qgis
depends on qt5 or qt6.
Plugins have a main conceptual path where they are just python code, and
only depend on qgis and things that are required by any qgis
installation. That's fine when it works.
I don't see how to address this without turning the qgis plugin system
into yet another full-blown packaging system.
The only safe and sound approach I see is to ask the user to install --
with OS packages -- the external python/C modules that your plugin
needs. But obviously that's not a good experience.
You can mitigate some of the risk by downloading only specific versions
identified by version number and hash, and checking the hash before
unpacking.
I wonder how many operating systems and CPUs your plugins work on.
Besides GNU/Linux, macOS, and Windows, qgis runs on various BSDs and
surely a few other systems, and likely a pretty large variety of cpu
types. This is an area where download/build can be problematic if what
is downloaded is not adequately portable.
I realize this is generalities and handwavy and it will be interesting
to see what others say.
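One way to implement the mitigation described above (download a specific version, record its hash, and check the hash before unpacking), as an added Python example that is not part of this thread or of the plugin in question. The archive, the pinned version and the digest are constructed inline so it runs offline; a real plugin would fetch the pinned artifact by URL and ship the digest with its release. It also refuses archive members whose resolved path would escape the target folder, which goes a step beyond the text.

```python
import hashlib, hmac, io
import os, tempfile, zipfile

# Constructed sample "dependency" archive, built in memory so the example
# runs offline; a real plugin would download a pinned wheel or zip instead.
def build_sample_archive(tampered: bool = False) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extra_pkg/__init__.py", "VERSION = '1.2.3'\n")
        if tampered:
            zf.writestr("extra_pkg/injected.py", "# not in the pinned release\n")
    return buf.getvalue()

# Hypothetical pin recorded at plugin release time: exact version plus the
# sha256 of that exact artifact (computed here from the constructed sample).
PINNED_VERSION = "1.2.3"
GOOD_ARCHIVE = build_sample_archive()
PINNED_SHA256 = hashlib.sha256(GOOD_ARCHIVE).hexdigest()

def verify_archive(data: bytes, expected_sha256: str) -> bool:
    """True only if the downloaded bytes hash to the pinned digest."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256)

def safe_extract(data: bytes, dest_dir: str, expected_sha256: str) -> list:
    """Check the hash before opening the archive, then extract, refusing
    any member whose resolved path would land outside dest_dir."""
    if not verify_archive(data, expected_sha256):
        raise ValueError("hash mismatch: refusing to unpack dependency")
    root = os.path.realpath(dest_dir)
    names = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            target = os.path.realpath(os.path.join(root, member.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"unsafe path in archive: {member.filename}")
            zf.extract(member, root)
            names.append(member.filename)
    return names

def run_demo() -> dict:
    """The pinned archive unpacks; a modified one is rejected before extraction."""
    with tempfile.TemporaryDirectory() as tmp:
        good = safe_extract(GOOD_ARCHIVE, tmp, PINNED_SHA256)
        try:
            safe_extract(build_sample_archive(tampered=True), tmp, PINNED_SHA256)
            rejected = False
        except ValueError:
            rejected = True
    return {"extracted": good, "tampered_rejected": rejected}
```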