[QGIS-Developer] Security issues with plugins
Even Rouault
even.rouault at spatialys.com
Sun May 24 17:32:36 PDT 2026
On 25/05/2026 at 01:36, Greg Troxel via QGIS-Developer wrote:
> Pedro Camargo via QGIS-Developer <qgis-developer at lists.osgeo.org>
> writes:
>
>> I maintain a couple of plugins that require a substantial number of
>> extra Python packages (many of which have compiled/binary
>> components). Hence, those plugins install all such requirements in a
>> folder directly inside the plugin itself, keeping it quite clean when
>> the user wants to remove said plugins.
>>
>> I have been doing it this way for many years now, but this weekend I
>> received security alerts that both plugins were taken down due to code
>> that downloads extra dependencies (offending code at
>> https://github.com/AequilibraE/qaequilibrae/blob/develop/qaequilibrae/download_extra_packages_class.py
>> ).
>>
>> Does anyone have any recommendations on how to proceed? What is
>> currently the recommended way for plugins to install further
>> dependencies?
> I'm not really sure about plugins,
Will not immediately help Pedro, but there have been past discussions
related to plugin dependency management:
- https://github.com/qgis/QGIS-Enhancement-Proposals/issues/202
- https://github.com/qgis/QGIS-Enhancement-Proposals/issues/179
--
Very grumpy about LLMs: FOSS is about increasing public capital,
not becoming enslaved to private equity of giga corporations
--
http://www.spatialys.com
My software is free, but my time generally not.