[QGIS-Developer] Security issues with plugins
Nyall Dawson
nyall.dawson at gmail.com
Sun May 24 18:12:20 PDT 2026
On Mon, 25 May 2026 at 08:27, Pedro Camargo via QGIS-Developer <
qgis-developer at lists.osgeo.org> wrote:
>
> Hello fellow QGISrs,
>
>
>
> I maintain a couple of plugins that require a substantial number of extra
Python packages (many of which have compiled/binary components). Hence,
those plugins install all such requirements in a folder directly inside the
plugin itself, keeping it quite clean when the user wants to remove said
plugins.
>
>
> I have been doing it this way for many years now, but this weekend I
received security alerts that both plugins were taken down due to code that
downloads extra dependencies (offending code at
qaequilibrae/qaequilibrae/download_extra_packages_class.py at develop ·
AequilibraE/qaequilibrae).
>
> Does anyone have any recommendations on how to proceed? What is
currently the recommended way for plugins to install further dependencies?
My personal 2c: a plugin should NEVER automatically install dependencies
like this. Rather, you should detect missing dependencies, warn the user,
and point them to a documentation page directing them how to install the
missing libraries on different operating systems.
I think it's EXTREMELY dangerous for a plugin to assume that it can mess
with the user's operating system in this way, as it risks completely
breaking their QGIS install or even their wider Python environment. I would
like to see us explicitly blocking all plugins from the repository that do
this in future. 👎
Nyall
>
> Cheers,
> Pedro
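The detect-and-warn pattern recommended above, as an added example that is not code from the thread or from the qaequilibrae plugin: it probes each required module without installing anything, flags modules that are absent or older than a stated minimum, and builds a message pointing the user at an install page. The `Requirement` type, the `DOCS_URL` placeholder and the sample requirement list are assumptions made for this example.

```python
"""Report missing plugin dependencies instead of installing them (example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import importlib.metadata
import importlib.util

# Placeholder for the plugin's real installation docs (assumption).
DOCS_URL = "https://example.invalid/my-plugin/install-dependencies"


@dataclass(frozen=True)
class Requirement:
    module: str                        # import name, e.g. "numpy"
    distribution: str                  # distribution name used by pip metadata
    min_version: Optional[str] = None  # "X.Y.Z" or None for any version


def _version_tuple(version: str) -> Tuple[int, ...]:
    """Compare only the numeric dotted parts; good enough for a warning."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def check_requirements(reqs: List[Requirement]):
    """Return (missing, outdated). Never touches the Python environment."""
    missing, outdated = [], []
    for req in reqs:
        try:
            spec = importlib.util.find_spec(req.module)
        except (ModuleNotFoundError, ValueError):
            spec = None  # parent package absent or bad name
        if spec is None:
            missing.append(req)
            continue
        if req.min_version:
            try:
                have = importlib.metadata.version(req.distribution)
            except importlib.metadata.PackageNotFoundError:
                continue  # importable but no pip metadata: do not guess
            if _version_tuple(have) < _version_tuple(req.min_version):
                outdated.append((req, have))
    return missing, outdated


def guidance_message(missing, outdated, docs_url: str = DOCS_URL) -> str:
    """Text for a QGIS message bar; empty string means nothing to report."""
    if not missing and not outdated:
        return ""
    lines = [f"Missing: {r.distribution}" for r in missing]
    lines += [f"Outdated: {r.distribution} {v} < {r.min_version}" for r, v in outdated]
    lines.append(f"Install instructions for your operating system: {docs_url}")
    return "\n".join(lines)
```

In a plugin, call `check_requirements` from `initGui()` and surface the result with the message bar; the user then follows the documented steps for their platform.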