[QGIS-Developer] Security issues with plugins
Pedro Camargo
c at margo.co
Sun May 24 20:35:35 PDT 2026
Hey Nyall,
I hear you, but let me highlight two points of my original post.
The plugin asks the user whether they want to install the dependencies.
The dependencies are installed in the plugin folder and can therefore be removed without causing any lasting damage to the user's QGIS installation.
Installing additional dependencies in QGIS remains a painful task for less technical users, adding another (somewhat unnecessary) hurdle to adoption.
On that note, a fair question could be: Is there a recommended low-effort (for users) path to install extra dependencies for plugins?
If not, is that something being considered for the near future?
Cheers,
Pedro
From: Nyall Dawson <nyall.dawson at gmail.com>
To: "Pedro Camargo"<c at margo.co>
Cc: "Qgis Developer"<qgis-developer at lists.osgeo.org>
Date: Mon, 25 May 2026 11:12:20 +1000
Subject: Re: [QGIS-Developer] Security issues with plugins
On Mon, 25 May 2026 at 08:27, Pedro Camargo via QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:
>
> Hello fellow QGISrs,
>
> I maintain a couple of plugins that require a substantial number of extra Python packages (many of which have compiled/binary components). Hence, those plugins install all such requirements in a folder directly inside the plugin itself, keeping it quite clean when the user wants to remove said plugins.
>
> I have been doing it this way for many years now, but this weekend I received security alerts that both plugins were taken down due to code that downloads extra dependencies (offending code at qaequilibrae/qaequilibrae/download_extra_packages_class.py at develop · AequilibraE/qaequilibrae).
>
> Does anyone have any recommendations on how to proceed? What is currently the recommended way for plugins to install further dependencies?
My personal 2c: a plugin should NEVER automatically install dependencies like this. Rather, you should detect missing dependencies, warn the user, and point them to a documentation page directing them how to install the missing libraries on different operating systems.
I think it's EXTREMELY dangerous for a plugin to assume that it can mess with the user's operating system in this way, as it risks completely breaking their QGIS install or even their wider python environment. I would like to see us explicitly blocking all plugins from the repository that do this in future. 👎
Nyall
>
> Cheers,
> Pedro
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer