[QGIS-Developer] Security issues with plugins
Joona Laine
joona.p.laine at gmail.com
Sun May 24 22:47:55 PDT 2026
Hello Pedro,
qgis-plugin-dev-tools (https://github.com/nlsfi/qgis-plugin-dev-tools#setup)
solves the dependency issue by including the dependencies with the plugin
package.
It can easily handle most (non-binary) requirements by automatically
rewriting the imports of these vendored dependencies in the build process.
This way it is possible to have multiple plugins using different versions of
the same requirement without any conflicts.
It is also possible to include binary dependencies, but there is no
operating-system-specific logic built yet.
There is also a tool called qpip (https://github.com/opengisch/qpip) for
dependency management, which might be worth checking out.
Cheers,
Joona
Mon 25.5.2026 at 6.35 Pedro Camargo via QGIS-Developer (
qgis-developer at lists.osgeo.org) wrote:
> Hey Nyall,
>
> I hear you, but let me highlight two points of my original post.
>
> - The plugin asks the user whether they want to install the
> dependencies.
> - The dependencies are installed in the plugin folder and can
> therefore be removed without causing any lasting damage to the user's QGIS
> installation.
>
> Installing additional dependencies in QGIS remains a painful task for less
> technical users, adding another (somewhat unnecessary) hurdle to adoption.
>
> On that note, a fair question could be: Is there a recommended low-effort
> (for users) path to install extra dependencies for plugins?
>
> If not, is that something being considered for the near future?
>
>
> Cheers,
> Pedro
>
>
>
>
> From: Nyall Dawson <nyall.dawson at gmail.com>
> To: "Pedro Camargo"<c at margo.co>
> Cc: "Qgis Developer"<qgis-developer at lists.osgeo.org>
> Date: Mon, 25 May 2026 11:12:20 +1000
> Subject: Re: [QGIS-Developer] Security issues with plugins
>
>
>
> On Mon, 25 May 2026 at 08:27, Pedro Camargo via QGIS-Developer <
> qgis-developer at lists.osgeo.org> wrote:
> >
> > Hello fellow QGISrs,
> >
> >
> >
> > I maintain a couple of plugins that require a substantial number of
> extra Python packages (many of which have compiled/binary components).
> Hence, those plugins install all such requirements in a folder directly
> inside the plugin itself, keeping it quite clean when the user wants to
> remove said plugins.
> >
> >
> > I have been doing it this way for many years now, but this weekend I
> received security alerts that both plugins were taken down due to code that
> downloads extra dependencies (offending code at
> qaequilibrae/qaequilibrae/download_extra_packages_class.py at develop ·
> AequilibraE/qaequilibrae).
> >
> > Does anyone have any recommendations on how to proceed? What is
> currently the recommended way for plugins to install further dependencies?
>
> My personal 2c: a plugin should NEVER automatically install dependencies
> like this. Rather, you should detect missing dependencies, warn the user,
> and point them to a documentation page directing them how to install the
> missing libraries on different operating systems.
>
> I think it's EXTREMELY dangerous for a plugin to assume that it can mess
> with the user's operating system in this way, as it risks completely
> breaking their QGIS install or even their wider Python environment. I would
> like to see us explicitly blocking all plugins from the repository that do
> this in future. 👎
>
> Nyall
>
> >
> > Cheers,
> > Pedro
> >
> >
> >
> > _______________________________________________
> > QGIS-Developer mailing list
> > QGIS-Developer at lists.osgeo.org
> > List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> > Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>
>
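The detect, warn and point-to-docs pattern that Nyall recommends, as an added example that is not part of this thread nor of any of the projects named in it. It probes each requirement with `importlib.util.find_spec` (nothing is imported or executed just to check), compares installed versions against a minimum, and builds the message a plugin would show instead of installing anything itself. `INSTALL_DOCS_URL` and the requirement table are constructed placeholders; standard-library modules stand in for real dependencies so the check runs anywhere.

```python
"""Detect missing or outdated plugin dependencies and tell the user, never install."""
import importlib.metadata
import importlib.util
from dataclasses import dataclass, field

# Hypothetical documentation URL; a real plugin would point at its own install guide.
INSTALL_DOCS_URL = "https://example.invalid/my-plugin/install"


@dataclass
class DependencyReport:
    missing: list = field(default_factory=list)    # import names that cannot be found at all
    outdated: list = field(default_factory=list)   # (distribution, found version, required minimum)

    @property
    def ok(self) -> bool:
        return not self.missing and not self.outdated


def _version_tuple(version: str) -> tuple:
    """Turn '1.26.4' (or '1.26.4rc1') into a comparable tuple of its leading numeric parts."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def check_dependencies(requirements: dict) -> DependencyReport:
    """requirements maps import name -> (distribution name, minimum version or None).

    find_spec only locates the module; the plugin does not import untrusted code
    merely to find out whether it exists.
    """
    report = DependencyReport()
    for import_name, (dist_name, min_version) in requirements.items():
        if importlib.util.find_spec(import_name) is None:
            report.missing.append(import_name)
            continue
        if min_version is None:
            continue
        try:
            found = importlib.metadata.version(dist_name)
        except importlib.metadata.PackageNotFoundError:
            # Importable but not registered as a distribution (vendored copy, stdlib):
            # the version cannot be verified, so it is neither missing nor outdated.
            continue
        if _version_tuple(found) < _version_tuple(min_version):
            report.outdated.append((dist_name, found, min_version))
    return report


def format_user_message(report: DependencyReport, plugin_name: str) -> str:
    """Build the warning shown to the user; the plugin itself takes no corrective action."""
    if report.ok:
        return f"{plugin_name}: all dependencies are available."
    lines = [f"{plugin_name} cannot start because some Python packages are missing or too old:"]
    for name in report.missing:
        lines.append(f"  - {name}: not installed")
    for dist, found, minimum in report.outdated:
        lines.append(f"  - {dist}: found {found}, needs >= {minimum}")
    lines.append(f"Installation instructions for your operating system: {INSTALL_DOCS_URL}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed requirement table: 'json' is always present, the second name never is.
    demo = {
        "json": ("json-placeholder-dist", None),
        "definitely_not_installed_pkg": ("definitely-not-installed-pkg", "1.0"),
    }
    print(format_user_message(check_dependencies(demo), "DemoPlugin"))
```

Inside QGIS the string from `format_user_message` would go to the plugin's message bar or a dialog rather than stdout, and the plugin would disable its features until the user has followed the documentation; the point is that the decision and the installation stay with the user.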