[QGIS-Developer] Security issues with plugins
David Marteau
dmarteau at 3liz.com
Mon May 25 00:42:55 PDT 2026
Imho, qpip (https://github.com/opengisch/qpip) is an elegant way of
handling plugin dependencies. You can manage isolation by using QGIS
profiles.
David
On 25/05/2026 at 07:47, Joona Laine via QGIS-Developer wrote:
> Hello Pedro,
>
> qgis-plugin-dev-tools
> (https://github.com/nlsfi/qgis-plugin-dev-tools#setup) solves the
> dependency issue by including the dependencies with the plugin package.
>
> It can easily handle most (non-binary) requirements by
> automatically rewriting the imports of these vendored dependencies in
> the build process.
> This way it is possible to have multiple plugins using different
> versions of the same requirement without any conflicts.
> It is also possible to include binary dependencies, but there is no
> operating-system-specific logic built yet at the moment.
>
> There is also a tool called qpip (https://github.com/opengisch/qpip)
> for dependency management, which might be worth checking out.
>
> Cheers,
> Joona
>
>
>
> Mon 25.5.2026 at 6.35 Pedro Camargo via QGIS-Developer
> (qgis-developer at lists.osgeo.org) wrote:
>
> Hey Nyall,
>
> I hear you, but let me highlight two points of my original post.
>
> * The plugin asks the user whether they want to install
> the dependencies.
> * The dependencies are installed in the plugin folder and
> can therefore be removed without causing any lasting damage to
> the user's QGIS installation.
>
> Installing additional dependencies in QGIS remains a painful task
> for less technical users, adding another (somewhat unnecessary)
> hurdle to adoption.
>
> On that note, a fair question could be: Is there a recommended
> low-effort (for users) path to install extra dependencies for
> plugins?
>
> If not, is that something being considered for the near future?
>
>
> Cheers,
> Pedro
>
>
>
>
> From: Nyall Dawson <nyall.dawson at gmail.com>
> To: "Pedro Camargo"<c at margo.co>
> Cc: "Qgis Developer"<qgis-developer at lists.osgeo.org>
> Date: Mon, 25 May 2026 11:12:20 +1000
> Subject: Re: [QGIS-Developer] Security issues with plugins
>
>
>
> On Mon, 25 May 2026 at 08:27, Pedro Camargo via QGIS-Developer
> <qgis-developer at lists.osgeo.org> wrote:
> >
> > Hello fellow QGISrs,
> >
> >
> >
> > I maintain a couple of plugins that require a substantial
> number of extra Python packages (many of which have
> compiled/binary components). Hence, those plugins install all
> such requirements in a folder directly inside the plugin
> itself, keeping it quite clean when the user wants to remove
> said plugins.
> >
> >
> > I have been doing it this way for many years now, but this
> weekend I received security alerts that both plugins were
> taken down due to code that downloads extra dependencies
> (offending code at
> qaequilibrae/qaequilibrae/download_extra_packages_class.py at
> develop · AequilibraE/qaequilibrae).
> >
> > Does anyone have any recommendations on how to proceed?
> What is currently the recommended way for plugins to install
> further dependencies?
>
> My personal 2c: a plugin should NEVER automatically install
> dependencies like this. Rather, you should detect missing
> dependencies, warn the user, and point them to a documentation
> page directing them how to install the missing libraries on
> different operating systems.
>
> I think it's EXTREMELY dangerous for a plugin to assume that
> it can mess with the user's operating system in this way, as
> it risks completely breaking their QGIS install or even their
> wider python environment. I would like to see us explicitly
> blocking all plugins from the repository that do this in
> future. 👎
>
> Nyall
>
> >
> > Cheers,
> > Pedro
> >
> >
> >
> > _______________________________________________
> > QGIS-Developer mailing list
> > QGIS-Developer at lists.osgeo.org
> > List info:
> https://lists.osgeo.org/mailman/listinfo/qgis-developer
> > Unsubscribe:
> https://lists.osgeo.org/mailman/listinfo/qgis-developer
>
>
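The "detect missing dependencies, warn the user, point them at documentation" pattern that Nyall recommends, written out as an added example. This is not code from QAequilibraE, qgis-plugin-dev-tools or qpip; it is a stand-alone sketch of the read-only check a plugin can run at load time. It parses a small curated requirements list, compares it against what the interpreter actually has (via importlib.metadata, or against an injected snapshot so the demonstration is deterministic), and builds the message a plugin would show in the QGIS message bar. The package names in the snapshot and the documentation URL are constructed placeholders. The security-relevant property is that no code path downloads, installs or writes anything, so a compromised index or mirror has nothing to reach here.

```python
"""Detect-and-warn dependency check for a QGIS plugin (added example, not
project code). Inspects the environment and reports; it never installs."""
from __future__ import annotations

import importlib.metadata as metadata
import re
from dataclasses import dataclass, field
from typing import Callable, Mapping, Optional

# One requirement per entry: "name" or "name OP version". Extras and PEP 508
# markers are deliberately unsupported; a plugin's list is small and curated.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*"
    r"(?:(==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*))?\s*$"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: 'Foo_Lib', 'foo.lib' and 'foo-lib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple[int, ...]:
    """Numeric release segments only: '1.26.4' -> (1, 26, 4); a pre-release
    suffix such as '2.0rc1' is truncated to (2,). Trailing zeros are dropped so
    '2.0' and '2.0.0' compare equal. Assumption: sufficient for the pinned
    scientific-stack versions a plugin lists; use `packaging` for full PEP 440."""
    parts: list[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts) or (0,)


_OPS: dict[str, Callable[[tuple, tuple], bool]] = {
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


@dataclass
class DependencyReport:
    missing: list[str] = field(default_factory=list)                 # requirement strings
    mismatched: list[tuple[str, str]] = field(default_factory=list)  # (requirement, found)

    @property
    def ok(self) -> bool:
        return not self.missing and not self.mismatched


def _real_installed_version(dist_name: str) -> Optional[str]:
    """Read-only lookup in the running interpreter's installed distributions."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


def check_requirements(
    requirements: list[str],
    installed: Optional[Mapping[str, Optional[str]]] = None,
) -> DependencyReport:
    """Compare each requirement with the environment. `installed` is an optional
    {dist_name: version} snapshot used instead of the real interpreter."""
    if installed is None:
        lookup: Callable[[str], Optional[str]] = _real_installed_version
    else:
        snapshot = {normalize_name(k): v for k, v in installed.items()}

        def lookup(name: str) -> Optional[str]:
            return snapshot.get(normalize_name(name))

    report = DependencyReport()
    for req in requirements:
        m = _REQ_RE.match(req)
        if not m:
            raise ValueError(f"unparseable requirement: {req!r}")
        name, op, wanted = m.groups()
        have = lookup(name)
        if have is None:
            report.missing.append(req)
        elif op and not _OPS[op](version_key(have), version_key(wanted)):
            report.mismatched.append((req, have))
    return report


def user_message(report: DependencyReport, docs_url: str) -> str:
    """Text for a message bar or dialog. docs_url is the plugin's own
    per-operating-system install page (a hypothetical placeholder here)."""
    if report.ok:
        return "All required Python packages are installed."
    lines = ["This plugin cannot start because some Python packages are unavailable:"]
    lines += [f"  - {req}: not installed" for req in report.missing]
    lines += [f"  - {req}: found version {have}" for req, have in report.mismatched]
    lines.append(f"Installation instructions for your operating system: {docs_url}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed snapshot of a user's QGIS Python environment (not real data).
    snapshot = {"numpy": "1.26.4", "Foo_Lib": "1.9.0"}
    rep = check_requirements(["numpy>=1.20", "foo-lib==2.0", "barpkg"], installed=snapshot)
    print(user_message(rep, "https://example.invalid/plugin/install"))
```

In a real plugin the `check_requirements` call sits in `classFactory` or `initGui`, and on a non-empty report the plugin pushes `user_message(...)` to `iface.messageBar()` and returns without registering its tools. Whether the user then installs into a dedicated QGIS profile, via the OS package manager, or by vendoring as qgis-plugin-dev-tools does is their decision, made outside the plugin's code.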