[QGIS-Developer] Security issues with plugins

Pedro Camargo c at margo.co
Mon May 25 15:07:48 PDT 2026


Hey Joona,



I have looked into qpip, but it is not sufficient. Not only do most dependencies have binaries, but the process also creates a somewhat cumbersome installation workflow for non-technical users.



In the end, the problem seems to be that the plugins I am talking about are not really GIS plugins, but rather bigger pieces of software with a very significant QGIS component, mostly for visualization purposes, so I must grant that as a large part of the problem.



We will likely explore deploying custom plugin repositories and developing full installers. It's inconvenient for users, but there isn't another alternative I can see right now.



Cheers,

Pedro







From: Joona Laine <joona.p.laine at gmail.com>
To: "Pedro Camargo"<c at margo.co>
Cc: "Qgis Developer"<qgis-developer at lists.osgeo.org>
Date: Mon, 25 May 2026 15:47:55 +1000
Subject: Re: [QGIS-Developer] Security issues with plugins



Hello Pedro,

qgis-plugin-dev-tools ( https://github.com/nlsfi/qgis-plugin-dev-tools#setup ) solves the dependency issue by including the dependencies with the plugin package.



It can easily handle most (non-binary) requirements by automatically rewriting the imports of these vendored dependencies in the build process.

This way it is possible to have multiple plugins using different versions of the same requirement without any conflicts.

It is also possible to include binary dependencies, but there is no operating-system-specific logic built yet at the moment.



There is also a tool called qpip ( https://github.com/opengisch/qpip ) for dependency management, which might be worth checking out.



Cheers,

Joona







On Mon 25.5.2026 at 6:35, Pedro Camargo via QGIS-Developer (qgis-developer at lists.osgeo.org) wrote:





Hey Nyall,



I hear you, but let me highlight two points of my original post.

- The plugin asks the user whether they want to install the dependencies.

- The dependencies are installed in the plugin folder and can therefore be removed without causing any lasting damage to the user's QGIS installation.


Installing additional dependencies in QGIS remains a painful task for less technical users, adding another (somewhat unnecessary) hurdle to adoption.



On that note, a fair question could be: Is there a recommended low-effort (for users) path to install extra dependencies for plugins?



If not, is that something being considered for the near future?





Cheers,

Pedro









From: Nyall Dawson <nyall.dawson at gmail.com>
To: "Pedro Camargo"<c at margo.co>
Cc: "Qgis Developer"<qgis-developer at lists.osgeo.org>
Date: Mon, 25 May 2026 11:12:20 +1000
Subject: Re: [QGIS-Developer] Security issues with plugins







On Mon, 25 May 2026 at 08:27, Pedro Camargo via QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:

>

> Hello fellow QGISrs,

>

>

>

> I maintain a couple of plugins that require a substantial number of extra Python packages (many of which have compiled/binary components). Hence, those plugins install all such requirements in a folder directly inside the plugin itself, keeping it quite clean when the user wants to remove said plugins.

>

>

> I have been doing it this way for many years now, but this weekend I received security alerts that both plugins were taken down due to code that downloads extra dependencies (offending code at qaequilibrae/qaequilibrae/download_extra_packages_class.py at develop · AequilibraE/qaequilibrae).

>

> Does anyone have any recommendations on how to proceed? What is currently the recommended way for plugins to install further dependencies?



My personal 2c: a plugin should NEVER automatically install dependencies like this. Rather, you should detect missing dependencies, warn the user, and point them to a documentation page directing them how to install the missing libraries on different operating systems.



I think it's EXTREMELY dangerous for a plugin to assume that it can mess with the user's operating system in this way, as it risks completely breaking their QGIS install or even their wider python environment. I would like to see us explicitly blocking all plugins from the repository that do this in future. 👎



Nyall


>
> Cheers,
> Pedro









_______________________________________________
QGIS-Developer mailing list
QGIS-Developer at lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
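As an added example of the pattern Nyall recommends above (detect missing dependencies, warn the user, and point them at per-OS installation instructions instead of installing anything), here is a small load-time check a plugin could run. This is my own illustration, not code from the AequilibraE plugin, qgis-plugin-dev-tools or QGIS itself. The `Requirement`, `check_dependencies` and `user_message` names, the sample requirement list and the documentation URL are all assumptions; the optional `vendor_dir` argument models Pedro's "dependencies inside the plugin folder" layout, but only as an extra search path, not as an installer.

```python
"""Dependency check for a QGIS plugin that never installs anything itself.

Added example (not code from QGIS, qgis-plugin-dev-tools or the AequilibraE
plugin). The plugin probes for its requirements; if any are missing or too
old it returns a message that points the user at an installation page.
There is deliberately no pip / subprocess call anywhere in this file.
All names below are hypothetical.
"""
import importlib.util
import sys
from dataclasses import dataclass
from importlib import metadata
from itertools import takewhile
from pathlib import Path
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Requirement:
    import_name: str                   # name used in `import ...`
    dist_name: Optional[str] = None    # pip / distribution name if it differs
    min_version: Optional[str] = None  # lowest acceptable version, dotted numbers

    @property
    def pip_name(self) -> str:
        return self.dist_name or self.import_name


@dataclass
class DependencyReport:
    missing: List[Requirement]
    outdated: List[Tuple[Requirement, str]]   # (requirement, installed version)

    @property
    def ok(self) -> bool:
        return not self.missing and not self.outdated


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.24.3' -> (1, 24, 3); a piece such as '2rc1' keeps only its leading digits.

    Deliberately minimal: enough for 'is it at least X.Y' checks without
    depending on the `packaging` module, which a bare QGIS Python may lack.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(installed: str, minimum: str) -> bool:
    have, need = version_tuple(installed), version_tuple(minimum)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))   # pad so (1, 20) == (1, 20, 0)
    need += (0,) * (width - len(need))
    return have >= need


def check_dependencies(requirements: List[Requirement],
                       vendor_dir: Optional[Path] = None) -> DependencyReport:
    """Probe each requirement without importing it and without touching the system.

    vendor_dir (assumption): a folder shipped inside the plugin. It is only
    prepended to sys.path so vendored packages are found; it gives no
    isolation from other plugins or from QGIS's own packages.
    """
    if vendor_dir is not None and vendor_dir.is_dir():
        vendor = str(vendor_dir)
        if vendor not in sys.path:
            sys.path.insert(0, vendor)

    missing, outdated = [], []
    for req in requirements:
        try:
            spec = importlib.util.find_spec(req.import_name)
        except (ModuleNotFoundError, ValueError):
            spec = None   # parent package absent, or a broken sys.modules entry
        if spec is None:
            missing.append(req)
            continue
        if req.min_version is None:
            continue
        try:
            installed = metadata.version(req.pip_name)
        except metadata.PackageNotFoundError:
            # importable but carries no distribution metadata: cannot vouch for it
            outdated.append((req, "unknown"))
            continue
        if not version_at_least(installed, req.min_version):
            outdated.append((req, installed))
    return DependencyReport(missing=missing, outdated=outdated)


def user_message(report: DependencyReport, plugin_name: str, docs_url: str) -> str:
    """Text for a warning dialog or message bar; the plugin stops after showing it."""
    if report.ok:
        return ""
    lines = [f"{plugin_name} cannot start: some Python packages are missing or too old."]
    for req in report.missing:
        lines.append(f"  - {req.pip_name}: not installed")
    for req, have in report.outdated:
        lines.append(f"  - {req.pip_name}: need >= {req.min_version}, found {have}")
    lines.append(f"Installation instructions per operating system: {docs_url}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample requirement list and docs URL, not from any real plugin.
    sample = [
        Requirement("json"),                              # stdlib, always present
        Requirement("numpy", min_version="1.20"),
        Requirement("yaml", dist_name="PyYAML"),
        Requirement("a_binary_dep_that_is_not_here"),     # deliberately missing
    ]
    report = check_dependencies(sample)
    print(user_message(report, "ExamplePlugin", "https://example.invalid/plugin/install"))
```

Inside QGIS the returned string would be pushed to the message bar (for example via `iface.messageBar().pushWarning(...)`) or a dialog, and the plugin would simply not register its tools until the check passes. Note what the `vendor_dir` path trick does not give you: it is a plain `sys.path` entry in the one interpreter all plugins share, so two plugins vendoring different versions of the same package, or a vendored copy shadowing a package QGIS itself ships, still collide. That is exactly the conflict Joona's import-rewriting approach in qgis-plugin-dev-tools is meant to avoid, and it is why a version check like the one above is worth running even against a vendored folder.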

