[QGIS-Developer] Security issues with plugins
Axel Hörteborn
axel.n.c.andersson at gmail.com
Wed May 27 13:25:53 PDT 2026
Hi,
I'm maintaining the geodatafarm plugin where I have a few dependencies.
Earlier it was a hassle for many less technical users to install the
plugin on different OS etc. I can only recommend using the QPIP plugin as a
dependent qgis plugin, since it has solved these issues.
Best regards
Axel
On Wed 27 May 2026 14:50 Pedro Camargo via QGIS-Developer <
qgis-developer at lists.osgeo.org> wrote:
> Hi Julien,
>
> This is indeed a possibility. However, there is one thing I do not
> understand.
>
> As far as I understand, the way qpip installs dependencies is very similar
> to what we do in AequilibraE (command system call). So why is that qpip is
> still available through the plugin store? Is there an important difference
> I am missing there?
>
> Cheers,
> Pedro
>
>
> From: Julien Cabieces <julien.cabieces at oslandia.com>
> To: "Pedro Camargo via QGIS-Developer"<qgis-developer at lists.osgeo.org>
> Cc: "Pedro Camargo"<c at margo.co>
> Date: Wed, 27 May 2026 20:27:52 +1000
> Subject: Re: [QGIS-Developer] Security issues with plugins
>
> >
> > Hi all,
> >
> > I think qpip is the best way to solve this particular matter. IMHO, the
> > only drawback now is that you have to add qpip as a plugin dependency to
> > then declare your dependencies. So the first time, QGIS would display
> > a pop-up to propose that the user install qpip, and then qpip would
> > propose that the user install the dependencies.
> >
> > This is maybe what people consider cumbersome for users, but when it's
> > already installed, I think it's the proper way to go: We warn the user that
> > something needs to be installed, he agrees or not (just one click!), then
> > we install it or not.
> >
> > Maybe, we should consider integrating it in the core so we skip the first
> > step. There is already a plugin dependency management in QGIS core, so
> > that's maybe relevant to extend it to what qpip can do.
> >
> > Regards,
> > Julien
> >
> >
> >
> > > Hey Joona,
> > >
> > > I have looked into qpip, but it is not sufficient. Not only do most
> > > dependencies have binaries, but the process also creates a somewhat
> > > cumbersome installation workflow for non-technical users.
> > >
> > > In the end, the problem seems to be that the plugins I am talking
> > > about are not really GIS plugins, but rather bigger pieces of software with a
> > > very significant QGIS component, mostly for visualization purposes,
> > > so I must grant that as a large part of the problem.
> > >
> > > We will likely explore deploying custom plugin repositories and
> > > developing full installers. It's inconvenient for users, but there isn't another
> > > alternative I can see right now.
> > >
> > > Cheers,
> > > Pedro
> > >
> > > From: Joona Laine <joona.p.laine at gmail.com>
> > > To: "Pedro Camargo"<c at margo.co>
> > > Cc: "Qgis Developer"<qgis-developer at lists.osgeo.org>
> > > Date: Mon, 25 May 2026 15:47:55 +1000
> > > Subject: Re: [QGIS-Developer] Security issues with plugins
> > >
> > > Hello Pedro,
> > >
> > > qgis-plugin-dev-tools (
> > > https://github.com/nlsfi/qgis-plugin-dev-tools#setup) solves the
> > > dependency issue by including the dependencies
> > > with the plugin package.
> > >
> > > It can easily handle most (non-binary) requirements by
> > > automatically rewriting the imports of these vendored dependencies in the
> > > build process.
> > > This way it is possible to have multiple plugins using different
> > > versions of the same requirement without any conflicts.
> > > It is also possible to include binary dependencies, but there is no
> > > operating-system-specific logic built yet at the moment.
> > >
> > > There is also a tool called qpip (https://github.com/opengisch/qpip)
> for dependency management, which might be worth checking out.
> > >
> > > Cheers,
> > > Joona
> > >
> > > On Mon 25.5.2026 at 6.35 Pedro Camargo via QGIS-Developer (
> > > qgis-developer at lists.osgeo.org) wrote:
> > >
> > > Hey Nyall,
> > >
> > > I hear you, but let me highlight two points of my original post.
> > >
> > > * The plugin asks the user whether they want to install the
> > > dependencies.
> > > * The dependencies are installed in the plugin folder and can
> > > therefore be removed without causing any lasting damage to the
> > > user's QGIS installation.
> > >
> > > Installing additional dependencies in QGIS remains a painful task
> > > for less technical users, adding another (somewhat unnecessary)
> > > hurdle to adoption.
> > >
> > > On that note, a fair question could be: Is there a recommended
> > > low-effort (for users) path to install extra dependencies for plugins?
> > >
> > > If not, is that something being considered for the near future?
> > >
> > > Cheers,
> > > Pedro
> > >
> > > From: Nyall Dawson <nyall.dawson at gmail.com>
> > > To: "Pedro Camargo"<c at margo.co>
> > > Cc: "Qgis Developer"<qgis-developer at lists.osgeo.org>
> > > Date: Mon, 25 May 2026 11:12:20 +1000
> > > Subject: Re: [QGIS-Developer] Security issues with plugins
> > >
> > > On Mon, 25 May 2026 at 08:27, Pedro Camargo via QGIS-Developer <
> > > qgis-developer at lists.osgeo.org> wrote:
> > > >
> > > > Hello fellow QGISrs,
> > > >
> > > >
> > > >
> > > > I maintain a couple of plugins that require a substantial number
> > > > of extra Python packages (many of which have
> > > > compiled/binary components). Hence, those plugins install all such
> > > > requirements in a folder directly inside the plugin itself,
> > > > keeping it quite clean when the user wants to remove said plugins.
> > > >
> > > >
> > > > I have been doing it this way for many years now, but this weekend
> > > > I received security alerts that both plugins were taken down
> > > > due to code that downloads extra dependencies (offending code at
> > > > qaequilibrae/qaequilibrae/download_extra_packages_class.py at
> > > > develop · AequilibraE/qaequilibrae).
> > > >
> > > > Does anyone have any recommendations on how to proceed? What is
> > > > currently the recommended way for plugins to install
> > > > further dependencies?
> > >
> > > My personal 2c: a plugin should NEVER automatically install
> > > dependencies like this. Rather, you should detect missing
> > > dependencies, warn the user, and point them to a documentation page
> > > directing them how to install the missing libraries on
> > > different operating systems.
> > >
> > > I think it's EXTREMELY dangerous for a plugin to assume that it can
> > > mess with the user's operating system in this way, as it risks
> > > completely breaking their QGIS install or even their wider python
> > > environment. I would like to see us explicitly blocking all plugins
> > > from the repository that do this in future. 👎
> > >
> > > Nyall
> > >
> > > >
> > > > Cheers,
> > > > Pedro
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > QGIS-Developer mailing list
> > > > QGIS-Developer at lists.osgeo.org
> > > > List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> > > > Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> > >
> >
> > --
> >
> > Julien Cabieces
> > Senior Developer at Oslandia
> > julien.cabieces at oslandia.com
> >
>
>
>
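The "detect, warn, point to documentation, never install" approach that Nyall recommends in the quoted thread, as an added example. This is not code from qaequilibrae, qpip, qgis-plugin-dev-tools or QGIS itself; the package list, the minimum versions and the docs URL are constructed placeholders, and the QGIS message bar is deliberately left out so the module runs outside QGIS. The plugin only probes what is already importable with the standard library and never spawns pip or a shell command.

```python
"""Detect missing plugin dependencies and warn, without installing anything.

Added example, not code from qaequilibrae, qpip or qgis-plugin-dev-tools.
It follows the approach described in the thread: check which required
packages are importable (and, where a minimum version is given, recent
enough), then build a warning that points the user to a documentation
page. Nothing is downloaded or installed. REQUIRED, DOCS_URL and the
package names in them are constructed placeholders.
"""
import importlib.util
import re
from dataclasses import dataclass, field
from importlib.metadata import PackageNotFoundError, version

DOCS_URL = "https://example.invalid/plugin/install-dependencies"  # placeholder

# (module to import, distribution name on PyPI, minimum version or None).
# Constructed list: "json" is stdlib and always present; the last entry is
# deliberately absent so a stand-alone run has something to report.
REQUIRED = [
    ("json", "json", None),
    ("numpy", "numpy", "1.20"),
    ("definitely_not_installed_pkg", "definitely-not-installed-pkg", None),
]


def _version_tuple(v: str) -> tuple:
    """Compare dotted versions numerically ("1.26.4" > "1.9"). Parsing stops
    at the first component with no leading digits, and trailing letters are
    dropped, so "2.0rc1" compares as (2, 0)."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


@dataclass
class DependencyReport:
    missing: list = field(default_factory=list)     # import names not found
    outdated: list = field(default_factory=list)    # (dist, found, required)
    unverified: list = field(default_factory=list)  # importable, no metadata

    def ok(self) -> bool:
        return not self.missing and not self.outdated


def check_dependencies(required=REQUIRED) -> DependencyReport:
    """Probe each requirement read-only; nothing is downloaded or installed."""
    report = DependencyReport()
    for import_name, dist_name, min_version in required:
        try:
            spec = importlib.util.find_spec(import_name)
        except (ImportError, ValueError):
            # Dotted name whose parent package is missing, or an invalid name.
            spec = None
        if spec is None:
            report.missing.append(import_name)
            continue
        if min_version is None:
            continue
        try:
            found = version(dist_name)
        except PackageNotFoundError:
            # Importable but not registered as a distribution (a vendored copy
            # or a stdlib module): the version cannot be checked, so report it
            # separately instead of treating it as a failure.
            report.unverified.append(dist_name)
            continue
        if _version_tuple(found) < _version_tuple(min_version):
            report.outdated.append((dist_name, found, min_version))
    return report


def warning_message(report: DependencyReport, docs_url: str = DOCS_URL) -> str:
    """Text for a message bar or dialog; empty string when everything is present."""
    if report.ok():
        return ""
    lines = ["This plugin cannot start because some Python packages are unavailable:"]
    for name in report.missing:
        lines.append(f"  - {name}: not installed")
    for dist, found, required in report.outdated:
        lines.append(f"  - {dist}: version {found} found, {required} or newer required")
    lines.append(f"See {docs_url} for installation instructions for your operating system.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(warning_message(check_dependencies()) or "All dependencies satisfied.")
```

In a real plugin the natural place for this is the plugin's entry point (the `classFactory` or `initGui` stage, which are QGIS's own hooks): run `check_dependencies()`, and when the report is not ok, show `warning_message()` in the QGIS message bar and skip registering the plugin's actions rather than half-loading. The `unverified` list is the caveat a reviewer would ask about: a package vendored inside the plugin folder (the approach qgis-plugin-dev-tools takes) imports fine but has no distribution metadata, so a minimum-version check cannot be enforced for it and should not be reported as a failure.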