<div dir="ltr"> Hi Thomas,<div><br></div><div>My personal feeling is that this is a very real security risk. I know that it makes it easy to get the extra Python packages installed, but it is not worth it. My plugins that require extra Python packages notify the user that they need to be installed and give instructions on how to install them.</div><div><br></div><div>I would caution the QGIS community against going down this road.</div><div><div><br></div><div>Best wishes,</div><div>Calvin</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Oct 22, 2024 at 10:45 AM Thomas B via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org">qgis-developer@lists.osgeo.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Dear QGIS-Developers,<br><br>Are there any guidelines from the QGIS project regarding whether a QGIS plugin is allowed to autonomously install required packages using PIP or similar tools without manual installation by the user?<br><br>While this might seem convenient, I see it as a potential security risk, especially if the user is not explicitly informed about what is happening in the background.<br><br>One Example: <a href="https://plugins.qgis.org/plugins/StreetSmart/" target="_blank">https://plugins.qgis.org/plugins/StreetSmart/</a> <br><br>(
<span>I don't intend to blame the author of this plugin. </span>
... it's just an example because I recently installed this plugin and noticed that it tried to install additional packages.)<br><br>When I installed the plugin it opened two command line windows where no output/echo was shown to the user, just a black window... so not very transparent what’s happening.<br><br>I had a look at the source code and the plugin uses subprocess to install packages with pip:<br><div>
<br><a href="https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L1005" target="_blank">https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L1005</a> <br></div><br>For one package the plugin only points to a download URL from which a wheel file is downloaded (a self-hosted version of cefpython3, because the one that can be installed with pip is not compatible with Python 3.12):<br><br><a href="https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L90" target="_blank">https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L90</a><br><div><br></div><div>
<span>This makes it challenging for the QGIS project to evaluate if the plugin can cause a security threat, as the file that gets downloaded might differ from the one checked before publishing.</span></div><br>
<span>From my perspective, I believe QGIS plugins should at least always ask the user for consent before installing additional modules, especially when the modules are downloaded from the internet.</span>
<br><br>Prompted by this recent experience, I would like to ask you for some feedback: How do you feel about this topic?<br><div><br></div><div>regards,</div><div>Thomas<br></div><br></div>
_______________________________________________<br>
QGIS-Developer mailing list<br>
<a href="mailto:QGIS-Developer@lists.osgeo.org" target="_blank">QGIS-Developer@lists.osgeo.org</a><br>
</blockquote></div>
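One way a plugin could address the two points Thomas raises, consent before installing and a downloaded file that may differ from the one reviewed, as an added example that is not code from StreetSmart, QGIS or anyone in the thread: the user is told what will be fetched and from where, pip runs only after they agree, and the wheel's SHA-256 must match a digest pinned at review time. The package name, URL and digest are constructed placeholders.

```python
"""Added example (not StreetSmart or QGIS code): a plugin-side installer that
runs pip only after explicit consent and only on a wheel whose SHA-256 matches
a digest pinned when the plugin was reviewed."""
import hashlib
import hmac
import subprocess
import sys
from pathlib import Path

# Constructed placeholders for this example; a real plugin pins the digest of
# the exact wheel that reviewers inspected before publication.
PINNED_WHEEL = {
    "name": "examplepkg",
    "url": "https://downloads.example.invalid/examplepkg-1.0-py3-none-any.whl",
    "sha256": hashlib.sha256(b"constructed wheel bytes").hexdigest(),
}

def wheel_matches_pin(data: bytes, expected_hex: str) -> bool:
    """True only if the downloaded bytes hash to the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())

def describe_install(pin: dict) -> str:
    """Consent prompt: what is fetched, from where, and which digest it must match."""
    return (f"{pin['name']} will be downloaded from {pin['url']} "
            f"(sha256 {pin['sha256'][:16]}...) and installed with pip. Proceed?")

def install_command(wheel_path: Path) -> list:
    """pip runs on the verified local file only: --no-index forbids a silent
    fallback to PyPI and --no-deps stops transitive, unreviewed downloads.
    (Inside QGIS, sys.executable may be the QGIS binary rather than python;
    a real plugin must resolve the interpreter it actually runs under.)"""
    return [sys.executable, "-m", "pip", "install", "--no-index", "--no-deps",
            str(wheel_path)]

def install_pinned_wheel(pin, fetch, ask, run=subprocess.run, dest_dir=Path(".")):
    """Returns 'declined', 'hash-mismatch' or 'installed'. fetch(url) -> bytes and
    ask(prompt) -> bool are injected so the flow is testable without network/UI."""
    if not ask(describe_install(pin)):
        return "declined"                       # nothing downloaded, nothing run
    data = fetch(pin["url"])
    if not wheel_matches_pin(data, pin["sha256"]):
        return "hash-mismatch"                  # file differs from the reviewed one
    wheel_path = dest_dir / pin["url"].rsplit("/", 1)[-1]
    wheel_path.write_bytes(data)
    run(install_command(wheel_path), check=True)   # visible, auditable pip call
    return "installed"
```

A reviewer can then compare the pinned digest against the wheel they inspected, and the user sees the URL before any network request is made.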