<div dir="ltr">Dear QGIS-Developers,<br><br>Are there any guidelines from the QGIS project regarding whether a QGIS plugin is allowed to autonomously install required packages using PIP or similar tools without manual installation by the user?<br><br>While this might seem convenient, I see it as a potential security risk, especially if the user is not explicitly informed about what is happening in the background.<br><br>One example: <a href="https://plugins.qgis.org/plugins/StreetSmart/">https://plugins.qgis.org/plugins/StreetSmart/</a> <br><br>(
I don't intend to blame the author of this plugin.
... it's just an example because I recently installed this plugin and noticed that it tried to install additional packages.)<br><br>When I installed the plugin, it opened two command-line windows where no output/echo was shown to the user, just a black window... so it's not very transparent what's happening.<br><br>I had a look at the source code and the plugin uses subprocess to install packages with pip:<br><div>
<br><a href="https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L1005">https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L1005</a> <br></div><br>For one package the plugin only points to a download URL from which a wheel file is downloaded (a self-hosted version of cefpython3, because the one that can be installed with pip is not compatible with Python 3.12):<br><br><a href="https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L90">https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L90</a><br><div><br></div><div>
This makes it challenging for the QGIS project to evaluate whether the plugin can cause a security threat, as the file that gets downloaded might differ from the one checked before publishing.</div><br>
From my perspective, I believe QGIS plugins should at least always ask the user for consent before installing additional modules, especially when the modules are downloaded from the internet.
<br><br>Prompted by this recent experience, I would like to ask you for some feedback: How do you feel about this topic?<br><div><br></div><div>regards,</div><div>Thomas<br></div><br></div>
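Added example, not code from the StreetSmart plugin or the QGIS project: the two mitigations raised in the mail, an explicit consent gate and a pinned SHA-256 digest for the downloaded wheel, so the file a reviewer checked before publishing is provably the file that pip installs. The sample wheel bytes and the pinned digest are constructed for the example.

```python
"""Consent gate plus hash-pinned install for a wheel fetched from a plugin-controlled URL."""
import hashlib
import hmac
import sys

# Constructed stand-in for the downloaded wheel; a real plugin would ship the digest of the
# real file it was reviewed with, so a later change on the download server is detected.
SAMPLE_WHEEL_BYTES = b"PK\x03\x04 constructed placeholder wheel contents"
PINNED_SHA256 = hashlib.sha256(SAMPLE_WHEEL_BYTES).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def wheel_matches_pin(data: bytes, pinned_sha256: str) -> bool:
    """True only if the downloaded bytes hash to the digest pinned in the plugin source."""
    return hmac.compare_digest(sha256_hex(data), pinned_sha256.lower())


def requirements_line(wheel_path: str, pinned_sha256: str) -> str:
    """requirements.txt entry that makes pip itself re-check the digest before installing."""
    return f"{wheel_path} --hash=sha256:{pinned_sha256}"


def pip_install_argv(requirements_path: str) -> list:
    """Argument vector for pip; --require-hashes refuses any file whose hash is not pinned."""
    return [sys.executable, "-m", "pip", "install", "--require-hashes", "-r", requirements_path]


def install_plan(data: bytes, pinned_sha256: str, requirements_path: str, user_consented: bool):
    """Return (argv, reason). argv is None when the install must not proceed.

    Order matters: ask the user first, then verify the artifact, and only then hand the
    pinned requirements file to pip. The caller shows `reason` in the QGIS message bar
    instead of a blank console window.
    """
    if not user_consented:
        return None, "user did not consent to installing additional packages"
    if not wheel_matches_pin(data, pinned_sha256):
        return None, f"digest mismatch: got {sha256_hex(data)}, expected {pinned_sha256}"
    return pip_install_argv(requirements_path), "ok"


if __name__ == "__main__":
    argv, reason = install_plan(SAMPLE_WHEEL_BYTES, PINNED_SHA256, "reqs.txt", True)
    print(reason, argv)
    print(install_plan(SAMPLE_WHEEL_BYTES + b"x", PINNED_SHA256, "reqs.txt", True)[1])
```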