<span style="font-family: Arial; font-size: small;" xam-editor-container="true"><div>I also did a similar thing in qgis2web plugin.</div><div>I explained to the user that he can install qtwebengine to get the latest features and to do so he will have to click on a button that indicates that an installation will start.</div><div>Here is the screen:</div><div><br /></div><div><img src="cid:1290437387" title="image.png" /></div><div><br /></div><div>Could it be okay?</div><div><br /></div><div>The code:</div><div><br /></div><div><div><i>try:</i></div><div><i> if system == 'Windows':</i></div><div><i> pip_exec = os.path.join(sysconfig.get_path("scripts"), "pip3")</i></div><div><i> env = os.environ.copy()</i></div><div><i> if full_proxy_url:</i></div><div><i> env['http_proxy'] = full_proxy_url</i></div><div><i> env['https_proxy'] = full_proxy_url</i></div><div><i> subprocess.check_call([pip_exec, "install", "--upgrade", "PyQtWebEngine==5.15.6"], env=env)</i></div><div><i> elif system == 'Linux':</i></div><div><i> subprocess.check_call(["sudo", "apt-get", "install", "python3-pyqt5.qtwebengine"])</i></div><div><i> elif system == 'Darwin': # macOS</i></div><div><i> subprocess.check_call(["brew", "install", "pyqt5"])</i></div></div><div><br /></div><br /><div data-signature-id="1">
<div class="xam_msg_class">
<span style="font-family: Arial; font-size: small;" xam-editor-container="true">
<div class="xam_msg_class">
<span style="font-family: Arial; font-size: small;" xam-editor-container="true">
<div class="xam_msg_class">
<span style="font-family: Arial; font-size: medium;" xam-editor-container="true">
<div class="xam_msg_class">
<span style="font-family: Arial;" xam-editor-container="true"><font size="2">
</font><div class="xam_msg_class" style=""><span style="color: rgb(0, 89, 179); font-family: Calibri, sans-serif; font-size: small;"><b>Andrea Ordonselli</b></span><br style="font-size: small;" /><div data-signature-id="1" style="font-size: small;"><div class="xam_msg_class"><span style="font-size: medium;" xam-editor-container="true"><font size="2"></font><div class="xam_msg_class"><span xam-editor-container="true"><b><span style="line-height: 18.4px; font-family: Calibri, sans-serif; color: rgb(0, 89, 179);"><font size="2">O.GIS - </font></span></b></span><b><span style="line-height: 18.4px; font-family: Calibri, sans-serif; color: rgb(0, 89, 179);"><font size="2">opengis.it</font></span></b></div></span></div></div>
</div>
</span>
</div>
</span>
</div>
</span>
</div>
</span>
</div>
</div><br /><br /><div class="xam-quoted-text xam-reply-text"><div style="border-left: 3px solid #000000; padding-left: 10px;"><div><span style="font-family:Arial; font-size:11px; color:#5F5F5F;">Da</span><span style="font-family:Arial; font-size:12px; color:#5F5F5F; padding-left:5px;"> "QGIS-Developer" qgis-developer-bounces@lists.osgeo.org</span></div>
<div><span style="font-family:Arial; font-size:11px; color:#5F5F5F;">A</span><span style="font-family:Arial; font-size:12px; color:#5F5F5F; padding-left:5px;"> "Matthias Kuhn" matthias@opengis.ch</span></div>
<div><span style="font-family:Arial; font-size:11px; color:#5F5F5F;">Cc</span><span style="font-family:Arial; font-size:12px; color:#5F5F5F; padding-left:5px;"> "Thomas B via QGIS-Developer" qgis-developer@lists.osgeo.org</span></div>
<div><span style="font-family:Arial; font-size:11px; color:#5F5F5F;">Data</span><span style="font-family:Arial; font-size:12px; color:#5F5F5F; padding-left:5px;"> Wed, 23 Oct 2024 16:16:43 +1000</span></div>
<div><span style="font-family:Arial; font-size:11px; color:#5F5F5F;">Oggetto</span><span style="font-family:Arial; font-size:12px; color:#5F5F5F; padding-left:5px;"> Re: [QGIS-Developer] How to deal with QGIS plugins which install additional packages</span></div>
<br />
<div class="xam_msg_class">
<div dir="auto"><div><br /><br /><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Wed, 23 Oct 2024, 4:07 pm Matthias Kuhn, <<a href="mailto:matthias@opengis.ch">matthias@opengis.ch</a>> wrote:<br /></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><div>On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org" rel="noreferrer" target="_blank">qgis-developer@lists.osgeo.org</a>> wrote:</div></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div><br /><br /><div class="gmail_quote"><div class="gmail_attr" dir="ltr">On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <<a href="mailto:qgis-developer@lists.osgeo.org" rel="noreferrer" target="_blank">qgis-developer@lists.osgeo.org</a>> wrote:<br /></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Thomas B via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org" rel="noreferrer noreferrer" target="_blank">qgis-developer@lists.osgeo.org</a>> writes:<br />
<br />
> Dear QGIS-Developers,<br />
><br />
> Are there any guidelines from the QGIS project regarding whether a QGIS<br />
> plugin is allowed to autonomously install required packages using PIP or<br />
> similar tools without manual installation by the user?<br />
><br />
> While this might seem convenient, I see it as a potential security risk,<br />
> especially if the user is not explicitly informed about what is happening<br />
> in the background.<br />
<br />
Agreed this is not ok. I think a plugin downloading anything to be<br />
executed or interpreted should be entirely prohibited.<br /></blockquote></div></div><div dir="auto"><br /></div><div dir="auto">+1 . This practice should lead to a plugin being removed from the repositories.</div><div dir="auto"><br /></div><div dir="auto">(Possibly we could do something on the code side too, eg by monkey patching over subprocess/etc and explicitly blocking execution of sip, with a developer-friendly exception stating this policy. It'd be easy for someone motivated to circumvent, but could at least be used to advise plugin developers that this is not acceptable practice...)</div></div></blockquote><div><br /></div><div>We've tried to come up with a more transparent approach with support for requirements.txt (see <a href="https://github.com/opengisch/qpip" rel="noreferrer" target="_blank">https://github.com/opengisch/qpip</a>). It is using pip but with a frontend which informs the user and lets him confirm an eventual installation.</div><div>Is this approach generally acceptable?</div></div></div></blockquote></div></div><div dir="auto"><br /></div><div dir="auto">Well, I definitely trust yourself/OpenGIS significantly more then other random plugin developers 👍</div><div dir="auto"><br /></div><div dir="auto">I would personally feel safest if this was something officially endorsed, with an explicit allow list of acceptable packages.</div><div dir="auto"><br /></div><div dir="auto"><br /></div><div dir="auto"><br /></div><div dir="auto">Nyall</div><div dir="auto"><br /></div><div dir="auto"><br /></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div><br /></div><div>Matthias</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="auto"><br /></div><div dir="auto">Nyall</div><div dir="auto"><br /></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
_______________________________________________<br />
QGIS-Developer mailing list<br />
<a href="mailto:QGIS-Developer@lists.osgeo.org" rel="noreferrer noreferrer" target="_blank">QGIS-Developer@lists.osgeo.org</a><br />
List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br />
Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br />
</blockquote></div></div></div>
_______________________________________________<br />
QGIS-Developer mailing list<br />
<a href="mailto:QGIS-Developer@lists.osgeo.org" rel="noreferrer" target="_blank">QGIS-Developer@lists.osgeo.org</a><br />
List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br />
Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" rel="noreferrer noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br />
</blockquote></div></div>
</blockquote></div></div></div>
</div>
</div></div></span>