<div dir="ltr">Hello Pedro,<div><br></div><div>qgis-plugin-dev-tools (<a href="https://github.com/nlsfi/qgis-plugin-dev-tools#setup">https://github.com/nlsfi/qgis-plugin-dev-tools#setup</a>) solves the dependency issue by including the dependencies with the plugin package.</div><div><br></div><div>It can easily handle most (non-binary) requirements by automatically rewriting the imports of these vendored dependencies in the build process. </div><div>This way it is possible to have multiple plugins using different versions of the same requirement without any conflicts.</div><div>It is also possible to include binary dependencies, but there is no operating-system-specific logic built in yet.</div><div><br></div><div>There is also a tool called qpip (<a href="https://github.com/opengisch/qpip">https://github.com/opengisch/qpip</a>) for dependency management, which might be worth checking out.</div><div><br></div><div>Cheers,</div><div>Joona</div><div><br></div><div><br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Mon 25.5.2026 at 6.35 Pedro Camargo via QGIS-Developer (<a href="mailto:qgis-developer@lists.osgeo.org">qgis-developer@lists.osgeo.org</a>) wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10pt"><div>Hey Nyall,<br></div><div><br></div><div>I hear you, but let me highlight two points of my original post.<br></div><ul dir="ltr"><li> The plugin asks the user whether they want to install the dependencies. <br></li><li> The dependencies are installed in the plugin folder and can therefore be removed without causing any lasting damage to the user's QGIS installation.<br></li></ul><div>Installing additional dependencies in QGIS remains a painful task for less technical users, adding another (somewhat unnecessary) hurdle to adoption. 
<br></div><div><br></div><div>On that note, a fair question could be: Is there a recommended low-effort (for users) path to install extra dependencies for plugins? <br></div><div><br></div><div>If not, is that something being considered for the near future?<br></div><div><br></div><div><br></div><div>Cheers,<br></div><div>Pedro</div><div><br></div><div><br></div><div style="border-top:1px solid rgb(204,204,204);height:0px;margin-top:10px;margin-bottom:10px;line-height:0px"><br></div><div><div><br></div><div id="m_6750506275350710662Zm-_Id_-Sgn1">From: Nyall Dawson <<a href="mailto:nyall.dawson@gmail.com" target="_blank">nyall.dawson@gmail.com</a>><br>To: "Pedro Camargo"<<a href="mailto:c@margo.co" target="_blank">c@margo.co</a>><br>Cc: "Qgis Developer"<<a href="mailto:qgis-developer@lists.osgeo.org" target="_blank">qgis-developer@lists.osgeo.org</a>><br>Date: Mon, 25 May 2026 11:12:20 +1000<br>Subject: Re: [QGIS-Developer] Security issues with plugins<br></div><div><br></div><blockquote id="m_6750506275350710662blockquote_zmail" style="margin:0px"><div><div dir="ltr"><div><br></div><div><br></div><div>On Mon, 25 May 2026 at 08:27, Pedro Camargo via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org" target="_blank">qgis-developer@lists.osgeo.org</a>> wrote:<br></div><div>><br></div><div>> Hello fellow QGISrs,<br></div><div>><br></div><div>><br></div><div>><br></div><div>> I maintain a couple of plugins that require a substantial number of extra Python packages (many of which have compiled/binary components). 
Hence, those plugins install all such requirements in a folder directly inside the plugin itself, keeping it quite clean when the user wants to remove said plugins.<br></div><div>><br></div><div>><br></div><div>> I have been doing it this way for many years now, but this weekend I received security alerts that both plugins were taken down due to code that downloads extra dependencies (offending code at qaequilibrae/qaequilibrae/download_extra_packages_class.py at develop · AequilibraE/qaequilibrae).<br></div><div>><br></div><div>> Does anyone have any recommendations on how to proceed? What is currently the recommended way for plugins to install further dependencies?<br></div><div><br></div><div>My personal 2c: a plugin should NEVER automatically install dependencies like this. Rather, you should detect missing dependencies, warn the user, and point them to a documentation page directing them how to install the missing libraries on different operating systems.<br></div><div><br></div><div>I think it's EXTREMELY dangerous for a plugin to assume that it can mess with the user's operating system in this way, as it risks completely breaking their QGIS install or even their wider python environment. I would like to see us explicitly blocking all plugins from the repository that do this in future. 
👎<br></div><div><br></div><div>Nyall<br></div><div><br>><br>> Cheers,<br>> Pedro<br>><br>><br>><br>> _______________________________________________<br>> QGIS-Developer mailing list<br>> <a href="mailto:QGIS-Developer@lists.osgeo.org" target="_blank">QGIS-Developer@lists.osgeo.org</a><br>> List info: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>> Unsubscribe: <a href="https://lists.osgeo.org/mailman/listinfo/qgis-developer" target="_blank">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a></div></div></div></blockquote></div><div><br></div></div><br></div>
</blockquote></div>
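<p>Nyall's recommendation in the quoted thread (detect missing dependencies, warn the user, and point them to per-OS documentation instead of installing anything from inside QGIS) is straightforward to implement. The block below is an added example written for this page, not code from any of the plugins or tools mentioned above; the <code>INSTALL_DOCS_URL</code>, the plugin name and the <code>Requirement</code>/<code>Problem</code> helpers are assumptions. The check inspects module specs and distribution metadata only, so no third-party code is imported, downloaded or executed while it runs, and the version comparison is deliberately a simplified numeric one rather than a full PEP 440 implementation.</p>

```python
"""Pre-flight dependency check for a QGIS plugin: detect, warn, never install.

Constructed example (not from the thread). Only the standard library is used;
nothing is downloaded, imported from third parties, or executed by the check.
"""
import importlib.metadata
import importlib.util
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical documentation page with per-OS install instructions (assumption).
INSTALL_DOCS_URL = "https://example.org/myplugin/install-dependencies"


@dataclass(frozen=True)
class Requirement:
    import_name: str                    # name used in `import ...`
    dist_name: str                      # distribution name seen by importlib.metadata
    min_version: Optional[str] = None   # lowest acceptable release, if any


@dataclass(frozen=True)
class Problem:
    requirement: Requirement
    found_version: Optional[str]        # None: absent; "unknown": present, no metadata

    def describe(self) -> str:
        r = self.requirement
        if self.found_version is None:
            return f"{r.dist_name}: not installed"
        if self.found_version == "unknown":
            return (f"{r.dist_name}: importable but its version could not be "
                    f"verified, need >= {r.min_version}")
        return f"{r.dist_name}: found {self.found_version}, need >= {r.min_version}"


def _release_tuple(version: str) -> tuple:
    """Leading numeric release segment only ('2.10.1rc2' -> (2, 10, 1)).
    Pre-release and local tags are ignored: this is a warning, not a resolver."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    return tuple(int(p) for p in m.group(1).split(".")) if m else (0,)


def version_satisfied(found: str, minimum: Optional[str]) -> bool:
    if minimum is None:
        return True
    a, b = _release_tuple(found), _release_tuple(minimum)
    width = max(len(a), len(b))                 # pad so that 2.10 == 2.10.0
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def installed_version(req: Requirement) -> Optional[str]:
    """None if the module cannot be found, '' if found but without distribution
    metadata (stdlib module, vendored copy), otherwise the recorded version.
    find_spec() locates the module without importing it, so no plugin
    dependency code runs during the check."""
    try:
        if importlib.util.find_spec(req.import_name) is None:
            return None
    except (ImportError, ValueError):           # missing parent package, bad name
        return None
    try:
        return importlib.metadata.version(req.dist_name)
    except importlib.metadata.PackageNotFoundError:
        return ""


def check_requirements(reqs: List[Requirement]) -> List[Problem]:
    problems = []
    for req in reqs:
        found = installed_version(req)
        if found is None:
            problems.append(Problem(req, None))
        elif found == "":
            if req.min_version is not None:     # present but unverifiable
                problems.append(Problem(req, "unknown"))
        elif not version_satisfied(found, req.min_version):
            problems.append(Problem(req, found))
    return problems


def warning_message(plugin_name: str, problems: List[Problem]) -> str:
    """Text shown to the user: what is missing and where the instructions live.
    The plugin does not attempt any installation on the user's behalf."""
    lines = [f"{plugin_name} cannot start because some Python dependencies "
             f"are missing or too old:"]
    lines += [f"  - {p.describe()}" for p in problems]
    lines.append(f"Installation instructions for your operating system: {INSTALL_DOCS_URL}")
    return "\n".join(lines)


def report_to_qgis(iface, plugin_name: str, problems: List[Problem]) -> bool:
    """Push the warning to the QGIS message bar; True means the plugin may load.
    `iface` is the QgisInterface handed to the plugin by classFactory()."""
    if not problems:
        return True
    iface.messageBar().pushWarning(plugin_name, warning_message(plugin_name, problems))
    return False
```

<p>In a plugin this runs from the constructor or <code>initGui()</code> before any third-party import; when <code>report_to_qgis</code> returns <code>False</code> the plugin registers nothing beyond the warning, so a missing or outdated library degrades to a clear message rather than a traceback or an unsolicited download.</p>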