<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Imho, (<a href="https://github.com/opengisch/qpip"
class="moz-txt-link-freetext">https://github.com/opengisch/qpip</a>)
is an elegant way of handling plugin dependencies. You can
manage isolation by using QGIS profiles.</p>
<div class="moz-signature">
<p> <span style="font-weight:bold;color:#9ACD32;">David</span> <br>
<br>
</p>
</div>
<div class="moz-cite-prefix">On 25/05/2026 at 07:47, Joona Laine via
QGIS-Developer wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAKmgki60jiKx29_K07F01Ppsut4s=Oeed6snJO7AVkwEYCVcpA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hello Pedro,
<div><br>
</div>
<div>qgis-plugin-dev-tools (<a
href="https://github.com/nlsfi/qgis-plugin-dev-tools#setup"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/nlsfi/qgis-plugin-dev-tools#setup</a>)
solves the dependency issue by including the dependencies with
the plugin package.</div>
<div><br>
</div>
<div>It can easily handle most (non-binary) requirements by
automatically rewriting the imports of these vendored
dependencies in the build process. </div>
<div>This way it is possible to have multiple plugins using
different versions of the same requirement without any
conflicts.</div>
<div>It is also possible to include binary dependencies, but
there is no operating-system-specific logic built in yet at the
moment.</div>
<div><br>
</div>
<div>There is also a tool called qpip (<a
href="https://github.com/opengisch/qpip"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/opengisch/qpip</a>)
for dependency management, which might be worth checking out.</div>
<div><br>
</div>
<div>Cheers,</div>
<div>Joona</div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote gmail_quote_container">
<div dir="ltr" class="gmail_attr">Mon 25.5.2026 at 6.35 Pedro
Camargo via QGIS-Developer (<a
href="mailto:qgis-developer@lists.osgeo.org"
moz-do-not-send="true" class="moz-txt-link-freetext">qgis-developer@lists.osgeo.org</a>)
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div
style="font-family:Verdana,Arial,Helvetica,sans-serif;font-size:10pt">
<div>Hey Nyall,<br>
</div>
<div><br>
</div>
<div>I hear you, but let me highlight two points of my
original post.<br>
</div>
<ul dir="ltr">
<li> The plugin asks the user whether they want to
install the dependencies. <br>
</li>
<li> The dependencies are installed in the plugin
folder and can therefore be removed without causing
any lasting damage to the user's QGIS installation.<br>
</li>
</ul>
<div>Installing additional dependencies in QGIS remains a
painful task for less technical users, adding another
(somewhat unnecessary) hurdle to adoption. <br>
</div>
<div><br>
</div>
<div>On that note, a fair question could be: Is there a
recommended low-effort (for users) path to install extra
dependencies for plugins? <br>
</div>
<div><br>
</div>
<div>If not, is that something being considered for the
near future?<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Cheers,<br>
</div>
<div>Pedro</div>
<div><br>
</div>
<div><br>
</div>
<div
style="border-top:1px solid rgb(204,204,204);height:0px;margin-top:10px;margin-bottom:10px;line-height:0px"><br>
</div>
<div>
<div><br>
</div>
<div id="m_6750506275350710662Zm-_Id_-Sgn1">From: Nyall
Dawson <<a href="mailto:nyall.dawson@gmail.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">nyall.dawson@gmail.com</a>><br>
To: "Pedro Camargo"<<a href="mailto:c@margo.co"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">c@margo.co</a>><br>
Cc: "Qgis Developer"<<a
href="mailto:qgis-developer@lists.osgeo.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">qgis-developer@lists.osgeo.org</a>><br>
Date: Mon, 25 May 2026 11:12:20 +1000<br>
Subject: Re: [QGIS-Developer] Security issues with
plugins<br>
</div>
<div><br>
</div>
<blockquote id="m_6750506275350710662blockquote_zmail"
style="margin:0px">
<div>
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
<div>On Mon, 25 May 2026 at 08:27, Pedro Camargo
via QGIS-Developer <<a
href="mailto:qgis-developer@lists.osgeo.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">qgis-developer@lists.osgeo.org</a>>
wrote:<br>
</div>
<div>><br>
</div>
<div>> Hello fellow QGISrs,<br>
</div>
<div>><br>
</div>
<div>><br>
</div>
<div>><br>
</div>
<div>> I maintain a couple of plugins that
require a substantial number of extra Python
packages (many of which have compiled/binary
components). Hence, those plugins install all
such requirements in a folder directly inside
the plugin itself, keeping it quite clean when
the user wants to remove said plugins.<br>
</div>
<div>><br>
</div>
<div>><br>
</div>
<div>> I have been doing it this way for many
years now, but this weekend I received security
alerts that both plugins were taken down due to
code that downloads extra dependencies
(offending code at
qaequilibrae/qaequilibrae/download_extra_packages_class.py
at develop · AequilibraE/qaequilibrae).<br>
</div>
<div>><br>
</div>
<div>> Does anyone have any recommendations on
how to proceed? What is currently the
recommended way for plugins to install further
dependencies?<br>
</div>
<div><br>
</div>
<div>My personal 2c: a plugin should NEVER
automatically install dependencies like this.
Rather, you should detect missing dependencies,
warn the user, and point them to a documentation
page directing them how to install the missing
libraries on different operating systems.<br>
</div>
<div><br>
</div>
<div>I think it's EXTREMELY dangerous for a plugin
to assume that it can mess with the user's
operating system in this way, as it risks
completely breaking their QGIS install or even
their wider python environment. I would like to
see us explicitly blocking all plugins from the
repository that do this in future. 👎<br>
</div>
<div><br>
</div>
<div>Nyall<br>
</div>
<div><br>
><br>
> Cheers,<br>
> Pedro<br>
><br>
><br>
><br>
>
_______________________________________________<br>
> QGIS-Developer mailing list<br>
> <a
href="mailto:QGIS-Developer@lists.osgeo.org"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">QGIS-Developer@lists.osgeo.org</a><br>
> List info: <a
href="https://lists.osgeo.org/mailman/listinfo/qgis-developer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a><br>
> Unsubscribe: <a
href="https://lists.osgeo.org/mailman/listinfo/qgis-developer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.osgeo.org/mailman/listinfo/qgis-developer</a></div>
</div>
</div>
</blockquote>
</div>
<div><br>
</div>
</div>
<br>
</div>
</blockquote>
</div>
<br>
</blockquote>
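<p>As an added example (not code from this thread nor from qpip, qgis-plugin-dev-tools or the AequilibraE plugins), here is the non-installing check Nyall describes: the plugin locates each requirement, compares the installed version with the minimum it needs, and builds a message that points the user to a documentation page instead of downloading anything. The requirement names, the version constraints and the docs URL are constructed placeholders; the QGIS-specific part (showing the text in the message bar) is left to the plugin.</p>

```python
"""Dependency check for a QGIS plugin: detect and report, never install."""
import importlib.metadata
import importlib.util
import re
from typing import Dict, List, Tuple

# Constructed sample requirements (import name == distribution name here;
# packages like Pillow/PIL would need a separate mapping).
REQUIREMENTS: Dict[str, str] = {"numpy": ">=1.21", "shapely": ">=2.0", "pandas": ""}
DOCS_URL = "https://example.invalid/plugin/install-dependencies"  # placeholder


def _version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '1.26.4' (or '2.0.post1') into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def _satisfies(installed: str, spec: str) -> bool:
    """Support the '>=X.Y' and '==X.Y' forms; an empty spec accepts any version."""
    if not spec:
        return True
    m = re.fullmatch(r"\s*(>=|==)\s*([\d.]+)\s*", spec)
    if not m:
        raise ValueError(f"unsupported specifier: {spec!r}")
    op, wanted = m.groups()
    have, want = _version_tuple(installed), _version_tuple(wanted)
    return have >= want if op == ">=" else have == want


def check_dependencies(requirements: Dict[str, str] = REQUIREMENTS) -> List[str]:
    """Return problems as 'name: reason' strings; an empty list means all good."""
    problems: List[str] = []
    for name, spec in requirements.items():
        # find_spec only locates the package on sys.path; it does not import it
        if importlib.util.find_spec(name) is None:
            problems.append(f"{name}: not installed")
            continue
        try:
            installed = importlib.metadata.version(name)
        except importlib.metadata.PackageNotFoundError:
            installed = None  # importable but without dist metadata (e.g. vendored)
        if installed is not None and not _satisfies(installed, spec):
            problems.append(f"{name}: found {installed}, need {spec}")
    return problems


def report(problems: List[str], docs_url: str = DOCS_URL) -> str:
    """Build the user-facing text the plugin shows instead of auto-installing."""
    if not problems:
        return "All dependencies satisfied."
    lines = ["This plugin cannot run until the following are installed:"]
    lines += [f"  - {p}" for p in problems]
    lines.append(f"Installation instructions per operating system: {docs_url}")
    return "\n".join(lines)
```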
</body>
</html>