Dear QGIS-Developers, Are there any guidelines from the QGIS project regarding whether a QGIS plugin is allowed to autonomously install required packages using PIP or similar tools without manual installation by the user?
While this might seem convenient, I see it as a potential security risk, especially if the user is not explicitly informed about what is happening in the background.

One example: https://plugins.qgis.org/plugins/StreetSmart/ (I don't intend to blame the author of this plugin... it's just an example because I recently installed this plugin and noticed that it tried to install additional packages.)

When I installed the plugin it opened two command line windows where no output/echo was shown to the user, just a black window... so it is not very transparent what's happening. I had a look at the source code and the plugin uses subprocess to install packages with pip: https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L1005

For one package the plugin only points to a download URL from which a wheel file is downloaded (a self-hosted version of cefpython3, because the one that can be installed with pip is not compatible with Python 3.12): https://github.com/Samsonboadi/StreetSmart/blob/main/street_smart.py#L90

This makes it challenging for the QGIS project to evaluate whether the plugin can cause a security threat, as the file that gets downloaded might differ from the one checked before publishing.

From my perspective, I believe QGIS plugins should at least always ask the user for consent before installing additional modules, especially when the modules are downloaded from the internet.

Prompted by this recent experience, I would like to ask you for some feedback: How do you feel about this topic?

regards, Thomas
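A consent-gated, hash-pinned installer along the lines Thomas proposes, as an added example that is not code from the StreetSmart plugin or from QGIS. The URL and digest are placeholders, and `fetch`, `ask_consent` and `run` are injected so the logic can be exercised offline; a plugin would pass a real downloader, a QGIS dialog and `subprocess.run`.

```python
"""Install a self-hosted wheel only after user consent and a pinned-hash check."""
import hashlib
import hmac
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Callable, Sequence

# Placeholder pin: in a real plugin, the reviewer records the sha256 of the exact
# wheel that was vetted, so a later swap of the hosted file is caught before pip runs.
WHEEL_URL = "https://example.invalid/cefpython3-placeholder-py312.whl"


def sha256_of(data: bytes) -> str:
    """Hex digest of the downloaded artefact."""
    return hashlib.sha256(data).hexdigest()


def verify_wheel(data: bytes, expected_sha256: str) -> bool:
    """Compare the artefact digest against the pin (timing-safe compare)."""
    return hmac.compare_digest(sha256_of(data), expected_sha256.lower())


def install_pinned_wheel(
    url: str,
    expected_sha256: str,
    fetch: Callable[[str], bytes],
    ask_consent: Callable[[str], bool],
    run: Callable[..., object] = subprocess.run,
) -> str:
    """Return 'declined', 'hash-mismatch' or 'installed'; pip runs only on the last path."""
    prompt = f"This plugin wants to download {url} and install it with pip. Continue?"
    if not ask_consent(prompt):
        return "declined"  # nothing is fetched or executed without explicit consent
    data = fetch(url)
    if not verify_wheel(data, expected_sha256):
        return "hash-mismatch"  # never hand an unexpected artefact to pip
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / url.rsplit("/", 1)[-1]
        wheel.write_bytes(data)
        # --no-index/--no-deps: install exactly this vetted file, resolve nothing from PyPI.
        cmd: Sequence[str] = [sys.executable, "-m", "pip", "install",
                              "--no-index", "--no-deps", str(wheel)]
        run(cmd, check=True)
    return "installed"


if __name__ == "__main__":
    # Demo with a constructed in-memory "wheel" and a console prompt; no network used.
    blob = b"constructed wheel bytes"
    print(install_pinned_wheel(WHEEL_URL, sha256_of(blob), lambda _u: blob,
                               lambda q: input(q + " [y/N] ").lower() == "y",
                               run=lambda cmd, check: print("would run:", cmd)))
```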
QGIS-Developer mailing list QGIS-Developer@lists.osgeo.org List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer