On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <qgis-developer@lists.osgeo.org> wrote:
> Thomas B via QGIS-Developer <qgis-developer@lists.osgeo.org> writes:
>
> > Dear QGIS-Developers,
> >
> > Are there any guidelines from the QGIS project regarding whether a QGIS
> > plugin is allowed to autonomously install required packages using PIP or
> > similar tools without manual installation by the user?
> >
> > While this might seem convenient, I see it as a potential security risk,
> > especially if the user is not explicitly informed about what is happening
> > in the background.
>
> Agreed this is not ok. I think a plugin downloading anything to be
> executed or interpreted should be entirely prohibited.

+1. This practice should lead to a plugin being removed from the repositories.

(Possibly we could do something on the code side too, e.g. by monkey patching over subprocess/etc and explicitly blocking execution of sip, with a developer-friendly exception stating this policy. It'd be easy for someone motivated to circumvent, but could at least be used to advise plugin developers that this is not acceptable practice...)

Nyall

> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer@lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
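The monkey-patching idea from the reply above, as an added Python sketch that is not QGIS project code: it replaces `subprocess.Popen` (which `run`, `call` and `check_output` all construct) so that a plugin launching pip gets an exception that states the policy. The names `PluginPolicyError`, `is_package_install` and `install_guard`, and the list of installer names it recognises, are my own assumptions.

```python
import os
import re
import shlex
import subprocess

class PluginPolicyError(RuntimeError):
    """Developer-facing error that states the policy instead of failing silently."""

POLICY_MESSAGE = "QGIS plugins must not install packages at runtime; declare dependencies instead."
_INSTALLER_RE = re.compile(r"pip\d*(\.\d+)?|easy_install|conda|uv")  # assumed installer names

def _argv(args):
    # Normalise the str/bytes/sequence forms Popen accepts into one token list
    if isinstance(args, (str, bytes)):
        return shlex.split(os.fsdecode(args))
    argv = [os.fsdecode(a) for a in args]
    # shell=True is often written as ["pip install x"]: re-split that single string
    return shlex.split(argv[0]) if len(argv) == 1 and " " in argv[0] else argv

def is_package_install(args) -> bool:
    """True if the command runs a package installer: directly, via -m, or inside a shell."""
    argv = _argv(args)
    if not argv:
        return False
    prog = os.path.basename(argv[0]).lower().removesuffix(".exe")
    if _INSTALLER_RE.fullmatch(prog):
        return True
    if prog.startswith("python") and "-m" in argv[:-1]:  # python -m pip / python -m ensurepip
        return argv[argv.index("-m") + 1] in {"pip", "ensurepip"}
    if prog in ("sh", "bash", "zsh", "dash") and "-c" in argv[:-1]:  # sh -c "pip install x"
        return is_package_install(argv[argv.index("-c") + 1])
    return False

class _GuardedPopen(subprocess.Popen):
    """subprocess.run/call/check_output all construct Popen, so one patched name covers them."""
    def __init__(self, args, *pargs, **kwargs):
        if is_package_install(args):
            raise PluginPolicyError(f"{POLICY_MESSAGE} Blocked command: {args!r}")
        super().__init__(args, *pargs, **kwargs)

def install_guard():
    # Trivially bypassed (pip.main(), runpy, os.exec*): guidance for plugin authors, not a boundary
    subprocess.Popen = _GuardedPopen

def blocked_by_guard(args) -> bool:
    """Run `args` with the guard on; True if the policy blocked it, False if it ran."""
    install_guard()
    try:
        subprocess.run(args)
    except PluginPolicyError:
        return True
    return False
```

Calling `install_guard()` once at host start-up is enough; anything a plugin later runs through `subprocess` is checked before a child process is created.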