On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer <qgis-developer@lists.osgeo.org> wrote:

> On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <qgis-developer@lists.osgeo.org> wrote:
>
>> Thomas B via QGIS-Developer <qgis-developer@lists.osgeo.org> writes:
>>
>> > Dear QGIS-Developers,
>> >
>> > Are there any guidelines from the QGIS project regarding whether a QGIS
>> > plugin is allowed to autonomously install required packages using PIP or
>> > similar tools without manual installation by the user?
>> >
>> > While this might seem convenient, I see it as a potential security risk,
>> > especially if the user is not explicitly informed about what is happening
>> > in the background.
>>
>> Agreed this is not ok. I think a plugin downloading anything to be
>> executed or interpreted should be entirely prohibited.
>
> +1 . This practice should lead to a plugin being removed from the
> repositories.
>
> (Possibly we could do something on the code side too, eg by monkey
> patching over subprocess/etc and explicitly blocking execution of sip, with
> a developer-friendly exception stating this policy. It'd be easy for
> someone motivated to circumvent, but could at least be used to advise
> plugin developers that this is not acceptable practice...)

We've tried to come up with a more transparent approach with support for requirements.txt (see https://github.com/opengisch/qpip). It is using pip but with a frontend which informs the user and lets him confirm an eventual installation. Is this approach generally acceptable?

Matthias

> Nyall
_______________________________________________
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
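
The subprocess monkey-patching idea quoted in this thread, sketched for pip invocations as an added example; it is not code from QGIS, qpip, or any participant. The names `PluginPolicyError`, `GuardedPopen`, `install_guard` and the wording of the exception message are assumptions made for this sketch.

```python
import re
import subprocess
import sys

class PluginPolicyError(RuntimeError):
    """Developer-facing error explaining why the launch was refused."""

ORIGINAL_POPEN = subprocess.Popen
_PIP_EXE = re.compile(r"pip[\d.]*(\.exe)?", re.IGNORECASE)

def is_installer_invocation(args):
    """True for `pip ...`, `pip3.12 ...`, or `<interpreter> -m pip ...`."""
    if isinstance(args, (str, bytes)):          # shell-style command line
        args = args.split()
    argv = [a.decode() if isinstance(a, bytes) else str(a) for a in args]
    if not argv:
        return False
    exe = re.split(r"[\\/]", argv[0])[-1]       # basename for POSIX and Windows paths
    if _PIP_EXE.fullmatch(exe):
        return True
    # Any adjacent "-m pip" pair, whatever the interpreter binary is called.
    return any(f == "-m" and m == "pip" for f, m in zip(argv[1:], argv[2:]))

class GuardedPopen(ORIGINAL_POPEN):
    """Popen subclass that refuses installer launches before any process starts."""
    def __init__(self, args, *rest, **kwargs):
        if is_installer_invocation(args):
            # Hypothetical policy text; the thread only proposes such a message.
            raise PluginPolicyError(
                "Plugins must not install packages on their own; "
                "declare dependencies and let the user install them.")
        super().__init__(args, *rest, **kwargs)

def install_guard():
    # subprocess.run/call/check_output resolve subprocess.Popen at call time,
    # so replacing the module attribute covers them as well.
    subprocess.Popen = GuardedPopen

def remove_guard():
    subprocess.Popen = ORIGINAL_POPEN

if __name__ == "__main__":
    install_guard()
    try:
        # Constructed sample call; "example-package" is a placeholder name.
        subprocess.run([sys.executable, "-m", "pip", "install", "example-package"])
    except PluginPolicyError as exc:
        print("blocked:", exc)
    finally:
        remove_guard()
```

The guard only covers launches that go through `subprocess.Popen`; `os.system` or importing pip in-process is not intercepted, which matches the thread's remark that such a check advises developers rather than enforces anything.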