On Wed, 23 Oct 2024, 4:07 pm Matthias Kuhn, <matth...@opengis.ch> wrote:
> On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer <
> qgis-developer@lists.osgeo.org> wrote:
>
>> On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <
>> qgis-developer@lists.osgeo.org> wrote:
>>
>>> Thomas B via QGIS-Developer <qgis-developer@lists.osgeo.org> writes:
>>>
>>> > Dear QGIS-Developers,
>>> >
>>> > Are there any guidelines from the QGIS project regarding whether a QGIS
>>> > plugin is allowed to autonomously install required packages using PIP or
>>> > similar tools without manual installation by the user?
>>> >
>>> > While this might seem convenient, I see it as a potential security risk,
>>> > especially if the user is not explicitly informed about what is happening
>>> > in the background.
>>>
>>> Agreed this is not ok. I think a plugin downloading anything to be
>>> executed or interpreted should be entirely prohibited.
>>>
>> +1. This practice should lead to a plugin being removed from the
>> repositories.
>>
>> (Possibly we could do something on the code side too, e.g. by monkey
>> patching over subprocess/etc. and explicitly blocking execution of pip, with
>> a developer-friendly exception stating this policy. It'd be easy for
>> someone motivated to circumvent, but could at least be used to advise
>> plugin developers that this is not acceptable practice...)
>>
> We've tried to come up with a more transparent approach with support for
> requirements.txt (see https://github.com/opengisch/qpip). It is using pip
> but with a frontend which informs the user and lets him confirm an eventual
> installation.
> Is this approach generally acceptable?

Well, I definitely trust yourself/OpenGIS significantly more than other random plugin developers 👍 I would personally feel safest if this was something officially endorsed, with an explicit allow list of acceptable packages.
Nyall

> Matthias
>
>> Nyall
_______________________________________________
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
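As an added illustration of the two ideas raised in the thread above (Nyall's suggestion of monkey-patching subprocess to refuse pip with a developer-friendly exception, and his preference for an explicit allow list of acceptable packages), here is example code written for this page. It is not QGIS, qpip or any plugin's code. The names PluginPolicyError, ALLOWED_PACKAGES, vet_command, install_guard and demo, and the allow-list contents, are this example's own assumptions; the thread only proposes that such a list should exist. The guard vets every subprocess.Popen call (which subprocess.run, call and check_output all go through): non-pip commands pass untouched, pip invocations are refused unless they are a plain `pip install` of allow-listed names with no options, URLs, paths or VCS references.

```python
"""Added example, not project code: refuse runtime pip installs from plugin code."""
import os
import re
import shlex
import subprocess
import sys
from typing import Iterable, List, Optional, Sequence


class PluginPolicyError(RuntimeError):
    """Raised instead of running pip; the message is aimed at the plugin developer."""


# Assumed allow list for this example; the thread only proposes that one exist.
ALLOWED_PACKAGES = frozenset({"numpy", "shapely"})

# pip, pip3, pip3.12, pip.exe (basename of argv[0])
_PIP_EXE_RE = re.compile(r"^pip(?:\d+(?:\.\d+)?)?(?:\.exe)?$", re.IGNORECASE)
# A plain requirement: PEP 508 name, optional extras, optional version specifier.
# Anything else (URL, local path, `name @ url`, VCS ref) fails to match.
_REQ_RE = re.compile(
    r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:\[[A-Za-z0-9._,-]+\])?"
    r"(?:(?:===|==|~=|!=|<=|>=|<|>)[A-Za-z0-9.*,!=<>~]+)?$"
)


def _argv(args) -> List[str]:
    """Normalise the `args` accepted by Popen (str, bytes, PathLike or sequence)."""
    if isinstance(args, (str, bytes)):
        return shlex.split(os.fsdecode(args))
    if isinstance(args, os.PathLike):
        return [os.fsdecode(args)]
    return [os.fsdecode(a) for a in args]


def _normalize(name: str) -> str:
    """PEP 503 name normalisation so Numpy, numpy and NUMPY compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _pip_subcommand_index(argv: Sequence[str]) -> Optional[int]:
    """Index of the pip subcommand if argv invokes pip, else None.

    Recognises `pip ...`, `/path/to/pip3 ...` and `python [flags] -m pip ...`.
    It deliberately does not try to see through `python -c "import pip; ..."`
    or os.execv: as the thread notes, a motivated author can always circumvent it.
    """
    if not argv:
        return None
    if _PIP_EXE_RE.match(os.path.basename(argv[0])):
        return 1
    for i, tok in enumerate(argv[1:], start=1):
        if tok == "-m":
            return i + 2 if i + 1 < len(argv) and argv[i + 1] == "pip" else None
        if not tok.startswith("-"):
            break  # first positional is a script, not -m
    return None


def vet_command(args, allowed: Iterable[str]) -> Optional[str]:
    """Return None if the command may run, else a message explaining the refusal."""
    argv = _argv(args)
    idx = _pip_subcommand_index(argv)
    if idx is None:
        return None  # not pip at all: outside this policy
    sub = argv[idx] if idx < len(argv) else None
    if sub != "install":
        return f"plugin code invoked 'pip {sub}'; plugins may not manage packages themselves"
    permitted = {_normalize(n) for n in allowed}
    names = []
    for tok in argv[idx + 1:]:
        if tok.startswith("-"):
            # Refusing every option covers -r, -e, --index-url, --target, --pre ...
            return f"pip option {tok!r} is refused; only bare allow-listed names may be installed"
        m = _REQ_RE.match(tok)
        if m is None:
            return f"{tok!r} is not a plain package name; URLs, paths and VCS refs are refused"
        names.append(_normalize(m.group(1)))
    if not names:
        return "pip install with no package names is refused"
    refused = sorted(n for n in names if n not in permitted)
    if refused:
        return f"package(s) {refused} are not on the allow list {sorted(permitted)}"
    return None


_OriginalPopen = subprocess.Popen  # captured once so the guard can be installed repeatedly


def install_guard(allowed: Iterable[str]) -> None:
    """Monkey-patch subprocess.Popen; run/call/check_output all resolve it at call time."""
    permitted = frozenset(allowed)

    class GuardedPopen(_OriginalPopen):
        def __init__(self, args, *popen_args, **popen_kwargs):
            problem = vet_command(args, permitted)
            if problem is not None:
                raise PluginPolicyError(
                    "QGIS plugin policy: plugins must not install packages at runtime; "
                    "declare dependencies and let the user install them. " + problem
                )
            super().__init__(args, *popen_args, **popen_kwargs)

    subprocess.Popen = GuardedPopen


def demo():
    """Install the guard, then show a blocked pip call and an unaffected child process."""
    install_guard(ALLOWED_PACKAGES)
    try:
        subprocess.run([sys.executable, "-m", "pip", "install", "requests"], check=False)
        blocked = None
    except PluginPolicyError as exc:
        blocked = str(exc)
    out = subprocess.run([sys.executable, "-c", "print('hello')"],
                         capture_output=True, text=True)
    return blocked, out.stdout.strip()


if __name__ == "__main__":
    print(demo())
```

The check happens before any process is spawned, so a refused `pip install` never reaches the network. As the thread says, this is advisory rather than a security boundary: `import pip; pip.main([...])`, `os.execv`, or a vendored installer bypass it entirely, which is why the discussion lands on repository policy and an endorsed, user-confirmed mechanism such as qpip rather than on in-process blocking.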