The qgis-plugin-dev-tools approach solves this problem by vendoring the packages and rewriting the imports <https://github.com/nlsfi/qgis-plugin-dev-tools/blob/2df5c099c9c86700e0d323c67243902f1df46fce/src/qgis_plugin_dev_tools/build/rewrite_imports.py#L10> so that "import module.x.y" imports are rewritten in a vendored format: "import something._vendor.module.x.y". Thus multiple plugins can have different versions of packages since they all import their own vendored versions.
Joona

On Wed, 23 Oct 2024 at 14:58, Matthias Kuhn <matth...@opengis.ch> wrote:

> Hi,
>
> This approach will work fine within limitations, as soon as multiple
> plugins ship the same library things become risky as there is no isolation
> between libraries.
> For python libraries, this may be caused by singletons being used and for
> native libraries (as in this example), it's easy to cause crashes by
> multiple versions of the same library exporting the same symbols being
> loaded in parallel.
> That being said: it will work fine in many cases, but I wouldn't promote
> this as "best practice". After all, python invented virtualenvs for good
> reasons -- each process will always run one environment (potentially
> composed of multiple cascading virtual envs, but never multiple "parallel"
> envs).
>
> Cheers
> Matthias
>
> On Wed, Oct 23, 2024 at 1:31 PM John Stevenson - BGS via QGIS-Developer <qgis-developer@lists.osgeo.org> wrote:
>
>> Hi,
>>
>> Mergin Maps plugin also packages the dependencies (including the geodiff
>> binary) into the plugin itself. I’m not sure how it handles cross-platform
>> differences, though.
>>
>> Plugin:
>> https://plugins.qgis.org/plugins/Mergin/#plugin-details
>>
>> GitHub Actions code:
>> https://github.com/MerginMaps/qgis-plugin/blob/ef0b2502ddb4bcbc1670b0d82832e93b658c18b2/.github/workflows/packages.yml#L116
>>
>> Cheers,
>> John
>>
>> *From:* QGIS-Developer <qgis-developer-boun...@lists.osgeo.org> *On Behalf Of* Joona Laine via QGIS-Developer
>> *Sent:* 23 October 2024 10:58
>> *To:* i...@opengis.it
>> *Cc:* qgis-developer <qgis-developer@lists.osgeo.org>
>> *Subject:* Re: [QGIS-Developer] How to deal with QGIS plugins which install additional packages
>>
>> One alternative way of managing the dependencies is to package the
>> non-binary runtime dependencies (including licenses) with the plugin. This
>> also tackles the problem with different versions of the same requirements
>> between multiple plugins. There is a tool for that
>> https://github.com/nlsfi/qgis-plugin-dev-tools which also has many more
>> useful features for developing QGIS plugins.
>>
>> One example of plugins using this tool is pickLayer
>> (https://plugins.qgis.org/plugins/pickLayer/) which bundles
>> https://github.com/GispoCoding/qgis_plugin_tools with it.
>>
>> What do you think about this approach?
>>
>> Regards,
>> Joona
>>
>> On Wed, 23 Oct 2024 at 12:01, Info O.GIS via QGIS-Developer <qgis-developer@lists.osgeo.org> wrote:
>>
>> I also did a similar thing in qgis2web plugin.
>>
>> I explained to the user that he can install qtwebengine to get the latest
>> features and to do so he will have to click on a button that indicates that
>> an installation will start.
>>
>> Here is the screen:
>>
>> Could it be okay?
>>
>> The code:
>>
>> try:
>>     if system == 'Windows':
>>         pip_exec = os.path.join(sysconfig.get_path("scripts"), "pip3")
>>         env = os.environ.copy()
>>         if full_proxy_url:
>>             env['http_proxy'] = full_proxy_url
>>             env['https_proxy'] = full_proxy_url
>>         subprocess.check_call([pip_exec, "install", "--upgrade", "PyQtWebEngine==5.15.6"], env=env)
>>     elif system == 'Linux':
>>         subprocess.check_call(["sudo", "apt-get", "install", "python3-pyqt5.qtwebengine"])
>>     elif system == 'Darwin':  # macOS
>>         subprocess.check_call(["brew", "install", "pyqt5"])
>>
>> *Andrea Ordonselli*
>> *O.GIS - opengis.it <http://opengis.it>*
>>
>> From "QGIS-Developer" qgis-developer-boun...@lists.osgeo.org
>> To "Matthias Kuhn" matth...@opengis.ch
>> Cc "Thomas B via QGIS-Developer" qgis-developer@lists.osgeo.org
>> Date Wed, 23 Oct 2024 16:16:43 +1000
>> Subject Re: [QGIS-Developer] How to deal with QGIS plugins which install additional packages
>>
>> On Wed, 23 Oct 2024, 4:07 pm Matthias Kuhn, <matth...@opengis.ch> wrote:
>>
>> On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer <qgis-developer@lists.osgeo.org> wrote:
>>
>> On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer, <qgis-developer@lists.osgeo.org> wrote:
>>
>> Thomas B via QGIS-Developer <qgis-developer@lists.osgeo.org> writes:
>>
>> > Dear QGIS-Developers,
>> >
>> > Are there any guidelines from the QGIS project regarding whether a QGIS
>> > plugin is allowed to autonomously install required packages using PIP or
>> > similar tools without manual installation by the user?
>> >
>> > While this might seem convenient, I see it as a potential security risk,
>> > especially if the user is not explicitly informed about what is happening
>> > in the background.
>>
>> Agreed this is not ok. I think a plugin downloading anything to be
>> executed or interpreted should be entirely prohibited.
>>
>> +1. This practice should lead to a plugin being removed from the
>> repositories.
>>
>> (Possibly we could do something on the code side too, eg by monkey
>> patching over subprocess/etc and explicitly blocking execution of sip, with
>> a developer-friendly exception stating this policy. It'd be easy for
>> someone motivated to circumvent, but could at least be used to advise
>> plugin developers that this is not acceptable practice...)
>>
>> We've tried to come up with a more transparent approach with support for
>> requirements.txt (see https://github.com/opengisch/qpip). It is using
>> pip but with a frontend which informs the user and lets him confirm an
>> eventual installation.
>>
>> Is this approach generally acceptable?
>>
>> Well, I definitely trust yourself/OpenGIS significantly more than other
>> random plugin developers 👍
>>
>> I would personally feel safest if this was something officially endorsed,
>> with an explicit allow list of acceptable packages.
>>
>> Nyall
>>
>> Matthias
>>
>> Nyall
_______________________________________________
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
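The import rewriting described at the top of this message, as an added example that is not part of the original post and is not the qgis-plugin-dev-tools code: a small `ast` transformer that redirects absolute imports of bundled packages to a private `_vendor` namespace. The names `myplugin`, `VENDORED` and the sample source are assumptions; it needs Python 3.9+ for `ast.unparse`.

```python
import ast

VENDOR_PREFIX = "myplugin._vendor"  # hypothetical plugin package (assumption)
VENDORED = {"module"}  # top-level packages bundled inside the plugin (assumption)


class VendorImports(ast.NodeTransformer):
    """Point absolute imports of bundled packages at the plugin's private copy."""

    @staticmethod
    def is_vendored(dotted):
        return dotted.split(".")[0] in VENDORED

    def visit_Import(self, node):
        out = []
        for alias in node.names:
            top = alias.name.split(".")[0]
            target = f"{VENDOR_PREFIX}.{alias.name}"
            if not self.is_vendored(alias.name):
                out.append(ast.Import(names=[alias]))
            elif alias.asname or "." not in alias.name:
                # "import module" / "import module.x as mx": an alias keeps the bound name.
                bound = ast.alias(name=target, asname=alias.asname or top)
                out.append(ast.Import(names=[bound]))
            else:
                # "import module.x.y" binds "module": load the vendored submodule, then
                # rebind "module" so later "module.x.y" references still resolve.
                out.append(ast.Import(names=[ast.alias(name=target, asname=None)]))
                rebind = ast.alias(name=top, asname=None)
                out.append(ast.ImportFrom(module=VENDOR_PREFIX, names=[rebind], level=0))
        return out

    def visit_ImportFrom(self, node):
        # Relative imports (level > 0) already stay inside their own package.
        if node.level == 0 and node.module and self.is_vendored(node.module):
            node.module = f"{VENDOR_PREFIX}.{node.module}"
        return node


def rewrite_source(source):
    """Return `source` with imports of vendored packages redirected."""
    tree = VendorImports().visit(ast.parse(source))
    return ast.unparse(ast.fix_missing_locations(tree))


# Constructed sample input.
SAMPLE = "import os\nimport module.x.y\nimport module.x as mx\nfrom module.x import y\nfrom . import sibling\n"

if __name__ == "__main__":
    print(rewrite_source(SAMPLE))
```

Only static import statements are rewritten; string-based imports such as `importlib.import_module("module.x")` are left untouched, and the rewrite gives no isolation for native libraries, which is the limitation raised in the quoted reply.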
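The quoted thread asks for user-confirmed installs from a requirements.txt checked against an explicit allow list of acceptable packages. One way to implement that check before anything is shown to the user or handed to pip, as an added example (not code from qpip or QGIS): the allow list contents, the function names and the sample file are constructed assumptions.

```python
import re

# Hypothetical allow list: normalized project name -> versions approved for install.
ALLOW_LIST = {
    "pyqtwebengine": {"5.15.6"},
    "shapely": {"2.0.6"},  # constructed entry
}

# Exactly "name==version"; ranges, wildcards and environment markers do not match.
PINNED = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([A-Za-z0-9.!+]+)$")


def normalize(name):
    """PEP 503 normalization, so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def review_requirements(text, allow_list=ALLOW_LIST):
    """Return (approved, rejected); rejected holds (line, reason) pairs."""
    approved, rejected = [], []
    for raw in text.splitlines():
        line = raw.split(" #")[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):
            rejected.append((line, "pip option lines (-r, -e, --index-url) not accepted"))
        elif "://" in line or "@" in line:
            rejected.append((line, "direct URL or VCS reference"))
        elif not (match := PINNED.match(line.replace(" ", ""))):
            rejected.append((line, "not pinned to one exact version with =="))
        else:
            name, version = normalize(match.group(1)), match.group(2)
            if version in allow_list.get(name, ()):
                approved.append(f"{name}=={version}")
            else:
                rejected.append((line, "package/version not on the allow list"))
    return approved, rejected


# Constructed requirements.txt for illustration.
SAMPLE = """\
# constructed requirements.txt
PyQtWebEngine==5.15.6
shapely>=2.0
requests==2.32.3
--index-url https://example.invalid/simple
helper @ git+https://example.invalid/helper.git
"""

if __name__ == "__main__":
    ok, bad = review_requirements(SAMPLE)
    print("install after user confirmation:", ok)
    for line, reason in bad:
        print("refused:", line, "->", reason)
```

The check fails closed: anything that is not an exact, allow-listed pin is refused rather than passed through for the user to approve.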