I also did a similar thing in qgis2web plugin.
I explained to the user that he can install qtwebengine to get the latest
features and that, to do so, he will have to click a button indicating that an
installation will start.
Here is the screen:
[attachment: image.png]
Could it be okay?
The code:
import os
import platform
import subprocess
import sysconfig

system = platform.system()  # 'Windows', 'Linux' or 'Darwin'
full_proxy_url = None       # taken from the plugin's proxy settings (not shown in the post)

try:
    if system == 'Windows':
        # Use the pip that belongs to the interpreter running QGIS, not whatever is on PATH
        pip_exec = os.path.join(sysconfig.get_path("scripts"), "pip3")
        env = os.environ.copy()
        if full_proxy_url:
            env['http_proxy'] = full_proxy_url
            env['https_proxy'] = full_proxy_url
        subprocess.check_call([pip_exec, "install", "--upgrade",
                               "PyQtWebEngine==5.15.6"], env=env)
    elif system == 'Linux':
        subprocess.check_call(["sudo", "apt-get", "install",
                               "python3-pyqt5.qtwebengine"])
    elif system == 'Darwin':  # macOS
        subprocess.check_call(["brew", "install", "pyqt5"])
except subprocess.CalledProcessError as exc:
    # The installer ran but exited non-zero; the handler was not included in the post
    print("Installation of qtwebengine failed:", exc)
Andrea Ordonselli
O.GIS - opengis.it
From "QGIS-Developer" [email protected]
To "Matthias Kuhn" [email protected]
Cc "Thomas B via QGIS-Developer" [email protected]
Date Wed, 23 Oct 2024 16:16:43 +1000
Subject Re: [QGIS-Developer] How to deal with QGIS plugins which install
additional packages
On Wed, 23 Oct 2024, 4:07 pm Matthias Kuhn, <[email protected]> wrote:
On Wed, Oct 23, 2024 at 2:49 AM Nyall Dawson via QGIS-Developer
<[email protected]> wrote:
On Wed, 23 Oct 2024, 9:20 am Greg Troxel via QGIS-Developer,
<[email protected]> wrote:
Thomas B via QGIS-Developer <[email protected]> writes:
> Dear QGIS-Developers,
>
> Are there any guidelines from the QGIS project regarding whether a QGIS
> plugin is allowed to autonomously install required packages using PIP or
> similar tools without manual installation by the user?
>
> While this might seem convenient, I see it as a potential security risk,
> especially if the user is not explicitly informed about what is happening
> in the background.
Agreed this is not ok. I think a plugin downloading anything to be
executed or interpreted should be entirely prohibited.
+1 . This practice should lead to a plugin being removed from the
repositories.
(Possibly we could do something on the code side too, eg by monkey patching
over subprocess/etc and explicitly blocking execution of sip, with a
developer-friendly exception stating this policy. It'd be easy for someone
motivated to circumvent, but could at least be used to advise plugin developers
that this is not acceptable practice...)
We've tried to come up with a more transparent approach with support for
requirements.txt (see https://github.com/opengisch/qpip). It is using pip but
with a frontend which informs the user and lets him confirm an eventual
installation.
Is this approach generally acceptable?
Well, I definitely trust yourself/OpenGIS significantly more than other
random plugin developers 👍
I would personally feel safest if this was something officially endorsed,
with an explicit allow list of acceptable packages.
Nyall
Matthias
Nyall
_______________________________________________
QGIS-Developer mailing list
[email protected]
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
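The guard Nyall sketches above (a monkey patch over subprocess that blocks pip with a developer-friendly exception stating the policy) and the explicit allow list of acceptable packages he asks for, written out as one added example for readers of the thread. This is not code from the thread, from QGIS or from qpip. The names PluginInstallPolicyError, INSTALLER_NAMES, check_policy and install_policy_guard are hypothetical; the sample commands are the ones quoted in Andrea's snippet plus a constructed "python -m pip" form, and conda and pipx are assumed additions to the installer list.

```python
import os
import re
import shlex
import subprocess


class PluginInstallPolicyError(RuntimeError):
    """Raised when a plugin tries to run a package installer at runtime."""


# Installer executables. pip3, apt-get and brew come from the commands quoted in
# this thread; pip, apt, conda and pipx are assumed additions (hypothetical list).
INSTALLER_NAMES = {"pip", "pip3", "apt-get", "apt", "brew", "conda", "pipx"}

POLICY_MESSAGE = (
    "QGIS plugin policy: plugins must not install packages or download code at "
    "runtime. Declare the dependency instead. Blocked command: {cmd}"
)


def _argv(cmd):
    """Normalise the str/bytes/sequence forms subprocess accepts into a str list."""
    if isinstance(cmd, bytes):
        cmd = cmd.decode()
    if isinstance(cmd, str):
        return shlex.split(cmd)
    return [os.fsdecode(a) for a in cmd]


def _exe_name(arg):
    """Reduce a path to its program name so that a Windows Scripts\\pip3.exe and
    /usr/bin/apt-get are recognised alike, whatever platform this runs on."""
    name = arg.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def requested_packages(argv):
    """Return the package names an installer command would install, [] when an
    installer runs without 'install', or None when argv is not an installer.
    A leading sudo and the 'python -m pip' spelling are both recognised."""
    argv = list(argv)
    if argv and _exe_name(argv[0]) == "sudo":
        argv = argv[1:]
    if not argv:
        return None
    exe = _exe_name(argv[0])
    if (exe.startswith("python") and len(argv) >= 3 and argv[1] == "-m"
            and argv[2] in ("pip", "pip3")):
        argv, exe = argv[2:], argv[2]
    if exe not in INSTALLER_NAMES:
        return None
    if "install" not in argv[1:]:
        return []
    specs = argv[argv.index("install") + 1:]
    # Drop flags such as --upgrade or -y and strip version/extras markers:
    # 'PyQtWebEngine==5.15.6' -> 'PyQtWebEngine'.
    return [re.split(r"[=<>!~\[;@]", s, maxsplit=1)[0]
            for s in specs if not s.startswith("-")]


def check_policy(cmd, allow_list=frozenset()):
    """Return "ok" for non-installer commands, "allowed" when every requested
    package is on allow_list, and raise otherwise. The default empty allow list
    blocks every installer call, i.e. the 'entirely prohibited' position."""
    argv = _argv(cmd)
    packages = requested_packages(argv)
    if packages is None:
        return "ok"
    if packages and all(p in allow_list for p in packages):
        return "allowed"
    raise PluginInstallPolicyError(POLICY_MESSAGE.format(cmd=" ".join(argv)))


def install_policy_guard(allow_list=frozenset()):
    """Monkey patch subprocess.Popen so check_policy runs before any spawn.
    check_call, run, call and check_output all construct a Popen, so one hook
    covers them. Returns the original __init__ so the patch can be undone."""
    original_init = subprocess.Popen.__init__

    def guarded_init(self, *args, **kwargs):
        cmd = args[0] if args else kwargs.get("args")
        check_policy(cmd, allow_list)
        original_init(self, *args, **kwargs)

    subprocess.Popen.__init__ = guarded_init
    return original_init


def uninstall_policy_guard(original_init):
    """Restore the unpatched subprocess.Popen.__init__."""
    subprocess.Popen.__init__ = original_init


def guard_blocks(cmd, allow_list=frozenset()):
    """Install the guard, push cmd through subprocess.check_call, restore the
    original Popen, and report whether the policy stopped the spawn."""
    original = install_policy_guard(allow_list)
    try:
        subprocess.check_call(cmd)
    except PluginInstallPolicyError:
        return True
    finally:
        uninstall_policy_guard(original)
    return False


if __name__ == "__main__":
    # The three commands from the snippet above: all stopped before anything runs.
    for cmd in (["pip3", "install", "--upgrade", "PyQtWebEngine==5.15.6"],
                ["sudo", "apt-get", "install", "python3-pyqt5.qtwebengine"],
                ["brew", "install", "pyqt5"]):
        print(" ".join(cmd), "-> blocked" if guard_blocks(cmd) else "-> not blocked")
```

The hook sits on Popen rather than on check_call because every convenience wrapper in subprocess ends up constructing a Popen, so a plugin switching from check_call to run gains nothing. As Nyall notes, a motivated developer can still bypass this (os.system, ctypes, a fresh reference to the original class), so the value is the early, explicit message about the policy rather than enforcement; the allow-list path shows where an officially endorsed list of packages would plug in.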