wmayer wrote: ↑Wed Jan 05, 2022 12:49 pm
To me the very first question is whether it's a good idea to let FreeCAD install itself any 3rd party packages and to be honest I doubt it.
I am happy to defer to you on this point (obviously it's less work!), but I have some concerns about the benefits of your suggested approach. To discuss your concerns first:
- Do we have full control over what will be installed?
No: asking pip to install a package implies installing all of that package's dependencies as well. But I think it's worth remembering a) while malware distribution via pip has happened, it is a rare occurrence, and has not called for a moratorium on using pip, and b) that not only might one of those dependent packages be malware, but the FreeCAD package itself might be malware! Further, if we say to a user "we are not going to install this package for you, go do it yourself", we're basically still telling them to install malware. A user sophisticated enough to recognize the possibility of this as a malware distribution vector will always have the option to say "no, don't install the dependencies", and for an unsophisticated user there's little difference between our actually installing it and our instructing them to do so.
- In many cases the OS (i.e. mainly a Linux distribution) provides a suitable package in its repository
This is a serious concern, and probably undetectable by us, though if there is a way I am all ears! Maybe try to do an apt/yum/brew/whatever search before offering pip?
wmayer wrote: ↑Wed Jan 05, 2022 12:49 pm
Like always it's a trade-off between convenience and security and is the little gain of convenience really worth all the trouble? IMO, if an add-on requires a 3rd party package then it should inform the user about it and let him decide how to continue.
My concern is that saying to a user not familiar with python installation: "Install this dependency" is the same as saying "You can't use this Addon," because they don't know how to do it. I suspect this is particularly true on systems where we are shipping a monolithic package (e.g. Windows, Appimage), where the user will not even know which copy of python they should be installing with.
The paths forward as I see them are:
- Keep the old behavior: tell the user there are dependencies they should install, and abort installation of the Addon
- Attempt to explain to the user how to install the addon (e.g. where the python instance they need is), but still tell them to do it themselves.
- Try to figure out really how the user should do the addon installation (e.g. detect if their system uses apt, see if apt has a package, offer instructions for using apt to install it), but still make the user do it themselves.
- Same as above, but actually offer to run the commands for them.
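An added sketch of what the last two options above could look like in code. This is example code written for this thread, not FreeCAD's Addon Manager; the dependency table, the module name and the distro package names in it are constructed sample data, and the set of package managers probed is an assumption. It checks a dependency against the interpreter FreeCAD is actually running with (the "which python" problem mentioned above), looks for a known system package manager before falling back to pip, lets the user opt out of pulling transitive dependencies, builds the command as an argv list rather than a shell string, and runs nothing without an explicit confirmation callback.

```python
"""Dependency check and install planning for a Python add-on.

Example code for the discussion above, not FreeCAD's Addon Manager.
SAMPLE_DEPENDENCIES and the package names in it are constructed
sample data; nothing here has been checked against a real repository.
"""
import importlib.util
import shutil
import subprocess
import sys
from typing import Callable, Dict, List, Optional

# Hypothetical add-on metadata: import name -> package name per installer.
# An empty string means "no known distro package for this manager".
SAMPLE_DEPENDENCIES: Dict[str, Dict[str, str]] = {
    "requests": {
        "apt": "python3-requests",   # constructed sample mapping
        "dnf": "python3-requests",   # constructed sample mapping
        "brew": "",                  # assume no Homebrew formula is known
        "pip": "requests",
    },
}

# System package managers to probe, in order, and the argv prefix for each.
PACKAGE_MANAGERS: Dict[str, List[str]] = {
    "apt": ["sudo", "apt", "install", "-y"],
    "dnf": ["sudo", "dnf", "install", "-y"],
    "brew": ["brew", "install"],
}


def is_importable(module_name: str) -> bool:
    """True if THIS interpreter (the one FreeCAD runs with) can find the
    module, without importing it. Checking sys.executable's own import
    path is what tells a bundled (Windows/AppImage) Python apart from a
    system Python the user may have installed into by mistake."""
    try:
        return importlib.util.find_spec(module_name) is not None
    except (ModuleNotFoundError, ValueError):
        return False


def missing_modules(deps: Dict[str, Dict[str, str]]) -> List[str]:
    """Names from `deps` that are not importable right now."""
    return [m for m in deps if not is_importable(m)]


def detect_package_manager(
    which: Callable[[str], Optional[str]] = shutil.which,
) -> Optional[str]:
    """First known system package manager found on PATH, or None.
    `which` is injectable so the selection logic can be tested offline."""
    for name in PACKAGE_MANAGERS:
        if which(name):
            return name
    return None


def plan_install(
    missing: List[str],
    deps: Dict[str, Dict[str, str]],
    manager: Optional[str],
    with_deps: bool = True,
) -> List[str]:
    """Build the argv that would install `missing`.

    Prefer the distro package manager when one is present and every
    missing module has a package name for it; otherwise fall back to pip
    invoked through sys.executable so the right interpreter is targeted.
    `with_deps=False` adds --no-deps so a cautious user can decline the
    transitive packages pip would otherwise pull in. Returned as a list,
    never a shell string, so nothing is interpreted by a shell."""
    if manager:
        pkgs = [deps[m].get(manager, "") for m in missing]
        if pkgs and all(pkgs):
            return PACKAGE_MANAGERS[manager] + pkgs
    argv = [sys.executable, "-m", "pip", "install", "--user"]
    if not with_deps:
        argv.append("--no-deps")
    return argv + [deps[m].get("pip", m) for m in missing]


def run_install(argv: List[str], confirm: Callable[[str], bool]) -> Optional[int]:
    """Run the planned command only if `confirm` approves the exact argv.
    Returns the exit code, or None if the user declined."""
    if not confirm(" ".join(argv)):
        return None
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    need = missing_modules(SAMPLE_DEPENDENCIES)
    if need:
        plan = plan_install(need, SAMPLE_DEPENDENCIES, detect_package_manager())
        # Replace with a real dialog; here the default is to decline.
        run_install(plan, confirm=lambda cmd: input(f"Run: {cmd} [y/N] ").lower() == "y")
```

The confirmation step shows the user the exact command, which is the minimum needed for option 3 ("offer instructions") and is reused unchanged for option 4 ("offer to run it"); the only difference between the two is whether `run_install` is called.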