Plugin approval process

The approval of plugins is primarily carried out by contributors. Currently, the primary contributor is Admire Nyakudya ([email protected]). Do not hesitate to get in touch with him if you have any questions about the plugin approval process.

The approval process involves the following steps.

New Plugins

All new plugins follow the rough guidelines outlined below:

  • Plugin metadata.txt should be properly populated with working links i.e.:
    • Plugin home page - This link should direct users to a page on a website that describes the plugin functionality. If you do not have a dedicated page on your website that describes plugin usage, please use the README in the repository or use the code repository as the link. Any other links will result in the plugin being rejected.
    • Tracker - This should link to the issue tracker in your code repository.
    • Code repository - This should link to the code repository. It is expected that the code in the repository is accessible and not a zip file. The repository should also be publicly accessible. Plugins that utilize binaries will not be approved. If you feel that there is no way to provide your plugin without binaries, please reach out to the QGIS Developers mailing list to motivate your case or the QGIS PSC for further discussions.

Note: Plugins cover a whole range of domains which the person doing the approval might not be versed with. With such an expectation, we will try to do random tests (random plugins will be selected) to see if the plugin installs and runs without crashing QGIS. We also expect plugins to be cross-platform, working on Unix systems and Windows. In the list of published plugins, we have a diverse range of plugins offering different functionality. We encourage plugin developers to collaborate on plugins offering the same functionality as developing plugins with functionality that is almost similar. If you need to enhance a particular plugin, we are able to facilitate this with an existing author. For issues relating to the transfer of ownership, or updating any other metadata about existing plugins, please do not hesitate to contact us through the QGIS Developer mailing lists.

Existing Plugins (New updates)

These are plugins that are already in use and being enhanced by new versions being uploaded. During the approval process, we expect the following:

  • Properly update metadata to include a changelog. This will be beneficial for users to understand what has changed between versions.
  • Properly annotate versions with new version numbers.
  • We will also check the metadata.txt links i.e. plugin homepage, tracker, etc. to see if they are still working.

Note: Testing will also be done randomly to see if the plugin still works and does not crash QGIS.

We try to publish/approve plugins daily with the exception of weekends. If you have uploaded a plugin on Friday-Sunday, it will most likely be approved on Monday. During extended holiday periods, the timelines might be even longer. We also take into consideration that contributors live in different parts of the world with different public holidays. This might also impact the timelines for approval.

Automated Security Validation

Every uploaded plugin version goes through an automated two-step process before becoming available for download:

  1. Upload confirmation — Immediately after uploading, you receive an email confirming your plugin was received and that security checks have been queued. The version is not yet visible for approval or download at this point.
  2. Security scan results — A background job runs automated checks (code quality, secrets detection, suspicious file analysis, and more). Once the scan completes you will receive a second email with the results:
    • All checks passed — The version is made available for manual approval (or automatically approved for trusted users, see below).
    • Critical issues found — The version is blocked and cannot be approved until the issues are resolved and a new version is uploaded.

Note: You can inspect the scan results at any time by visiting the version detail page and clicking the Security tab.

Trusted Users — Fast-Track Approval

Users who have been granted the can_approve permission are considered trusted contributors. Their upload forms show an additional optional checkbox:

Publish immediately after security scan passes — If checked and all automated security checks pass, the plugin version is published automatically without waiting for manual review.

This checkbox is unchecked by default. Leaving it unchecked means the upload follows the same two-step flow as any other contributor: upload → security scan → manual approval. Checking it is an explicit opt-in for fast-track publishing.

Fast-track approval is based solely on the uploader's permission. Uploading a new version to an existing approved plugin does not grant fast-track status; only the uploader holding can_approve and explicitly opting in does.

Opting in via the web form

On the plugin upload page, tick the Publish immediately after security scan passes checkbox before submitting. Leaving it unchecked follows the standard two-step flow.

Opting in via the REST/token API (version_create_api)

Include auto_approve_after_scan=true as an extra field in your multipart POST request alongside the package file. Omitting the field (or sending false) uses the default two-step flow.

curl -X POST https://plugins.qgis.org/plugins/<package_name>/version/add/api/ \
     -H "Authorization: Bearer <your_token>" \
     -F "package=@my_plugin.zip" \
     -F "auto_approve_after_scan=true"
Opting in via XML-RPC (plugin.upload)

Pass a second boolean argument to the plugin.upload method. Existing callers that pass only the package continue to work unchanged (the parameter defaults to False).

import xmlrpc.client, base64
server = xmlrpc.client.ServerProxy("https://user:[email protected]/plugins/RPC2/")
with open("my_plugin.zip", "rb") as f:
    data = xmlrpc.client.Binary(f.read())
server.plugin.upload(data, True)  # True = opt-in to fast-track

If you are a regular contributor and would like to be considered for trusted status, please reach out through the QGIS Developer mailing list.

dai nomi dei campi)