[Bf-committers] Python sandbox
Campbell Barton
ideasman42 at gmail.com
Wed Mar 17 19:08:59 CET 2010
hehe, use lua :D, I shouldnt have suggested this at lunch today!
one day I'm told the API needs to be stabilized ASAP, the next,
suggestion to switch languages.
I cant take this seriously!
LetterRip, both blender2.5 and Maya include their own python, so it
doesn't matter if the user has python installed or not.
again, the problem isnt that blender embeds python, its that we allow
blend files to execute python automatically, effectively making
opening a *.blend file as safe as running an *.exe file on windows
from some unknown site.
(automatic execution is disabled by default but renderfarms would
probably need to enable this to be of any use).
but you are right, renderfarms should secure their environment,
sungrid did this very well. You could not even ping an external URL
from a render node.
for now I'm happy to have the 'Trusted' option on load, and focus on
keeping blender useful rather then try apply the same rules as you
would with a web-plugin.
Don't know of any developer who is interested in doing this & doubt
anything will change.
On Wed, Mar 17, 2010 at 6:46 PM, Tom M <letterrip at gmail.com> wrote:
> Ton,
>
> on a farm blender would only have access to the folder that the admin has setup.
>
> Any computer that has python installed has the exact same security risks.
>
> These days, pretty much every computer has python preinstalled,
> especially one used for animation.
>
> Every animation tool has the same issue as far as i'm aware
>
> http://securitytracker.com/alerts/2009/Nov/1023228.html
>
> LetterRip
>
> On Wed, Mar 17, 2010 at 8:45 AM, Ton Roosendaal <ton at blender.org> wrote:
>> Hi,
>>
>> I am not talking about "make everything in Python run sandboxed". The
>> target can be narrowed down to a simpler task:
>>
>> 1) support animation scripts (drivers, constraints, fcurve mods)
>> 2) interface scripts
>> 3) basic import and export
>>
>> If '3' or even '2' is not possible, we then can try '1' even, it might
>> be useful for a total-safe blender to be used on farms, or for bug
>> checks, etc. We should be aware that nearly every user won't ever code
>> Python tools anyway.
>>
>> I also dare to challange python.org to look into this topic again. If
>> we cannot provide a decent quality and reasonable safe Blender with
>> Python, we better ditch it and switch to Lua or so.
>>
>> -Ton-
>>
>> ------------------------------------------------------------------------
>> Ton Roosendaal Blender Foundation ton at blender.org www.blender.org
>> Blender Institute Entrepotdok 57A 1018AD Amsterdam The Netherlands
>>
>> On 17 Mar, 2010, at 13:38, Martin Poirier wrote:
>>
>>>
>>>
>>> --- On Wed, 3/17/10, Campbell Barton <ideasman42 at gmail.com> wrote:
>>>
>>>> I'm not interested in this for a few reasons...
>>>>
>>>> * Its a lot of work, even python guys have trouble to do
>>>> this well and
>>>> there are way more python developers then blenders.
>>>
>>> For this exact reason, I think it's totally outside the scope of GSOC.
>>>
>>> Better people have tried and failed before.
>>>
>>> Martin
>>>
>>>
>>>
>>> __________________________________________________________________
>>> Yahoo! Canada Toolbar: Search from anywhere on the web, and bookmark
>>> your favourite sites. Download it now
>>> http://ca.toolbar.yahoo.com.
>>> _______________________________________________
>>> Bf-committers mailing list
>>> Bf-committers at blender.org
>>> http://lists.blender.org/mailman/listinfo/bf-committers
>>
>> _______________________________________________
>> Bf-committers mailing list
>> Bf-committers at blender.org
>> http://lists.blender.org/mailman/listinfo/bf-committers
>>
> _______________________________________________
> Bf-committers mailing list
> Bf-committers at blender.org
> http://lists.blender.org/mailman/listinfo/bf-committers
>
--
- Campbell
More information about the Bf-committers
mailing list