[Bf-committers] "Security" gets in the way

Benjamin Tolputt btolputt at internode.on.net
Fri Apr 30 03:26:11 CEST 2010


Ken Hughes wrote:
> Of course the "this is impossible with python" can be wrong in the long 
> term; who knows what direction python will evolve in the next 2-3 years. 
> But trying to find a python solution right now, with what we have, is 
> impossible.
>   

Bingo. Glad I'm not the only one saying this. We may not agree on the
final solution (or that we choose to not have one), but I'm glad that
the technical realities are being agreed on. The most frustrating thing
in any debate isn't being disagreed with on the final answer, it is
having to correct people on the facts that make up the debate foundation.

Case in point - it is impossible with current versions of Python to
secure the loading/rendering of a Blender scene whilst also allowing
Python to be embedded in said scene (in constraints, rigs, etc). This is
a *fact* given current implementations of Python.

> I have to agree with what someone posted earlier: if someone is 
> convinced this (a secure solution) can be done with the existing Python 
> 3.1, they need to code up a proof-of-concept to shut up everyone who 
> says it can't be done. Otherwise everyone is just filling up a useful 
> mailing list with spam.

Another good point. I've been browsing the code whilst the debate has
"raged" and the amount of work to move Blender to any other language is
phenomenal! If a solution using the standard Python library can be found
- I'd be VERY happy to use it. I am not saying Python is bad - it is a
very good, mature, and flexible language/platform. It's a little "heavy"
for embedding in my projects (and there are thread locking issues); but
I use it all the time for data processing tasks. That said, it is *by
design* unable to be secured in the way Blender requires if one is going
to allow Python expressions in a scene file.

I doubt anyone is going to want to look at replacing Python unless there
is some nod from the core developers as to it being allowed
consideration for trunk. However, a patch to Blender that allows it to
be secured whilst still using Python would likely be accepted without
much hassle at all. It would be a "bug fix" as compared to an
application-wide refactor.

