[Bf-committers] Blender security paranoia

Leif Andersen leif.a.andersen at gmail.com
Wed Mar 24 00:01:56 CET 2010


I agree with Benjamin, it's currently secure mainly because it's small, and
thus, most of the major scripts can be hand reviewed by the blender
extensions team.  However, as this grows, there will be more and more
scripts, and several good ones will have to eventually go under the team's
radar; either that, or the team will have to get larger.  Thus a better
model is needed.

Still, a lot of the security needed comes from a good user management system
(outside of the current extensions tracker), which would aid a lot in
helping artists manage what scripts they have installed.  However, after
talking with the people on #blenderpython, it seems like Ton is too busy to
deal with this, and doesn't want it to happen without his approval.  (Which
means it doesn't look like it will be a good GSoC project, at least not yet
:( ).

Still though, I may have been a little over the top, I have done that from
time to time. :)

~Leif Andersen

----------
My first contribution to the blender community:
http://leifandersen.net/2010/03/23/good-feeling-my-first-slightly-major-open-source-contribution/


On Tue, Mar 23, 2010 at 16:38, Benjamin Tolputt
<btolputt at internode.on.net> wrote:

> While I can understand your viewpoint and, to a large extent, share it -
> it is not paranoia if people are out to get you. As soon as Blender
> becomes a large enough target, malware writers will target the users for
> use in their botnets &/or phishing schemes. It is not an "if" it is a
> "when". For the larger applications, they simply add their malware to
> the plethora of key-gens & cracks on the web (working or otherwise); but
> this is not a vector for Blender being free to begin with. Python
> scripts (be they through custom UIs, .blend files, or add-ons) are a
> perfect method in which to do this - because hiding the malware is
> damned easy.
>
> Right now, much as I would like to say otherwise, Blender is too small a
> target. The number of people that would download and install the malware
> through a .blend file or a keymap script numbers in perhaps the dozens
> (at most) before the issue is detected - not enough to make it worth the
> time to put together. As Blender gets more popular though, the value of
> getting malware to the users increases. Python's design allows for easy
> malware development/insertion and, due to Blender being so integrated
> with it, it will always be the biggest security flaw of the application.
> You can ignore the issue and (for now) that's probably OK. But as
> Blender gets bigger - the risk factor increases. Sooner or later it WILL
> need to be dealt with.
>
> --
> Regards,
>
> Benjamin Tolputt
> Analyst Programmer

