[Bf-committers] Please turn off Auto Run Python Scripts by default

Jeroen Bakker j.bakker at atmind.nl
Tue Jun 4 21:33:50 CEST 2013


Hi,

please be aware that this topic is NOT solvable by us. Even when we make 
the scripts not start on startup, they will be run on some other trigger. 
Scripts are essential for running Blender; think about BGE, Animations, 
Rigs, UI, Operators, and many others. Turning them all off might make 
users not want to work with Blender. Closing it on startup does not 
fix a thing. If someone wants to harm, he/she can. That has been a 
proven fact in security.

Security is a big topic and we should be very aware that we are just a 
small component in a much more complex environment and we do not have the 
influence to fix the whole environment. And not fixing it in the whole 
environment will not solve anything at all.

Regards,
  - At Mind -

On 06/04/2013 08:58 PM, Gaia wrote:
> Why not just add in User preferences:
>
> [ ] Auto run scripts (we have this already)
> [X] Ask for "autorun on load" if general Autorun is disabled
>
> This would solve all purposes:
>
> - new users are made aware of "huh, there are autorun scripts in this
> blend!"
> - experienced users can customize either:
>     - I trust everybody: always autorun.
>     - I trust nobody: never autorun.
>     - I care: ask me case by case
>
> btw, what is missing here (maybe) is a way to enable autorun on an
> already open blend file which was first loaded with autorun off.
> That would allow to inspect the scripts before running them at least.
>
> Well, there can always be areas in Blender which would
> unexpectedly break with such a change. But ... really?
>
>
> On 04.06.2013 20:20, Jürgen Herrmann wrote:
>> That is what I meant, it's a delicate topic.
>> It is not very likely that this happens, but it is not impossible.
>> We could wait until this happens the first time and react later or we could
>> act preventative.
>>
>> But in the end it is absolutely indifferent what we do. Some users will
>> always complain about it.
>>
>> /Jürgen
>>
>> -----Original Message-----
>> From: bf-committers-bounces at blender.org
>> [mailto:bf-committers-bounces at blender.org] On Behalf Of Thomas Dinges
>> Sent: Tuesday, 4 June 2013 20:16
>> To: bf-blender developers
>> Subject: Re: [Bf-committers] Please turn off Auto Run Python Scripts by
>> default
>>
>> I may see this too simply, but you also don't run any .exe file you get your
>> hands on, on your computer.
>> In the end it all comes down to "Do I trust the source, yes or no." ;)
>>
>> Come on, how often did you get a virus or so via a .exe or so, and how often
>> via a .blend file?
>>
>> On 04.06.2013 19:58, David Jeske wrote:
>>> On Tue, Jun 4, 2013 at 8:05 AM, Brecht Van Lommel <
>>> brechtvanlommel at pandora.be> wrote:
>>>
>>>> Here's another discussion where the popup idea comes up:
>>>> http://lists.blender.org/pipermail/bf-committers/2010-March/026573.html
>>>>
>>>> It's a tradeoff, do we really want to degrade usability for this?
>>> I don't think this is a question of degrading expert blender usability.
>>> It's a question of protecting a broader less expert userbase from
>>> malicious blend files.
>>>
>>> I think your previous post is an excellent case for not SILENTLY
>>> disabling scripts by default. [1] However, this is not the only
>>> option. For nearly a decade MS-Word has been using a challenge dialog
>>> before running scripts. Is there ideological opposition to default to
>>> showing a dialog before processing python scripts in a blend file?
>>>
>>>> The decision at the time was that no, we do not. Also note that even
>>>> disabling scripts does not make Blender secure, there's dozens of
>>>> other ways to create malicious .blend files.
>>>>
>>> What are the other "dozen" ways blender could
>>> read/destroy/send-files-to-the-internet/install-viruses with python
>>> scripts disabled?
>>>
>>> [1]
>>> http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html
>>> _______________________________________________
>>> Bf-committers mailing list
>>> Bf-committers at blender.org
>>> http://lists.blender.org/mailman/listinfo/bf-committers
>> --
>> Thomas Dinges
>> Blender Developer, Artist and Musician
>>
>> www.dingto.org
>>
>
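
Added example, not part of the original thread and not Blender's own code: a sketch of the three-way preference proposed in the quoted message (always run, never run, ask case by case), with the "ask" branch driven by a scan of the file for Text datablocks. It assumes the classic .blend container layout (12-byte `BLENDER` header, then blocks with a 4-byte code, size, old address, SDNA index and count, ending in `ENDB`); all function names are hypothetical, and a Text datablock is only a coarse signal, since the scan does not see scripts that run from other triggers.

```python
import gzip
import struct
from enum import Enum

class Decision(Enum):
    RUN = "run"
    BLOCK = "block"
    ASK = "ask"

def count_text_blocks(data: bytes) -> int:
    """Count Text ('TX') datablocks in the bytes of a .blend file."""
    if data[:2] == b"\x1f\x8b":              # gzip-compressed .blend
        data = gzip.decompress(data)
    ptr_size = {b"_": 4, b"-": 8}.get(data[7:8])
    endian = {b"v": "<", b"V": ">"}.get(data[8:9])
    if data[:7] != b"BLENDER" or ptr_size is None or endian is None:
        raise ValueError("not a recognised .blend header")
    head_len = 4 + 4 + ptr_size + 4 + 4      # code, size, old address, SDNA index, count
    pos, found = 12, 0                       # the file header is 12 bytes
    while pos + head_len <= len(data):
        code = data[pos:pos + 4]
        if code == b"ENDB":
            return found
        (size,) = struct.unpack_from(endian + "i", data, pos + 4)
        if size < 0 or pos + head_len + size > len(data):
            raise ValueError("corrupt or truncated block")
        if code.strip(b"\0") == b"TX":       # two-letter ID code, NUL-padded
            found += 1
        pos += head_len + size
    raise ValueError("no ENDB block: file is truncated")

def load_decision(data: bytes, auto_run: bool, ask_on_load: bool) -> Decision:
    """Map the two preferences from the proposal to an action for one file."""
    if auto_run:
        return Decision.RUN                  # "I trust everybody"
    try:
        has_text = count_text_blocks(data) > 0
    except Exception:
        has_text = True                      # unparseable file: fail closed
    if has_text and ask_on_load:
        return Decision.ASK                  # "I care": ask case by case
    return Decision.BLOCK                    # "I trust nobody", or nothing to ask about

def sample_blend(codes, ptr_size=8):
    """Constructed sample: header plus empty blocks with the given codes."""
    head = b"BLENDER" + (b"-" if ptr_size == 8 else b"_") + b"v266"
    blocks = b"".join(c.ljust(4, b"\0") + struct.pack("<i", 0) + bytes(ptr_size + 8)
                      for c in codes)
    return head + blocks
```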