[Bf-committers] Blender 2.93 Released!

Dan McGrath danmcgrath.ca at gmail.com
Fri Jun 18 11:14:36 CEST 2021


Also, maybe of interest: SLSA

https://thehackernews.com/2021/06/google-releases-new-framework-to.html

On Thu, Jun 17, 2021, 11:57 PM Dan McGrath <danmcgrath.ca at gmail.com> wrote:

> Hi,
>
> Just a thought, assuming only non-commercial add-ons, but is there any use
> in pushing such an add-on system into the python pip repos?
>
> As long as you own the namespace, like blender-*, for example, you would
> at least be able to offload the hosting burden to pip, as well as benefit
> from their battle-hardened system.
>
> On Thu, Jun 17, 2021, 9:23 PM Brecht Van Lommel <brechtvanlommel at gmail.com>
> wrote:
>
>> There are certainly challenges implementing such a system, though it's
>> been done many times in other applications. It's too early to go into such
>> details, it's not clear this will even happen or when.
>>
>> On Thu, Jun 17, 2021 at 10:14 PM Dan McGrath <danmcgrath.ca at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>>> For an official online repository that is integrated into Blender, users
>>>> would not notice much difference compared to bundled add-ons. I think it
>>>> would be valuable to have a way for more developers to share their
>>>> add-ons in the same way.
>>>>
>>>
>>> Out of curiosity, where and how were you thinking of hosting this
>>> repository? I would suggest our Google workspace area, due to the ACL,
>>> accountability and immutability of their system, but I don't know that the
>>> team would prefer that over S3 or self hosting.
>>>
>>> If self hosted, what about the security of this? A compromise of a
>>> binary is trickier; the binary rarely changes, has well-known checksums, is
>>> signed (on Win/Mac) and at least goes through mirrors and Microsoft which
>>> surely have excellent monitoring for unusual behaviour and known malware.
>>> If you start self-hosting auto-updating python code, files are directly
>>> uploaded into users' networks and devices. You bypass a lot of that
>>> built-in security in our delivery pipeline in a way I don't know you can easily
>>> compensate for, not to mention all of the bandwidth costs which are already
>>> a challenge to our gigabit link.
>>>
>>> --
>>> Cheers,
>>> Danny
>>>
>>> ----------------------------------------------------------
>>> Danny McGrath - danmcgrath.ca at gmail.com
>>> GPG key: EDF6 AFF5 2086 F93A 1F59 36A5 44B6 26F3 6968 71CA
>>>
>>

