Hi, I don't think I'm bringing up anything new here but would like to point out some things.
First is that there is a difference between Python scripts. One category is scripts to extend Blender, like exporters. These fundamentally can't run inside a sandbox since they need to access files. Some can, but it's not worth making the distinction in my opinion. I'm not at all worried about this case really; if you download extensions or plugins, I think people understand these are potentially unsafe. The bf-extensions repository should work well as a place to get things officially reviewed, and personally I don't think it's necessary to do anything more complicated, especially not if it is something that users have to deal with.

The real problem is loading .blend files, which users may not know is unsafe. Running scripts is now disabled by default in Blender 2.5, and users must specify explicitly that they trust the .blend file. This replaces the security problem with a usability problem, i.e. loading your own .blend files or e.g. a scripted rig downloaded from the internet is less convenient this way. We could try to improve this still, by warning more clearly if there are scripts and perhaps letting Blender remember which .blend files are trusted.

To completely avoid this problem (which I think is really a usability problem with scripts disabled by default), we could try to sandbox such scripts included in .blend files. Besides the fact that Python is difficult, by accessing Blender data and operators you can still do the same damage, though it's more complicated. We could try to secure this, but it is really difficult; in projects that really care about this (e.g. Firefox) security holes are still found, and I don't think Blender developers will really want to invest time to make this safe. It's also not something you solve once: every Blender feature is a potential security problem. For basic expressions for drivers you could possibly lock down pretty much everything and still have them work. For more advanced scripts making e.g. panels or drawing in the 3D view, this will not work, and more advanced rigs will take advantage of the extensibility of 2.5.

To sum up my opinion, sandboxing is very hard and not something we can solve once; it requires continuous attention, so let's not even try it. Instead, the install addon operator should warn about security problems, and loading a .blend file with scripts should become easier for users.

Brecht.

_______________________________________________
Bf-committers mailing list
Bf-committers@blender.org
http://lists.blender.org/mailman/listinfo/bf-committers