Dear Thomas,

As I wrote in the first email, I know there are options to change the behavior, and I am questioning the *default* behavior.

I agree a confirmation popup is not nice, but I am suggesting the confirmation as a compromise to make Blender secure by default without causing data loss to users whose workflow relies on autorun.

Yu

On Tue, Jun 4, 2013 at 9:34 AM, Thomas Dinges <[email protected]> wrote:
> Hi,
> as someone previously said, you can start Blender with a parameter (-Y),
> to not start scripts automatically, so there is already an option. You
> can set that to your blender.exe or so, then you don't have to manually
> set it on each startup.
> Having a Confirmation popup "Do you really want to run the script?" is
> not a good idea, neither as a preference or not.
>
> Thomas
>
> On 04.06.2013 15:23, Yu Asakusa wrote:
>> Thank you for the reply, and especially for the pointer to the
>> previous discussion in April and May 2010. I was not aware of it.
>>
>> I think I took a look at all the messages in that thread in the
>> archive. Now I understand it is unacceptable to some people to
>> disable autoruns by default. So I will change my suggestion to the
>> following: Please add an option to confirm before Blender runs Python
>> scripts automatically, and turn on this new option by default.
>> Probably this option should be ignored in the batch mode.
>>
>> I tried to find this suggestion in the past thread, but I could not
>> find it. Excuse me if this was already suggested and rejected for
>> some reason and I overlooked it, but in that case I am curious what
>> the reason for rejection was.
>>
>> On Tue, Jun 4, 2013 at 8:15 AM, Brecht Van Lommel
>> <[email protected]> wrote:
>>> There was a decision to turn autorun on even if it causes potential
>>> security issues, what it comes down to is that we can't really secure
>>> python scripts, but they are critical for many artists' workflows.
>>>
>>> For a long discussion on the topic see here:
>>> http://lists.blender.org/pipermail/bf-committers/2010-April/027216.html
>>>
>>> On Tue, Jun 4, 2013 at 12:51 PM, Yu Asakusa <[email protected]> wrote:
>>>> Hello,
>>>>
>>>> Currently “Auto Run Python Scripts” in the File tab in the user
>>>> preferences (UserPreferencesSystem.use_scripts_auto_execute in Python)
>>>> is turned on by default. Please turn it off by default.
>>>>
>>>> The current default setting means that when users open a blend file,
>>>> Blender runs any Python scripts in the file as long as they are marked
>>>> for auto-run. Python scripts can read/write local files and do other
>>>> malicious things. Therefore, if users would like to open an untrusted
>>>> blend file, they must explicitly disable auto-run by either turning
>>>> off “Auto Run Python Scripts” in the user preferences or turning off
>>>> the “Trusted Source” checkbox in the File Browser window. (See also
>>>> my post on Google+
>>>> <https://plus.google.com/u/0/102042171744549015655/posts/2ayrQg2gUG6>.)
>>>>
>>>> I do not think many users know it is dangerous to open an untrusted
>>>> blend file with the default settings in Blender. It is different from
>>>> the common expectation for file-editing programs such as word
>>>> processors: opening an untrusted file in file-editing programs is
>>>> usually not considered to be a security risk. In other words, in
>>>> file-editing programs, it is the program’s responsibility to prevent
>>>> attacks even if users open malicious files. Depending on the point of
>>>> view, the current default behavior may be considered as a security
>>>> vulnerability in Blender because of the mismatch between the user’s
>>>> expectation and the actual behavior.
>>>>
>>>> Regards,
>>>> Yu
>>>> _______________________________________________
>>>> Bf-committers mailing list
>>>> [email protected]
>>>> http://lists.blender.org/mailman/listinfo/bf-committers
>
>
> --
> Thomas Dinges
> Blender Developer, Artist and Musician
>
> www.dingto.org
