I guess I'll barge in the discussion too :) I'm not sure that I see the full picture, but here's how I see the actual use-cases (mostly reiterating the points I've read here):
1) A user gets a .blend from somewhere or someone. Most of the time, the user knows what kind of content is supposed to be there. Either (s)he expects no scripts at all (e.g. it's supposed to be only a model/scene with everything already baked), or (s)he knows there might be some interactive elements (e.g. it's a complex rig or explicitly a script setup). In the latter case, a honest .blend author would (should?) warn that the .blend contains scripts and/or drivers. The idea is, the user usually knows whether there *should* be any scripts, and will get suspicious if they are where they shouldn't be. 1.a) The .blend came from a generally trusted source (Blender Cookie, Blend Swap, fellow artist). If the file does something malicious, it won't spread, since the source is known and can be quickly taken down. 1.b) The .blend is of unknown origin or came from some shady site (I suppose that's the situation Ton is afraid of -- the proliferation of .blends due to the Blender's popularity). In this case, the "takedown" approach isn't really possible, but the user *should always* be suspicious if such file contains any bit of Python code, and probably avoid such files at all (just like with the .doc files). So, as I see it, normal users are generally safe if they stick to trusted sources and know whether any .blend contains Python code. Perhaps a big warning at the Blender download page "Don't open .blends with Python if you don't trust the source!" would help. Of course, a targeted/random one-time attack might still cripple a couple of blenderheads' systems, but, as it was already mentioned before -- who would bother? (Obsessive blenderhead-hating trolls are the only ones I can think of.) Even if .blends would become as ubiquitous as pictures (e.g. due to 3D printer sitting in every household, or BGE becoming more popular than Unity), this scenario still avoids .blend-trojans/viruses if users are properly warned and have a bit of computer common sense. 2) The case of Blender developers or similar folks who *have* to open .blends from unknown people. They are more susceptible to the targeted attacks, and "This file contains Python!" warning won't help them much. But these folks are well aware that every user-submitted .blend they open might do something bad, and they are tech-savvy enough to take defensive measures (inspect the Python code before allowing it to run, or even open the .blend in a virtualized environment). Summing up: it's simply a matter of Pareto principle. "Shifting responsibility to users" is an obvious (and easy to implement) first step to security, which takes care of 90% of (currently purely hypothetical) Python-based attacks. Properly forking/sandboxing Python decreases the number of vulnerabilities, but requires a considerable undertaking by the Blender devs. Switching to an inherently safer language (Lua) would probably require at least as much effort, and leave the userbase smaller and quite displeased. The question is, where to draw the line? Hope this makes some sense :-) Dima. _______________________________________________ Bf-committers mailing list Bf-committers@blender.org http://lists.blender.org/mailman/listinfo/bf-committers
