Hi all,
Maybe somebody's mentioned this, but one compromise could be to add an
option at installation time to select for Heightened security (some
functionality disabled). This could be recommended for first-time users
but not set as the default.
T
___
*Mono*:
On the suggestion of Mono, this is a no-go before it even gets to the
starting block. The components needed to make Mono run are quite large
in size and not guaranteed to be on every machine. Currently Blender
runs just fine by distributing the required Python dependencies along
--- On Thu, 4/29/10, Charles Wardlaw cward...@marchentertainment.com wrote:
So you're telling me I can't modify sys.path to remove the
standard Python libraries?
File access is part of builtins, you can remove that.
Even if you try, there's a million of sneaky ways to get it back, like the
+1 to mapping options being in material/modifier/whatever
+1 to get shading influence settings out of texture panel and back into
material (mockup presented by Doug Olivier)
I believe the presence of a stack of slots in 2.4 or a list of textures
in 2.5 in the Texture panels is confusing. I
Charles Wardlaw wrote:
So you're telling me I can't modify sys.path to remove the standard Python
libraries? I'm not talking about a safe and secure sandboxed VM-- I mean
literally remove the functionality. It's just a zip file or a folder or
whatever, and there's no reason you can't
File access is part of builtins, you can remove that.
Even if you try, there's a million of sneaky ways to get it back, like the
following:
[t for t in type(1).__class__.__base__.__subclasses__() if hasattr(t,
"write")][0]("/path/to/file", "w").write("my payload")
There're ways around any
It is time to end this security discussion: paperware is very beautiful
but never leaves the planning phase.
The pro-security team could work on a prototype that could shut up the
rest of us that think this discussion is getting in the way, meanwhile,
the rest of us could continue improving
And it is not just these modules that would be useful to a malware
author. There is subprocess, socket, threading, email, io, platform,
shutil, and many more that could be used to get access to resources that
are not required for rigging/animation purposes in Blender. And this is
ignoring the
Actually I like this idea too, Doug (already mentioned by brecht
actually) and I think the only problem left is where the texture
properties will be. I would prefer being able to see both
material+texture properties at the same time as opposed to the current
system (Well, OK you can have two
Charles Wardlaw wrote:
No answer for you. But if people aren't willing to remove that
functionality, or limit it globally in the internal interpreter, then there's
no way to lock things down.
Agreed 100%. The issue, as I keep repeating, is that the ideal solution
is that the scripts
Raul Fernandez Hernandez wrote:
It is time to end this security discussion: paperware is very beautiful
but never leaves the planning phase.
The pro-security team could work on a prototype that could shut up the
rest of us that think this discussion is getting in the way, meanwhile,
I only use Blender but I was wondering if the other 3d packages have
found a good way to handle this texture/materials problem? Could we
incorporate some good ideas this way? Why reinvent the wheel? Does
anyone have a favorite other system? How does it work?
I am not putting down the other ideas
On Thu, Apr 29, 2010 at 12:31 PM, Kevin Roy kin...@gmail.com wrote:
Hello,
Thu, 29 Apr 2010 11:10:39 +0400
Ruslan Merkulov r.merku...@gmail.com wrote:
2) Create some sort of official content and scripts repository for
Blender with some sort of approving scheme. Maybe create an add-on for
Hi,
ideasma...@gmail.com (2010-04-28 at 1015.26 +0200):
Revision: 28485
http://projects.blender.org/plugins/scmsvn/viewcvs.php?view=rev&root=bf-blender&revision=28485
Author: campbellbarton
Date: 2010-04-28 10:15:26 +0200 (Wed, 28 Apr 2010)
Log Message:
---
Hi guys,
Is this the list of options?
1. Work with the python team to implement the desired security features
into the python trunk.
2. Create a secure python fork and implement the desired security
features into it.
3. Maintain a trusted/certified/signed repository of scripts and warn
users
6. Create a secured blender version of the installer (for platforms
that support it) that creates a locked down blender user for executing
blender.
7. Provide a downloadable virtual machine (VMWare/Virtual Box/etc.) image.
Martin Poirier wrote:
0. Keep current features, switch from default on
Ok it seems we are getting nowhere fast on this, so to address the
original issue, have it off by default as that is what seems to be
causing the most troubles, yet keep it there for those who need it (ie
paranoid IT people :) ),
as in a studio you will mainly be using internal scripts for like
Raul Fernandez Hernandez wrote:
Don't get me wrong, I have no intention of discrimination, I think the
fact that English is not my way of thinking could lead to this. I was
speaking for myself, splitting in pro-security and the rest is very
natural when a discussion arises, is nothing bad,
Michael Fox wrote:
Ok it seems we are getting nowhere fast on this, so to address the
original issue, have it off by default as that is what seems to be
causing the most troubles, yet keep it there for those who need it (ie
paranoid IT people :) ),
To be honest, I think the reason it is
http://www.philhassey.com/blog/tinypy-ideas/
Embed tinypy
* Objective: sandbox tinypy and then (as in lunatic python) build
a python module that uses tinypy for safe execution of “unknown” code
it's just an idea at the moment and not implemented but this sounds
interesting. :) tinypy
Apathy can also result in people giving up trying to convince others of
the wrong solutions. It's a double-edged sword.
Benjamin Tolputt wrote:
Martin Poirier wrote:
There's still very little doubt that this will be the solution that is going
to be adopted (in the short to mid term at
Of course the "this is impossible with python" can be wrong in the long
term; who knows what direction python will evolve in the next 2-3 years.
But trying to find a python solution right now, with what we have, is
impossible.
I have to agree with what someone posted earlier: if someone is
I didn't mean that to come across as a personal attack, Benjamin. I'm
just pointing out that just because someone has an idea, that doesn't
mean it's the right idea.
Ken Hughes wrote:
Apathy can also result in people giving up trying to convince others of
the wrong solutions. It's a
Ken Hughes wrote:
I didn't mean that to come across as a personal attack, Benjamin. I'm
just pointing out that just because someone has an idea, that doesn't
mean it's the right idea.
Ken Hughes wrote:
Apathy can also result in people giving up trying to convince others of
the wrong
8. Worry about it when something actually happens
and you have a real case to confront, rather than hyperbole.
___
Bf-committers mailing list
Bf-committers@blender.org
http://lists.blender.org/mailman/listinfo/bf-committers
Roger Wickes wrote:
8. Worry about it when something actually happens
and you have a real case to confront, rather than hyperbole
This is insulting. The developers have already acknowledged this is an
issue. That is why there is the default on security in Blender now.
Waiting for someone to be
On 30/04/2010 3:49 a.m., Knapp wrote:
I only use Blender but I was wondering if the other 3d packages have
found a good way to handle this texture/materials problem? Could we
incorporate some good ideas this way? Why reinvent the wheel? Does
anyone have a favorite other system? How does it
Ken Hughes wrote:
Of course the "this is impossible with python" can be wrong in the long
term; who knows what direction python will evolve in the next 2-3 years.
But trying to find a python solution right now, with what we have, is
impossible.
Bingo. Glad I'm not the only one saying
That was covered by 5.
People concerned about malicious scripts already have options to run
scripts from the wild in a secure fashion now using a virtual machine or
a locked down user on a decent OS.
People not concerned about security have probably already been pwned anyway.
5 is a valid
Awesome, was curious how light-wave did it.
They are all seeming relatively similar with minor differences in approach.
Any wild cards out there from strange softwares etc?
On 30/04/2010 1:40 p.m., Daniel Salazar - 3Developer.com wrote:
I've suggested this type of texture managing in the past
Michael Judd wrote:
People concerned about malicious scripts already have options to run
scripts from the wild in a secure fashion now using a virtual machine or
a locked down user on a decent OS.
And as I said before, it is the people that don't know to be concerned
that need this the
--- On Thu, 4/29/10, Benjamin Tolputt btolp...@internode.on.net wrote:
I honestly think the debate is going to fizzle out
regardless, because
the real decision makers are remaining silent.
The topic was reopened following a conversation between decision makers on
IRC. Both of which as well
Doug Ollivier wrote:
Any wild cards out there from strange softwares etc?
hmm... just blender :)
--
Christopher Cherrett
ccherr...@openoctave.org
http://www.openoctave.org
Martin Poirier wrote:
The topic was reopened following a conversation between decision makers on
IRC. Both of which as well as others have participated in the discussion that
followed.
To be honest, the decision was pretty much already taken, people just didn't
notice.
Would you be
Best bring this up next meeting and come to some consensus. I wasn't
in IRC for the decision either :)
However I'm going away this weekend, can make it for the next one
though (May 9th).
Don't think this is urgent, can wait a week or two, would rather this
be a meeting topic so we can formalize