Blender Addon Registry


#1

Hi,

Some years ago I made an addon to manage an online registry of addons. It seemed natural to me (and still does) that addons could be downloaded on the fly inside Blender, rather than either having bundled addons (i.e. downloaded and installed by design, but I don’t use most of them) or having no standard way to install addons retrieved from the internet.

I just discovered developer.blender.org, where I mentioned this, and I was redirected here, well, another subdomain I wasn’t aware of :)

Not sure if it directly works, e.g. GitHub may have changed something in the URL for accessing the registry JSON. Anyway, it was just a proof of concept, hopefully you will like it and adopt this concept into Blender, i.e. redesign the addon window a bit, host the registry on assets.blender.org or something, etc. @AdamPreisler told me about Blender Cloud which could be used for that.

Cheers


#2

We’ve talked about this kind of thing before amongst developers. I think Blender developers would like to bundle fewer addons with Blender and instead put addon writers more in control to publish their addons, rather than going through Blender’s review process and repositories.

The main reason it hasn’t happened yet is time constraints: once we do this officially, it would be a big commitment to maintain the repository and ensure there is no malicious content. So I think this could be great, but I expect it will be quite a while unless there is time to officially adopt this thing, especially as long as Blender 2.80 is not released yet.


#3

Indeed, such systems struggle to prevent malicious software from entering. But this problem is already here: we all have downloaded addons from external sites without extensively reading their code. Searching for “npm malicious code” led me to this article, which highlights impressive stats about contributors to vital projects neglecting their account security. So I don’t fear malicious addons per se (most users won’t take risks with addons with low download stats), but I fear venerable addons being compromised. I’m afraid no system can ensure that all its users have the same security requirements at all times. Besides, having a central authority to validate addons doesn’t prevent such risks, but it sure goes against the open source philosophy.


#4

A sort of community approval can be easily maintained. It is usually enough to create functionality to report malicious code and maintain the rating of trusted developers / trusted addons. If this idea is implemented, it should take addon discoverability to entirely new levels.