Extensions Platform

It won’t. Removing the addons from default Blender download will make 4.2 about 5MB smaller. Basic browsing of the Extensions website will download more data than that.

I don’t think that’s fair. The checkbox turns off blender itself connecting to the internet. That’s not ‘nothing’. It doesn’t change anything to the fact that addons can call any python code they want, and even call into external programs. But this has always been the case. It would be a good idea to educate naïve users but that doesn’t really have anything to do with the whole extensions discussion. Apart maybe from making people realize it only now.

1 Like

Just to clarify:

This checkbox is not about python scripts in addons. Those are always able to run, that’s what an addon is. This checkbox is about embedded scripts in the .blend file. And I don’t think there is a way to tell blender ‘allow scripts added by rigify, but not others’ as there is no way for blender to know which is which.

edit: This post is about the “Auto Run Python Scripts” checkbox, that CookItOff talked about. It is not about the ‘allow internet’ checkbox. I add this clarification, because it leads to some confusion in the replies to this post.

5 Likes

And in what world is this NOT a security risk?
Edit : rephrasing this a bit.
It should be more known that addons CAN have access to the web when used. Certain asset library addons do this already. Maybe it could be added in the addon’s description.
But it might be good to inform users about this. As most, if not all, functionality of an addon wouldn’t need internet access imho.

Read up on the connecting to the internet issues, some points:

  • The description for “Online access” may need to be re-worded to make it clear this isn’t guaranteed for extensions.
  • The fact that extensions are not blocked from accessing the internet, still means they can be reported for failing to follow policy, so on any given day - popular extensions are unlikely to be ignoring extensions.blender.org policies.
  • Sand-boxing Python is a non-starter, the resulting Python environments tend to be so constrained as to be useless for most extensions. As has already been mentioned, it may be simpler to sandbox Blender itself, although this depends on the underlying platform.
  • From the systems I’ve used - having 3rd party packages perform unauthorized internet access tends not to be a problem, not to diminish the concern. I’d put this in a similar category as malicious code - while it can’t be prevented entirely this is something that needs to be managed & re-evaluated if it’s not working well.
11 Likes
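
An added illustration of the policy-review point in the post above (not code from this thread or from Blender): a static check that flags extension source importing networking modules without ever reading `bpy.app.online_access`, the flag Blender 4.2 exposes for the Online Access preference. The module list, function name and sample sources are constructed assumptions, and the check is a heuristic only, since an add-on can also reach the network through external programs.

```python
import ast

# Assumed, non-exhaustive set of modules that open network connections.
NETWORK_MODULES = {"socket", "ssl", "urllib", "http", "ftplib", "smtplib",
                   "requests", "aiohttp", "httpx"}

def audit_source(source: str) -> dict:
    """Report networking imports and whether bpy.app.online_access is read."""
    tree = ast.parse(source)  # parses only; the add-on code is never executed
    imports = set()
    checks_flag = False
    for node in ast.walk(tree):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            # level == 0 skips relative imports of the add-on's own modules
            names = [node.module or ""]
        elif (isinstance(node, ast.Attribute) and node.attr == "online_access"
              and isinstance(node.value, ast.Attribute)
              and node.value.attr == "app"):
            # matches the attribute chain `<name>.app.online_access`
            checks_flag = True
        for name in names:
            top = name.split(".")[0]
            if top in NETWORK_MODULES:
                imports.add(top)
    return {"network_imports": sorted(imports),
            "checks_online_access": checks_flag,
            "flag_for_review": bool(imports) and not checks_flag}

# Constructed sample sources (not real extensions).
SAMPLE_IGNORES = '''
import bpy
import urllib.request

def fetch(url):
    return urllib.request.urlopen(url).read()
'''

SAMPLE_RESPECTS = '''
import bpy
import urllib.request

def fetch(url):
    if not bpy.app.online_access:
        return None
    return urllib.request.urlopen(url).read()
'''

SAMPLE_OFFLINE = "import bpy\nimport math\n"
```

A file that is flagged only warrants a manual look; a file that reads the flag somewhere may still make requests on a path that does not check it.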

Correct. I was merely trying to show a correlation between the two and the known risk of running random add-ons. Good to know about not being able to target specific addons though. Thanks.

1 Like

“May” is not a strong enough word. If a website gives the user the option to reject cookies but uses cookies anyway, this is illegal. If an app has an email signup with a checkbox for “do not send me marketing emails” and then sends marketing emails, this is illegal. If a software package has a checkbox for “online access” that does nothing to curtail online access, that is illegal. It doesn’t matter if add-ons can access the internet, but the messaging around that matters very much.

The Foundation is currently piloting a direct course into a crippling lawsuit that could very well end Blender development through legal costs. Flag this if you want, I know it’s not a popular take, but you have to understand the legal peril you are putting yourselves in here.

2 Likes

IANAL/TINLA, pls keep in mind that this isn’t just “my country’s laws are global default”. So many nations / supranational unions have similar (Amsterdam was part of the founding of the EU, yes?) that this is a potential disaster. I strongly advise getting legit legal opinions on the wording and updating the descriptions.

1 Like

You’re getting flagged because of how you carry yourself, not the message you are trying to get across, kindly take it down a few notches.

8 Likes

I have a question surrounding developing extensions:

With legacy addons, you could create a symlink from a development directory into the Blender scripts/addons folder. Then it would show up in the addon list, and you could enable it from the UI, or with an operator.

This is how the vscode blender development extension by @jacqueslucke works, so it would be good to keep this workflow.

However, when creating a symlink into the new extensions directory, it shows up as “missing”.

This error isn’t very informative, and looking into the code hasn’t helped understand the mechanism that’s causing it.

Is there a way to use symlinks with the new system, or does the addon need to be reinstalled each time?

It’s not reasonable to expect users to delineate what “is blender”, and what is “part of blender, but not blender” in this way.

1 Like

The Foundation is currently piloting a direct course into a crippling lawsuit that could very well end Blender development through legal costs.

I’m not super informed, but I thought this was all about an auto update, or something similar enough. What would make even the most worn out of armchair’s “lawyer” entertain the idea of filing a lawsuit over it? What is the issue here?

What part of that didn’t answer your question? :thinking:

1 Like

I mean an actual reason. Not, “Technically, the wording of that checkbox may be correct, but could perhaps not reveal the entirety of the user’s ability to install third party addons that do not respect said checkbox”

That isn’t lawsuit material, especially not the type that goes anywhere.

1 Like

The issue is that even when this checkbox is OFF, extensions are still allowed to have online access.

2 Likes

It doesn’t have to go anywhere to be expensive to defend against – very, very expensive, such expense paid for out of money donated for Blender development, not legal fees. Could be avoided with some simple rewording – this seems axiomatic to me, I don’t understand why it’s being argued against.

1 Like

By all means, reword it. But don’t act like this is something that would even happen, never mind bankrupt Blender to the point of shutting down development. That’s what I am saying, and why I asked if this is about something other than an auto updater. Seems like it is what it appeared to be so far.

2 Likes

Yes, of course we should – that’s fundamentally necessary to prevention efforts. :face_with_diagonal_mouth:

It’s all the same point I have been making. There’s a huge difference between, “Clarify this message out of courtesy” and “Remember when the checkbox shut down Blender development?”

There’s also a huge difference between “checkbox shuts off blender’s online access” and “Oh, it doesn’t do that.”

the user can opt out of this and not connect to the internet - So, this changed?

2 Likes