Extensions Platform

Fixed now…

On the Extensions website, the “Version History” tab returns 404 for addons still in Approval Queue (example here).

Thanks. For this it is better to report a bug. From the top-right menu click on “Report Problem”.

Done! Amazing work btw!

Hello!
What I feel so far about the extensions UI in Blender is that is not very clear what to look for in the drop-down menus.
While I understand that this new system encourages developers to use the extension platform, I think that MANY add-ons will still follow the current way of installing an add-on from a zip file, therefore I think that the button for installing an add-on from disk should be exposed at the top level of the header, rather than in a drop-down panel. It’s a functionality that will still have a lot of relevance and for me shouldn’t be so “hidden”, compared to how much relevance is given to the Repositories menu, which I don’t know how frequently I’ll use once they are set-up (I almost feel they should be in the File Paths tab in the Preferences).

Also, for now we’re missing all the add-on categories (3D View, Interface, Materials, etc.), making the process of scrolling and finding add-ons way more tedious. I think that the potential for the system is incredible, but the current UI and UX of it makes it not very comfortable to use.

It does (well, sort of…for some developers.), but it should not be the goal at the expense of making it more difficult for the actual end user to work with it.

One example image of this:

ext-list1920×1200 310 KB

You can drag & drop zip file in Blender and it will install addon

Oh! I never knew this was a thing with add-ons. That’s a actually a great feature and pro tip.
Do I need to have the preference window open or just drag into the viewport?
Thanks

It was added in 4.2. You can just drag wherever. With this, I don’t think giant button in preferences for installing is important anymore.

I would like to make another small request. For 4.2, can we get the same behavior of past past Blender versions that at the moment a “legacy” add-on is installed the add-on list automatically filters itself to only show the add-on that was just installed? As of now with 4.2 you have to scroll through the add-on list and find the newly installed add-on and then check the box.

Filters button/feature seems to be a work in progress, as the results don’t currently look like they match the checkbox chosen.

Hi, i was testing the latests build HASH:dbc842b21e7d and notice that if i disable repositories to more or less filter what i see in the UI extensions list, it also disables the addons/extension and keep em disable even when i enable the repository again, something that is really annoying, luckily as an older blenderhead i have the autosave for the preferences disable (old school) but for newer 2.8 era users that could be really a problem, especially for those users that use a lot of addons/extensions.

A question, the categories that the addons had (modeling, object, 3d view etc) ¿are not going back in the ui interface?

Hello, the new system seems good so far. Being able to use python wheels helps a lot not to have to vendor packages and modify them to use relative imports.

I am migrating an addon to an extension and for it’s full functionality Preferences are needed. It seems that at this point, bpy.context.preferences.addons[__package__].preferences returns None. Is this expected at this point (Blender 4.2 as of June 1st) or should i open an issue?

It returns None when file isn’t in the base folder, in that case you should import it first

from … import package as base_package

and use addons[base_package]

Thank you very much!

@dfelinto

Questions regarding security :

1.) Is the entire extension platform written in python? (And not in C inside blender’s source)

2.) If the entire extension is written in python, can i remove the non-legacy extension manager python files? (I am not talking about disabling but actual removal of the files) (if so, will removing the python files for the NON-LEGACY extension manager will still allow blender to work? (this should be the case, legacy extensions manager and online extensions manager should be de-coupled and should work as 2 python programs; separated ))

3.)Is the extension platform added code to blender’s source for it to use online functionality or is it strictly python; was any functionality that requires sockets got added to the source code? (If the answer is yes, there will be a BIG follow up to this post).

@Illasera the distinction is not between “legacy” and “online”. There’s a new extension packaging and installation mechanism, and it can optionally access online repositories if you enable online access in the preferences. This is going to be the main way to install add-ons going forward, offline or online.

You could edit the Python code to rip out the online access implementation, though I don’t think that really accomplishes anything security wise.

This is not the point, if said functionality is loaded into the program’s working memory , even if un-used by the user, it can be exploited.

most malicious attacks aren’t done directly by the user executing some bad binary but by looking for existing vulnerabilities, we have a huge website dedicated just for that called metasploit.

If blender is using any function that allows for remote connection (I know the version of python and package you guys ship come with near complete IPC ( Inter-Process Communication) functionality that is already a risk but let’s face it, unavoidable (I have seen btw python add-ons with self updater and other stuff that connect to remove servers, can easily be turned vs the user).

I am asking if this extension manager doesn’t compound the problem by making online functionality reside in memory once blender is launched) (EVEN IF UNUSED).

More code always means more potential exploits. But as far as I know, trying not to load particular code into working memory is not a common security strategy for software like Blender. It’s more about protecting entry points, because once you are in you can do whatever you want anyway.

yes sir, that is an obvious statement but its about how wide is the attack surface.

a simple C program with a main function that does 2+5 is not equal to a program with the ability to open up sockets and establish online connection, that is the issue at hand here.

used or un-used , once the functionality to open a remote connection is added, you just opened pandora’s box.

*This is without even addressing the big elephant in the room, not only exploits by bad code if @dfelinto implementation or anyone who worked on it made a mistake (that could happen) but what if your repository become compromised? (you guys were attacked few months ago, remember? that’s a question of trust; and yes it can happen to anyone, not just you, that is the point, and even if the previous attack was a ddos attack , its not the point as well, the point is, BAD THINGS CAN HAPPEN).

And my main fear is that adding such functionality compounds the security hazard aspect.