Security aspects were considered when designing this system, but there are indeed always risks. Do you have specific suggestions for what you want to see changed in the implementation? If you want to patch the Python code in a Blender installation to remove online access code, then you can. But I’m not sure what you expect Blender to do different specifically.
I’ve not a suggestion, but a question on it.
Scenario:
- User adds a 3rd repository, such as blendermarket, github, gumroad
- Adds a plugin from this repository
- Repository is compromised, and plugin updated maliciously
- User has auto-update enabled. Plugin updates, and starts deleting or corrupting user’s data or files at random.
How is this prevented, or minimized to a level that is relatively less worrisome?
How is this different from a user installing a malicious python script they downloaded from the internet?
To be clear, there is no auto update functionality. There is auto check for updates, and then it’s a decision for the user. Though of course users may click without verifying anything.
If a website is compromised, then installing anything from there through a web browser or through Blender is going to be a problem.
You don’t think that a user downloading and installing a file - no part of that process - is any different than software automatically downloading updates?
I’ll rephrase - an automatic check which doesn’t necessarily vet the contents, and will alert the user that pressing “install update” will update the plugin.
Like @brecht already said, it doesn’t happen automatically. You have to press an update button.
So the takeaway to the question of “How is this prevented, or minimized to a level that is relatively less worrisome?”, the answer appears to be “it is not.”
There isn’t much to be done. Downloading and running things from in the internet has an inherent risk. The important bit is that the user can opt out of this and not connect to the internet. Then you minimize the risk.
Thanks for explaining this as if I’m a child, who hasn’t been using the internet for 30 years.
With your permission, i would like to redirect your attention to :
CVE-2024-3094 – XZ LZMA Vulnerability.
A reviewed project with a known contributor of unknown country that we are not allowed to mention (with permissions to do pull requests) decide to do a little code obfuscation with an added script that made half of the world go down the shi… ya know. so, if its a question of trust, don’t trust anyone.
Are you thinking along the lines of checksums or signed keyrings?
I would like to apolgoize to @dfelinto for ruining the discussion a bit but this is not hindsight
there was a discussion a year ago on blender’s asset bundle, the original roadmap included the ability to download assets from within blender via the asset viewer.
I went there and made such a stink about it , a moderator had to PM me and try to calm me down (unsuccessfully, he was nice but i told him to shove it), i pretty much screamed like an autist : “DO NOT add online functionality to blender’s core or python scripts”.
Now, i understand the sunk cost and i have respect for everyone here but i fear that what @brecht is striving for is impossible, no my friend, there is no way to “Improve the implementation to be safer”, and no you guys did not take all the security concerns into account.
If you allow for online connection, if its in the binary code, if its a running python script; its too late pretty much; there are no miracles to allow for safe online functionality, brecht, i am sorry.
i went around the bush to avoid saying it, this project should not make it to blender or at least be marked as an experimental download (This may sound like a big “Screw you” to over 10 people who worked on this project for months, but i am kinda saying it and i apologize but i have to say it).
@Illasera The developers have always been aware that some users like you have this opinion, from the start of the project. But many other users do want the functionality. In the end the developers had to make a decision one way or the other.
what about a different build (Different download) , at least for the next 2-3 upcoming versions?
one with the new add-on manager and one without?
for the sake of testing and feedback.
I think the existing preference for online access is good enough, and not significantly different than a separate download in terms of security.
I understand, thank you, well, i would continue watching this discussion unfold, see if we get any new perspective or we can close the book on the security aspect and take it the way it is.
What do you expect? It’s just another way to install the same code. There is no “security review” for a manual download either. And what should Blender do? Check every change in every extension for possible misuse?
The new extension platform even offers simplified and transparent reviews of the community through the reporting function.
I saw many of your comments in the thread and many were destructive like: Never change a running system. But the new system offers the same functionality and can be scaled much better in the future. So just give it a try and be constructive
True, but up to now, there is a high chance that many Blender users either don’t do manual downloads of addons (all they use are the 100 or so addons that have shipped with Blender for years). Or, they purchase an addon, get an email to be told it’s been updated and go directly to that page and only download/install the code that the single developer has created/changed.
Now sure, in that case, one needs to trust that the specific developer isn’t doing anything bad, but you still aren’t opened up to the whole platform, which could also be compromised.
Now, you pretty much need to be, just to get most of the addons that came with Blender in the first place.
How good or bad this will turn out to be, I guess we will see.
Many of the preinstalled add-ons so far have not been developed by Blender, so security cannot be guaranteed at the moment. In fact, many pre-installed add-ons have not been updated for years, which could theoretically even lead to more security problems. With the new platform, these addons can be updated more easily by the original developers or by others in the community
With external addons you have to trust the developer anyway.
Currently only the way of downloading would change, but that has no real influence on the code quality/safety.
However, unlike before, it is now even easier to report security vulnerabilities via the extension platform and discuss them transparently.
I hate to play the teacher card again, but I’ve seen how people get their add-ons and it can traumatize you. People are really overestimating how many of shipped add-ons were actually used.
People got add-ons from random Gumroad pages, downloaded from github as zip, where they still contain images from the websites readme. Add-ons that don’t actually implement something that already isn’t in Blender, but trick people into thinking they do. There are shady websites that sell free add-ons (mostly to non-English speaking users, who are not aware of main platforms). I’ve seen my add-ons on very suspicious websites up for grabs. There are websites that just download extensions from the platform and upload them on their websites.
I pretty much disallow my students from installing add-ons I didn’t gave them. They accumulate so much trash on PC and in scenes that need to be cleaned. Security concerns are actually lowered with Platform compared to that shitshow. At least somebody opens up a zip a sees whats in it there before publishing.