On 23.05.2014 13:53, Greg Zaal wrote: > Another silly idea: what if we leave this feature on, but only for paths > that include the word "download" in addition to the user-defined folders in > the preferences? > Or keep a history of trusted authors (computer name or ip) and check if the > author of a blend has been trusted before?
Think of a path like "download/../". This issue canont be fixed trivially. You cannot sandbox Python easily. The only way out of that mess would be for render farms to, e.g. put the render in some LXC (or other) container and deny it network access. Burn down the container after the work is done and you’re quite safe. This is nothing blender can fix. It is a kind of a limitation of the python language (note that PyPy, for example, offers ways to allow sandboxing, but many libraries won’t work with PyPy and embedding is totally different, so I assume that blender won’t move to PyPy in the next decade). regards, Jonas disclaimer: not a blender developer. just my five cents. > > -Greg > > > On 23 May 2014 13:43, Tobias Kummer <[email protected]> wrote: > >> Had the same problem here with the #frame driver in the Cycles seed >> value. Renderfarm just ignored it, and I only noticed it after >> rendering. >> >> On Fri May 23 12:26:46 2014, Paolo Acampora wrote: >>> This is an issue at our studio as well, I don't see any rationale in >> these >>> overly security concerns, it just prevents you to work. >>> >>> >>> 2014-05-23 12:06 GMT+02:00 Vilem Novak <[email protected]>: >>> >>>> Hello, >>>> I realize how important is the security when .blend files are >> distributed, >>>> but I thought, is there a way to exclude drivers from the relatively new >>>> strict blocking mechanism? >>>> >>>> To me as animator, it caused allready many problems. >>>> Last is ruining several days of rendertime on a renderfarm which has >>>> scripts >>>> blocked(as is by default!). Actually, it happened to me allready several >>>> times- setting up renders, render nodes, and forgetting about some >> drivers >>>> and the new feature. >>>> I realized so far none of the crowd-render farms for blender don't >> support >>>> scripts on (sheepit, burp). That it of course a logical choice. >>>> >>>> So the idea is - can there be some check to determine if a driver is >>>> actually a python script? If it's using any commands, and not only >>>> numerical >>>> / logical operators? And then, could such simple drivers be enabled? >>>> >>>> It would really save my life very often. Now I have to write a script >> that >>>> bakes all drivers before sending file to render farm... >>>> >>>> Regards >>>> Vilem >>>> _______________________________________________ >>>> Bf-committers mailing list >>>> [email protected] >>>> http://lists.blender.org/mailman/listinfo/bf-committers >>>> >>> >>> >>> >> _______________________________________________ >> Bf-committers mailing list >> [email protected] >> http://lists.blender.org/mailman/listinfo/bf-committers >> > _______________________________________________ > Bf-committers mailing list > [email protected] > http://lists.blender.org/mailman/listinfo/bf-committers > _______________________________________________ Bf-committers mailing list [email protected] http://lists.blender.org/mailman/listinfo/bf-committers
