This is a post to share some of my thoughts on what I consider a weak point of Blender’s Python scripts: the safety of scripts and keeping track of new versions. For a quick summary, skip to the last part of this post.
Currently (before Blender 2.5) there are two main categories of scripts. The first category consists of scripts that come bundled with Blender, for instance a lot of the import and export scripts. The second category consists of scripts that are written by community members, but cater to needs too specific to be included in Blender (or aren’t included for other reasons). This second category contains a lot of scripts and many are listed in the wiki Script Catalog. However, once you’ve downloaded such a script it’s hard to keep track of new releases. I have quite a few scripts on my computer for which I don’t know whether I have the latest version.
Another problem is the safety of the scripts. If they are in the Catalog I usually run them without checking the code for malicious behaviour, but when I’ve downloaded one from another location it takes some time to first check that it won’t harm my computer.
Use the current Blender Extensions repository to include an option inside Blender for checking for new updates. It could work like this:
- A script writer submits his script to the repository
- Some other people review the script and check it for malicious code
- If approved, an id is added to the script’s code and the script is moved to the approved section of the repository
- A user downloads the script
- After a month the user presses the ‘check for updates’ button inside Blender, and Blender contacts the database to check for new versions of the script ids installed by this specific person
- If there is a new version, the old script is overwritten and updated
Benefits / drawbacks
- Stimulates script writers to upload scripts to a central database
- Secure scripts for users, so they don’t have to manually check them
- Easy to keep track of new script updates
- Involves more work to maintain the repository
The reason I’m proposing a “check for updates” button, instead of having Blender automatically check for updates, is that I vaguely remember Ton being against such functionality. Besides, I’m pretty tired of software needing internet access myself.
Contrary to scripts bundled with Blender, scripts that simply want to be in the repository don’t need to provide extra functionality that will be enjoyed by a broad audience. Specific niche applications can in this way reach a wider audience and the users don’t have to check specific threads or personal websites for new versions, with the added advantage of knowing that the scripts won’t harm their computers.
Obviously the repository will need to be kept secure. If it were hacked it could be used to distribute malicious code, just like any other download location.
To be clear, this post is just a proposal, a brainstorming session. I don’t have the coding skills to add the “check for updates” function to Blender (though I do know Python). I just want to see what people think of it, before I post it to, for example, the mailing list (unfortunately Blenderstorm is down).
Starting with Blender 2.5 I propose an update function be added to Blender, for checking on updates for the installed Python scripts. Not just for the bundled scripts, but also scripts that have been checked and added to the repository. This will make it easier for users to keep track of updates and stimulate script authors to contribute to a central repository.
Please post any C&C you might have.
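
The update flow proposed in the post, sketched as an added example that is not part of the original post or of Blender. It assumes a hypothetical header convention (`# repo-id:` and `# version:` comment lines), a hypothetical index format, and that the repository records a SHA-256 digest when reviewers approve a script, so a download that differs from the reviewed bytes is never written over the installed copy.

```python
import hashlib
import os
import re
import tempfile

# Assumed header convention (hypothetical): "# repo-id: <id>" and "# version: <x.y>"
HEADER = re.compile(r"^#[ \t]*(repo-id|version):[ \t]*(\S+)[ \t]*$", re.M)

def read_header(source):
    """Return (repo id, version tuple) from header comments, or None."""
    fields = dict(HEADER.findall(source))
    try:
        return fields["repo-id"], tuple(int(p) for p in fields["version"].split("."))
    except (KeyError, ValueError):
        return None

def find_updates(installed, index, fetch):
    """installed: {path: source text}; index: {id: {"version", "sha256"}} as
    recorded at review time; fetch(id) -> bytes. Returns {path: verified bytes}."""
    updates = {}
    for path, source in installed.items():
        header = read_header(source)
        if header is None:  # no repository id: not ours to overwrite
            continue
        script_id, version = header
        entry = index.get(script_id)
        if entry is None or tuple(entry["version"]) <= version:
            continue  # unknown id, or already current (also blocks downgrades)
        body = fetch(script_id)
        # Only accept bytes matching the digest stored when reviewers approved it.
        if hashlib.sha256(body).hexdigest() == entry["sha256"]:
            updates[path] = body
    return updates

def apply_update(path, body):
    """Write beside the target, then rename, so a failed write keeps the old script."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    os.replace(tmp, path)

if __name__ == "__main__":
    # Constructed sample data: one outdated script, one tampered download.
    new = b"# repo-id: mesh-tools\n# version: 1.1\nprint('v1.1')\n"
    index = {"mesh-tools": {"version": (1, 1), "sha256": hashlib.sha256(new).hexdigest()},
             "uv-pack": {"version": (2, 0), "sha256": "0" * 64}}
    installed = {"mesh_tools.py": "# repo-id: mesh-tools\n# version: 1.0\n",
                 "uv_pack.py": "# repo-id: uv-pack\n# version: 1.9\n"}
    served = {"mesh-tools": new, "uv-pack": b"tampered"}
    print(sorted(find_updates(installed, index, served.__getitem__)))  # ['mesh_tools.py']
```

The digest check only helps if the index is obtained or authenticated separately from the script downloads; if both come from the same compromised server, the attacker can change both.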