…okay, fair statement when you think about it, but you gotta admit it’s bad optics, really bad optics.
The quoted developer is giving his own opinion here. If you look at all discussions, we took their reports very seriously and spent a lot of time on it already. I don’t think it’s fair to publish it with such a negative accusation. I’ve asked Cisco to correct the text.
Meanwhile: the issue has been recognised and we hope we can tackle it with Cisco’s help.
Brecht followed up with this statement later on…
Right, I am not speaking for the Blender Foundation. Nor am I saying vulnerabilities should not be taken seriously, but rather that if anyone is serious about making loading arbitrary .blend files in Blender secure, fixing these issues reported by TALOS will not get us much closer to that. Users should understand that loading untrusted scene files in Blender and similar CG software is not secure, and not get the false impression that software developers addressing the occasional reported issue means it is secure.
For background on security and arbitrary code execution in CG software in general, see this article.
Eh, fair enough.
I don’t think the security flaws are a big deal either,
You should treat files you downloaded from a random site like candy from a stranger.
You probably shouldn’t be doing it in the first place, but when you do, scan it.