Also, maybe of interest: SLSA https://thehackernews.com/2021/06/google-releases-new-framework-to.html

On Thu, Jun 17, 2021, 11:57 PM Dan McGrath <danmcgrath...@gmail.com> wrote:

> Hi,
>
> Just a thought, assuming only non-commercial add-ons, but is there any use in pushing such an add-on system into the Python pip repos?
>
> As long as you own the namespace, like blender-*, for example, you would at least be able to offload the hosting burden to pip, as well as benefit from their battle-hardened system.
>
> On Thu, Jun 17, 2021, 9:23 PM Brecht Van Lommel <brechtvanlom...@gmail.com> wrote:
>
>> There are certainly challenges implementing such a system, though it's been done many times in other applications. It's too early to go into such details; it's not clear this will even happen or when.
>>
>> On Thu, Jun 17, 2021 at 10:14 PM Dan McGrath <danmcgrath...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>>> For an official online repository that is integrated into Blender, users would not notice much difference compared to bundled add-ons. I think it would be valuable to have a way for more developers to share their add-ons in the same way.
>>>
>>> Out of curiosity, where and how were you thinking of hosting this repository? I would suggest our Google Workspace area, due to the ACL, accountability and immutability of their system, but I don't know that the team would prefer that over S3 or self-hosting.
>>>
>>> If self-hosted, what about the security of this? A compromise of a binary is trickier; the binary rarely changes, has well-known checksums, is signed (on Win/Mac) and at least goes through mirrors and Microsoft, which surely have excellent monitoring for unusual behaviour and known malware. If you start self-hosting auto-updating Python code, files are directly uploaded into users' networks and devices.
>>>
>>> You bypass a lot of that built-in security in our delivery pipeline in a way I don't know you can easily compensate for, not to mention all of the bandwidth costs, which are already a challenge to our gigabit link.
>>>
>>> --
>>> Cheers,
>>> Danny
>>>
>>> ----------------------------------------------------------
>>> Danny McGrath - danmcgrath...@gmail.com
>>> GPG key: EDF6 AFF5 2086 F93A 1F59 36A5 44B6 26F3 6968 71CA
>>

_______________________________________________
Bf-committers mailing list
Bf-committers@blender.org
List details, subscription details or unsubscribe: https://lists.blender.org/mailman/listinfo/bf-committers