discuss@lists.openscad.org

OpenSCAD general discussion Mailing-list

Python and Security

Roger Whiteley
Mon, Jul 14, 2025 9:47 AM

I was going to chip in a few thoughts to the python discussion, but
Jordan rightly suggested shutting the discussion down [I receive digests
BTW so I am always behind the curve].

I was going to recommend that the python/container rabbit hole was
something that an OpenSCAD development team should simply not bother with.

Run python against / for OpenSCAD? Sure, but there is the potential for
security issues way outside the remit or control of the OpenSCAD
development team.

If someone is expert enough to run python and OpenSCAD in tandem, they
need to take responsibility for the security of their own systems, and
that includes accepting the risks that come with downloading someone
else's python code which may do harm [but at least it's human readable
text, not machine code, which helps [a bit]].

I love a rabbit hole, but eventually you have to decide when to come
back out and try another one..

Roger.

Guenther Sohler
Mon, Jul 14, 2025 9:53 AM

FYI:

There is currently progress to establish OpenSCAD + Lua.
Lua has many language features which make it compatible with the SCAD language.
Many people prefer Lua over Python and some believe it can be securely
sandboxed.

But the progress is still in the very beginning. Only cube, sphere and show
are working at the moment.

On Mon, Jul 14, 2025 at 11:48 AM Roger Whiteley via Discuss <discuss@lists.openscad.org> wrote:

> I was going to chip in a few thoughts to the python discussion, but
> Jordan rightly suggested shutting the discussion down [I receive digests
> BTW so I am always behind the curve].
>
> I was going to recommend that the python/container rabbit hole was
> something that an OpenSCAD development team should simply not bother with.
>
> Run python against / for OpenSCAD? Sure, but there is the potential for
> security issues way outside the remit or control of the OpenSCAD
> development team.
>
> If someone is expert enough to run python and OpenSCAD in tandem, they
> need to take responsibility for the security of their own systems, and
> that includes accepting the risks that come with downloading someone
> else's python code which may do harm [but at least it's human readable
> text, not machine code, which helps [a bit]].
>
> I love a rabbit hole, but eventually you have to decide when to come
> back out and try another one..
>
> Roger.
>
> OpenSCAD mailing list
> To unsubscribe send an email to discuss-leave@lists.openscad.org

Jordan Brown
Mon, Jul 14, 2025 5:57 PM

On 7/14/2025 2:47 AM, Roger Whiteley via Discuss wrote:

> I was going to chip in a few thoughts to the python discussion, but
> Jordan rightly suggested shutting the discussion down

We need to be careful, since there are quite a number of people on the
mailing list who aren't interested in Python-related stuff, but the
particular area that I thought needed to be shut down completely is "why
can't you sandbox Python" because that's a discussion that's totally
unrelated to OpenSCAD in any form.  For OpenSCAD purposes, the answer is
that people have tried and failed and it's not possible, full stop.

> If someone is expert enough to run python and OpenSCAD in tandem,[...]

Today, that's a bit of a pain in the neck to do.  But that's an
implementation problem.  If we get past that implementation problem so
that (one way or another) you just do an OpenSCAD install, or you do an
OpenSCAD install and a Python install and they talk to each other, then
we're back in the realm of non-experts.  Blender lets you write in
Python without requiring any sort of expert install, which says it's
possible for us too.

Python has a little steeper learning curve than OpenSCAD, but only a
little; I think a Python-based CAD environment could be approximately as
beginner-friendly as OpenSCAD is.

John David
Tue, Jul 15, 2025 1:26 PM

@Roger Whiteley <roger.whiteley@me.com>, I agree with you on people having to take responsibility for their own
systems, but I think it is also reasonable for us to do what we can to plug
the stupid holes (you can name them as you choose).  Also, a python
interface to OpenSCAD is for people who are either into programming python,
or at least making a commitment to learn it for their purposes.  It should
never be assumed that someone choosing PythonSCAD is a total noob, and if
they are, it is reasonable to warn them of the dragons beyond.

Next rabbit hole please...

On Mon, Jul 14, 2025 at 1:57 PM Jordan Brown via Discuss <discuss@lists.openscad.org> wrote:

> On 7/14/2025 2:47 AM, Roger Whiteley via Discuss wrote:
>
> > I was going to chip in a few thoughts to the python discussion, but Jordan
> > rightly suggested shutting the discussion down
>
> We need to be careful, since there are quite a number of people on the
> mailing list who aren't interested in Python-related stuff, but the
> particular area that I thought needed to be shut down completely is "why
> can't you sandbox Python" because that's a discussion that's totally
> unrelated to OpenSCAD in any form.  For OpenSCAD purposes, the answer is
> that people have tried and failed and it's not possible, full stop.
>
> > If someone is expert enough to run python and OpenSCAD in tandem,[...]
>
> Today, that's a bit of a pain in the neck to do.  But that's an
> implementation problem.  If we get past that implementation problem so that
> (one way or another) you just do an OpenSCAD install, or you do an OpenSCAD
> install and a Python install and they talk to each other, then we're back
> in the realm of non-experts.  Blender lets you write in Python without
> requiring any sort of expert install, which says it's possible for us too.
>
> Python has a little steeper learning curve than OpenSCAD, but only a
> little; I think a Python-based CAD environment could be approximately as
> beginner-friendly as OpenSCAD is.

